author    Michael Gilbert <michael.s.gilbert@gmail.com>  2009-09-13 19:07:35 +0000
committer Michael Gilbert <michael.s.gilbert@gmail.com>  2009-09-13 19:07:35 +0000
commit    0d1c13f557ee88b766c0337780963e4c4888b3a3 (patch)
tree      3fc3efddf0f58113002869b570c7484c443474b3 /doc/narrative_introduction
parent    fa13e70991bea8dc423b0bec0e47c2cccbc0361a (diff)
narrative_introduction
- update on removed-packages file
- clean up some formatting and grammar

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@12800 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc/narrative_introduction')
-rw-r--r--  doc/narrative_introduction  35
1 files changed, 28 insertions, 7 deletions
diff --git a/doc/narrative_introduction b/doc/narrative_introduction
index 384d02910e..e7083b3a69 100644
--- a/doc/narrative_introduction
+++ b/doc/narrative_introduction
@@ -60,8 +60,8 @@ This will check out our working repository after asking for your alioth
password twice. This is normal and to be expected. After successfully
downloading, you will have a new directory called secure-testing. Inside
this directory are a number of subdirectories. The data directory is
-where we do most of our work. If you don't have Alioth account, you can
-create one at:
+where we do most of our work. If you don't have an Alioth account, you
+can create one at:
https://alioth.debian.org/account/register.php
@@ -102,6 +102,7 @@ with the secure-testing repository:
Automatic Issue Updates
-----------------------
+
Twice a day a cronjob runs that pulls down the latest full CVE lists
from Mitre, this automatically gets checked into data/CVE/list, and
also syncs that file with other lists like data/DSA/list and
@@ -122,6 +123,7 @@ do this.
Processing TODO entries
-----------------------
+
The Mitre update typically manifests in new CVE entries. So what we do
is to update our svn repository and then edit data/CVE/list and look
for new TODO entries. These will often be in blocks of 10-50 or so,
@@ -149,6 +151,7 @@ IMPORTANT: make sure to read: http://lists.alioth.debian.org/pipermail/secure-te
Issues Not-For-Us (NFU)
-----------------------
+
Processing your claimed entries is done by first seeing if the issue
is related to any software packaged in Debian, if it isn't a package
in Debian and has no ITP then you note that in the file. Another case
@@ -175,6 +178,7 @@ but the package was removed
Reserved entries
----------------
+
Several security problems have coordinated dates of public disclosure,
i.e. a CVE identifier has been assigned to a problem, but it's not
public yet. Also, several vendors have a pool of CVE ids they can
@@ -186,6 +190,7 @@ CVE-2005-1432
Rejected entries
----------------
+
Sometimes there are CVE assignments that later turn out to be duplicates,
mistakes or non-issues. These items are reverted and turned into REJECTED
entries:
@@ -195,6 +200,7 @@ CVE-2005-4129
ITP packages
------------
+
If it is a package that someone has filed an RFP or ITP for, then that
is also noted, so it can be tracked to make sure that the issue is
resolved before the package enters the archive:
@@ -206,6 +212,7 @@ in Serendipity ...)
Packages in the archive
-----------------------
+
If it is a package in Debian, look to see if the package is affected or
not (sometimes newer versions that have the fixes have already been
uploaded).
@@ -257,6 +264,9 @@ CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta
<not-affected> is also used if a vulnerability was fixed before a
package was uploaded into the Debian archive.
+Removed packages
+----------------
+
Sometimes there are cases, where a vulnerability hasn't been fixed with
a code change, but simply by deciding that a package is that broken that
it needs to be removed from the archive entirely. This is tracked with
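Review bot: the paragraph that now sits directly under the new "Removed packages" heading still reads "Sometimes there are cases, where a vulnerability hasn't been fixed with a code change, but simply by deciding that a package is that broken that it needs to be removed"; since this commit is also cleaning up grammar, drop the comma after "cases" and change "that broken that" to "so broken that", giving "Sometimes there are cases where a vulnerability hasn't been fixed with a code change but simply by deciding that a package is so broken that it needs to be removed from the archive entirely."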
@@ -265,11 +275,6 @@ the <removed> tag:
CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
- openwebmail <removed>
-After a new Debian release, some packages vanish from the database,
-and consistency checks might fail. In this case, a single <removed>
-entry needs to be added to an input file, or the package name should
-be included in the data/packages/removed-packages file.
-
Also note that it is sufficient to mark a package as removed in unstable.
The tracker is aware of which package is present in which distribution
and marks other distributions that still contain the package automagically
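Review bot: this hunk drops the only statement that adding a single <removed> entry to an input file is an acceptable alternative to listing the package in data/packages/removed-packages, and the replacement paragraph added later in this patch describes only the removed-packages file. If the <removed>-entry route is still valid for a package that vanishes from the database after a release, keep a sentence saying so here; if removed-packages is now the sole mechanism, say that explicitly, so a reader whose consistency checks fail knows which of the two to use.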
@@ -280,8 +285,16 @@ unstable, then:
will track oldstable as affected, but stable and unstable as not-affected.
+Once a package has been completely removed from all currently supported
+debian releases, it should be tracked in the data/packages/removed-packages
+file. This file lists all packages (one source package per line) that were
+at one time in a debian release, but no longer exist in any supported
+version. Additions to this file can be used to address failing consistency
+checks after a new release.
+
Severity levels
---------------
+
These levels are mostly used to prioritize the order in which security
problems are resolved. Anyway, we have a rough overview on how you should
assess these levels.
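Review bot: "debian releases" and "debian release" in the added paragraph are lowercase while the rest of this file writes "Debian" (compare "a package in Debian" and "an Alioth account" in the earlier hunks); capitalize both. The closing sentence "Additions to this file can be used to address failing consistency checks after a new release" would also be clearer if it kept the detail the removed paragraph had, namely that the checks fail because the package has vanished from the database after the release, since that is the symptom the reader will actually see.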
@@ -326,6 +339,7 @@ their importance.
NOTE and TODO entries
---------------------
+
There are many instances where more work has to be done to determine
if something is affected, and you might not be able to do this at the
time. These entries can have their TODO line changed to something
@@ -351,6 +365,7 @@ STABLE11 and ...)
CVE assignments
---------------
+
Debian can only assign CVE names from its own pool for issues which
are not public. To request a CVE from the Debian pool, write to
<security@debian.org> and include a description which follows CVE
@@ -374,6 +389,7 @@ cross-referenced advisories nevertheless.
Distribution tags
-----------------
+
Our data is primarily targeted at sid, as we track the version that
a certain issue was fixed in sid. The Security Tracker web site (see
below) derives information about the applicability of a vulnerability
@@ -392,6 +408,7 @@ which isn't part of Sarge.
Generated Reports
-----------------
+
All of this tracking information gets automatically parsed and
compared against madison to determine what has been fixed and what is
still waiting, this results in this website:
@@ -425,6 +442,7 @@ For every security problem it displays
The DSA list
------------
+
We maintain a list of all DSA advisories issued by the stable security
team. This information is used to derive information about the state
of security problems for the stable and oldstable distribution. An
@@ -458,6 +476,7 @@ You should not blindly trust the script output and double-check it, though.
Checking your changes
---------------------
+
Commits are checked for syntax errors before they are actually committed,
and you'll receive an error and your commit is aborted if it is in error.
To check your changes yourself beforehand, use "make check-syntax" from
@@ -465,6 +484,7 @@ the root of the svn directory.
Following up on security issues
-------------------------------
+
By simply loading this page and doing a little gardening of the
different issues many things can be done. One thing is that you can
read all the bug reports of each issue and see if new information has
@@ -499,6 +519,7 @@ usertag $BUGNUM + tracked
IRC Channel
-----------
+
We hang-out on #debian-security on OFTC, stop by the IRC channel if
you'd like, also we can add you to the alioth project so you have svn
write permission and you can test drive it on the testing issues for