author Johnathan Ritzi <jrdioko@gmail.com> 2011-07-25 03:48:49 +0000
committer Johnathan Ritzi <jrdioko@gmail.com> 2011-07-25 03:48:49 +0000
commit a787120cd4be96964430716b5b2d0a708f0faba0
tree a9d994950fcc1efd509cc8c3fcad8766cd0dab6e /doc/narrative_introduction
parent 3b908c3cefcf6d1258a9acd69549b2daa2d28a4d
Additions to narrative_introduction file
Explicitly mention steps that should be taken before marking an issue NFU. Mention to add a NOTE if there is any doubt. Include links for making an unstable chroot. Clarify handling of RFPs.

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@16978 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc/narrative_introduction')
-rw-r--r-- doc/narrative_introduction 53
1 files changed, 37 insertions, 16 deletions
diff --git a/doc/narrative_introduction b/doc/narrative_introduction
index 76a223e500..3d15102b55 100644
--- a/doc/narrative_introduction
+++ b/doc/narrative_introduction
@@ -131,15 +131,48 @@ CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of
service ...)
NOT-FOR-US: Safari
+Before marking a package NOT-FOR-US, the following should be done:
+ - Read the full CVE description to determine the product name
+ - Search for the product using apt-cache search <name>
+ - If a file was referenced, search for the file using
+ apt-file search <name>
+ - Search the wnpp list (http://www.debian.org/devel/wnpp/) to see
+ if the product has an ITP or RFP (see "ITP/RFP packages" below)
+ - Search the ftp-master removal list
+ (http://ftp-master.debian.org/removals-full.txt) or the Package
+ Tracking System (http://packages.qa.debian.org/) to see if the
+ package was present in the past but was removed (see "Removed
+ packages" below)
+
+If there is any doubt, add a NOTE with your findings and ask others to
+double check.
+
There is a tool that helps with sorting out all the NOT-FOR-US issues:
See "bin/check-new-issues -h". For the search functions in
check-new-issues to work, you need to have unstable in your
sources.list and have done "apt-get update" and "apt-file update".
-Having libterm-readline-gnu-perl installed helps, too.
+Having libterm-readline-gnu-perl installed helps, too. If you are not
+running unstable, you can search at http://packages.debian.org or
+set up an unstable chroot:
+
+http://www.debian.org/doc/manuals/reference/ch09#_chroot_system
+http://wiki.debian.org/Debootstrap
+
+ITP/RFP packages
+----------------
+
+If it is a package that someone has filed an RFP or ITP for, then that
+is also noted, so it can be tracked to make sure that the issue is
+resolved before the package enters the archive. ITPs are marked with
+<itp>, while RFPs are simply mentioned in a NOTE:
+
+CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
+in Serendipity ...)
+ - serendipity <itp> (bug #312413)
-Please also make sure to check the wnpp list for possible <itp> items and
-the ftp-master removal list to see if the issue way maybe present in the past
-but the package was removed
+CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 ...)
+ NOT-FOR-US: Dokeos
+ NOTE: there is an RFP for Dokeos #433352
Reserved entries
----------------
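Review bot: The checklist heading reads "Before marking a package NOT-FOR-US", but NOT-FOR-US is applied to a CVE entry, and the commit message itself says "marking an issue NFU"; suggest "Before marking an issue NOT-FOR-US", since the checklist exists precisely to find out whether a package is involved at all. In the new "ITP/RFP packages" section, the Dokeos example combines NOT-FOR-US with an RFP NOTE, while the prose only says RFPs are "simply mentioned in a NOTE"; say explicitly that a product with only an RFP is still marked NOT-FOR-US. The Dokeos description line is also left unwrapped, unlike the Serendipity example directly above it. Finally, the checklist points to "Removed packages" below, which is not visible in this diff; confirm a section with exactly that title exists.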
@@ -163,18 +196,6 @@ entries:
CVE-2005-4129
REJECTED
-ITP packages
-------------
-
-If it is a package that someone has filed an RFP or ITP for, then that
-is also noted, so it can be tracked to make sure that the issue is
-resolved before the package enters the archive:
-
-CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
-in Serendipity ...)
- - serendipity <itp> (bug #312413)
-
-
Packages in the archive
-----------------------
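Review bot: The section removed here was titled "ITP packages", while its replacement in the earlier hunk is titled "ITP/RFP packages", so any remaining reference to the old title elsewhere in doc/narrative_introduction needs updating to match the new 'see "ITP/RFP packages" below' pointer. The section also moves from after "Reserved entries" to before it; the commit message lists only additions and clarifications, so it is worth mentioning the relocation there.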
