document distribution tags

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@3027 e39458fd-73e7-0310-bf30-c45bca0a0e42

1 files changed, 19 insertions, 2 deletions

diff --git a/doc/narrative_introduction b/doc/narrative_introduction
index a0bf1d66ae..ec2c5653e0 100644
--- a/doc/narrative_introduction
+++ b/doc/narrative_introduction
@@ -196,11 +196,28 @@ STABLE11 and ...)
         NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
         NOTE: this patch was never applied to the Debian package.
 
+Distribution tags
+-----------------
+Our data is primarily targeted at sid, as we track the version that
+a certain issue was fixed in sid. The Security Tracker web site (see
+below) derives information about the applicability of a vulnerability
+to stable and oldstable from the list of DSAs issued by the security
+team and the fact that a source package is part of a release.
+Distribution tags can be used to denote information about a vulnerability
+for the version of a package in a specific release. An example:
+
+CVE-2005-3974 (Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on ...)
+        - drupal 4.5.6-1 (low)
+        [sarge] - drupal <not-affected> (Only vulnerable if running PHP 5)
+
+Drupal has been fixed since 4.5.6, however Drupal from Sarge still isn't
+vulnerable as the vulnerability is only effective when run under PHP 5,
+which isn't part of Sarge.
 
 TODO
 ----
 
-Need to document [sarge], [woody], and other tags
+Need to document <not-affected>, <removed>, REJECTED, RESERVED
 
 
 Generated Reports
@@ -257,7 +274,7 @@ helps!)
 
 
 TODO:
-document severity levels
+document {} cross refs
 document DSA/list
 document DTSAs
 document tsck