path: root/doc/narrative_introduction
author: Moritz Muehlenhoff <jmm@debian.org> 2005-12-14 09:08:44 +0000
committer: Moritz Muehlenhoff <jmm@debian.org> 2005-12-14 09:08:44 +0000
commit: 41db4e79cf63830819afd487a4828ce7774d71b1 (patch)
tree: 2a9e7348683f4c77b96b6b788d65123c63b377fc /doc/narrative_introduction
parent: e6d2f5227824139678358e1b0d4a5bf7d369d4c7 (diff)
document DSA/list and curly cross-refs
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@3030 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc/narrative_introduction')
-rw-r--r-- doc/narrative_introduction 29
1 files changed, 27 insertions, 2 deletions
diff --git a/doc/narrative_introduction b/doc/narrative_introduction
index 958d6ae287..a19dfc064f 100644
--- a/doc/narrative_introduction
+++ b/doc/narrative_introduction
@@ -275,6 +275,33 @@ unfixed holes currently in testing, the number of holes that have been
fixed in unstable that haven't migrated to testing, and the number of
TODO items that we have to process still.
+
+The DSA list
+------------
+We maintain a list of all DSA advisories issued by the stable security
+team. This information is used to derive information about the state
+of security problems for the stable and oldstable distribution. An
+entry for a DSA looks like this:
+
+[21 Nov 2005] DSA-903-1 unzip - race condition
+ {CVE-2005-2475}
+ [woody] - unzip 5.50-1woody4
+ [sarge] - unzip 5.52-1sarge2
+ NOTE: fixed in testing at time of DSA
+
+The first line tracks the date, when a DSA was issued, the DSA identifier,
+the affected source package and the type of vulnerability.
+The second line performs a cross-reference to the entry in CVE/list that
+maintains the state of the vulnerability in sid. Every entry that is
+added like this to DSA/list is parsed by a script and automatically added
+to CVE/list, so there's no need to add references to the CVE list manually
+(although you could).
+The next lines contain the fixes for stable and optionally oldstable, addressed
+with distribution tags.
+You may add NOTE: entries freely, we use a NOTE entry for statistical purposes
+that tracks, when a fix has reached testing relative to the time when it hit
+stable.
+
TODO
----
Document Florian's tracker
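Review bot: The description of the fix lines ("The next lines contain the fixes for stable and optionally oldstable, addressed with distribution tags") leaves the field layout implicit. The example shows `[woody] - unzip 5.50-1woody4`, but the text never says that the fields are distribution tag, source package and fixed version, or whether the leading indentation matters to the parser. Since the entry is "parsed by a script and automatically added to CVE/list", it would help to spell out the layout, name the script, and say how an entry with more than one CVE id is written inside the braces. The same applies to the NOTE line: it is described as free-form ("You may add NOTE: entries freely") and in the same sentence as input for statistics, so state whether the wording "fixed in testing at time of DSA" has to be exact for the statistics to pick it up.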
@@ -305,7 +332,5 @@ helps!)
TODO:
-document {} cross refs
-document DSA/list
document DTSAs
document tsck
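Review bot: Dropping "document {} cross refs" from the TODO list looks broader than what the new section covers. The added text explains the braces only as the second line of a DSA/list entry (`{CVE-2005-2475}` pointing at CVE/list). If the TODO item was meant to cover brace cross-references in any other list as well, either keep the item in narrowed form or add a sentence to the new section saying the syntax is the same there. Removing "document DSA/list" matches the added "The DSA list" section.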
