From a787120cd4be96964430716b5b2d0a708f0faba0 Mon Sep 17 00:00:00 2001
From: Johnathan Ritzi
Date: Mon, 25 Jul 2011 03:48:49 +0000
Subject: Additions to narrative_introduction file

Explicitly mention steps that should be taken before marking an issue NFU.
Mention to add a NOTE if there is any doubt.
Include links for making an unstable chroot.
Clarify handling of RFPs.

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@16978 e39458fd-73e7-0310-bf30-c45bca0a0e42
---
 doc/narrative_introduction | 53 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 37 insertions(+), 16 deletions(-)

diff --git a/doc/narrative_introduction b/doc/narrative_introduction
index 76a223e500..3d15102b55 100644
--- a/doc/narrative_introduction
+++ b/doc/narrative_introduction
@@ -131,15 +131,48 @@ CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of service ...) NOT-FOR-US: Safari +Before marking a package NOT-FOR-US, the following should be done: + - Read the full CVE description to determine the product name + - Search for the product using apt-cache search + - If a file was referenced, search for the file using + apt-file search + - Search the wnpp list (http://www.debian.org/devel/wnpp/) to see + if the product has an ITP or RFP (see "ITP/RFP packages" below) + - Search the ftp-master removal list + (http://ftp-master.debian.org/removals-full.txt) or the Package + Tracking System (http://packages.qa.debian.org/) to see if the + package was present in the past but was removed (see "Removed + packages" below) + +If there is any doubt, add a NOTE with your findings and ask others to +double check. + There is a tool that helps with sorting out all the NOT-FOR-US issues: See "bin/check-new-issues -h". For the search functions in check-new-issues to work, you need to have unstable in your sources.list and have done "apt-get update" and "apt-file update". -Having libterm-readline-gnu-perl installed helps, too. +Having libterm-readline-gnu-perl installed helps, too. If you are not +running unstable, you can search at http://packages.debian.org or +set up an unstable chroot: + +http://www.debian.org/doc/manuals/reference/ch09#_chroot_system +http://wiki.debian.org/Debootstrap + +ITP/RFP packages +---------------- + +If it is a package that someone has filed an RFP or ITP for, then that +is also noted, so it can be tracked to make sure that the issue is +resolved before the package enters the archive. ITPs are marked with +, while RFPs are simply mentioned in a NOTE: + +CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php +in Serendipity ...) 
+ - serendipity (bug #312413) -Please also make sure to check the wnpp list for possible items and -the ftp-master removal list to see if the issue way maybe present in the past -but the package was removed +CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 ...) + NOT-FOR-US: Dokeos + NOTE: there is an RFP for Dokeos #433352 Reserved entries ---------------- @@ -163,18 +196,6 @@ entries: CVE-2005-4129 REJECTED -ITP packages ------------- - -If it is a package that someone has filed an RFP or ITP for, then that -is also noted, so it can be tracked to make sure that the issue is -resolved before the package enters the archive: - -CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php -in Serendipity ...) - - serendipity (bug #312413) - - Packages in the archive ----------------------- -- cgit v1.2.3
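Review bot: in the first hunk's new "ITP/RFP packages" section the sentence "ITPs are marked with , while RFPs are simply mentioned in a NOTE:" has nothing between "with" and the comma, so the reader is never told how an ITP is actually recorded; spell out the form the serendipity example below it uses (a package line carrying the ITP bug number, " - serendipity (bug #312413)") so the contrast with the RFP-in-a-NOTE form for Dokeos is explicit. In the same hunk the checklist item "see "Removed packages" below" points at a section heading that does not appear in this diff; confirm a section with exactly that title exists later in the file, otherwise the cross-reference dangles the way "ITP/RFP packages" would have without the new heading.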
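Review bot: the second hunk deletes the "ITP packages" heading while the first hunk re-adds the same text under the new name "ITP/RFP packages"; the new checklist already cites the new name, but grep the rest of doc/narrative_introduction and any scripts or other docs in the repository for references to the old heading "ITP packages" and update them in this commit, since a renamed heading silently breaks every "see ... below" that used the old title.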