From c03f39ed796b1fd35f18acd70e57a31618938bbd Mon Sep 17 00:00:00 2001 From: Michael Gilbert Date: Sun, 11 Apr 2010 23:48:31 +0000 Subject: remove claiming discussion from documentation since that is never used anymore and clarify module tracking git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@14458 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- doc/narrative_introduction | 48 ++++++++++++++++------------------------------ 1 file changed, 17 insertions(+), 31 deletions(-) (limited to 'doc/narrative_introduction') diff --git a/doc/narrative_introduction b/doc/narrative_introduction index 1f534ae67f..3db17d2c9c 100644 --- a/doc/narrative_introduction +++ b/doc/narrative_introduction 
@@ -105,37 +105,24 @@ Processing TODO entries The Mitre update typically manifests in new CVE entries. So what we do is to update our svn repository and then edit data/CVE/list and look for new TODO entries. These will often be in blocks of 10-50 or so, -depending on how many new issues they have assigned. Depending on how -you feel you will "claim" a block of say 10 new entries by -putting your name in the file at the beginning and the end of the new -TODO entries and then commit the repository. This looks like this: - -begin claimed by jmm -CVE-2005-4066 (Total Commander 6.53 uses weak encryption to store FTP -usernams and ...) - TODO: check -CVE-2005-4065 (SQL injection vulnerability in the search module in -Edgewall Trac ...) - TODO: check -CVE-2005-4030 (SQL injection vulnerability in Quicksilver Forums -before 1.5.1 allows ...) - TODO: check -end claimed by jmm - -Once these are checked-in, then others will not do work on these TODO -issues. - -IMPORTANT: make sure to read: http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html - -Issues Not-For-Us (NFU) +depending on how many new issues they have assigned. + +IMPORTANT: make sure to read: +http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html + +Issues NOT-FOR-US (NFU) ----------------------- -Processing your claimed entries is done by first seeing if the issue -is related to any software packaged in Debian, if it isn't a package -in Debian and has no ITP then you note that in the file. Another case -are meta packages that only provide a downloader (e.g. flashplugin-nonfree). -There is no way to mark such packages as we have no influence on the version -and technically the code is not present in Debian. +Processing entries is done by first seeing if the issue is related to any +software packaged in Debian. If it isn't a package in Debian and has no +ITP then you note that in the file with a 'NOT-FOR-US:' tag. 
Third-party +modules are not yet packaged for Debian are also tagged as NFU; even if +their parent software is packaged for Debian. The module names should be +mentioned in the NFU note in order to make issues apparent if that module +should ever receive a propper package. Another case are meta packages +that only provide a downloader (e.g. flashplugin-nonfree). There is no +way to mark such packages as we have no influence on the version and +technically the code is not present in Debian. Example: @@ -147,8 +134,7 @@ There is a tool that helps with sorting out all the NOT-FOR-US issues: See "bin/check-new-issues -h". For the search functions in check-new-issues to work, you need to have unstable in your sources.list and have done "apt-get update" and "apt-file update". -Having libterm-readline-gnu-perl installed helps, too. Unfortunately, -check-new-issues does not yet support the "claimed by" tags mentioned above. +Having libterm-readline-gnu-perl installed helps, too. Please also make sure to check the wnpp list for possible items and the ftp-master removal list to see if the issue way maybe present in the past -- cgit v1.2.3
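Review bot: In the first hunk (the NOT-FOR-US section), the added sentence "Third-party modules are not yet packaged for Debian are also tagged as NFU" is missing a relative pronoun, so it reads as two conflicting clauses. Suggest "Third-party modules that are not yet packaged for Debian are also tagged as NFU, even if their parent software is packaged for Debian." The same added paragraph has "propper" for "proper". It also says module names "should be mentioned in the NFU note" without adding a sample line in this hunk that shows what such a note looks like. Since the point of naming the module is to make the issue findable if the module is packaged later, a one-line sample of the expected note format would make the convention easier to follow consistently. Finally, "There is no way to mark such packages" now follows directly after the NFU tagging rules, which leaves it unclear whether downloader-only meta packages get a NOT-FOR-US tag or are handled some other way. A sentence stating what to write in the file for that case would close the gap.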
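Review bot: In the second hunk (the check-new-issues paragraph), the unchanged context line just below the edit still reads "to see if the issue way maybe present in the past". Since this commit is a wording cleanup of the same paragraph, it would be worth fixing that to "was maybe present" here too. Dropping the sentence about "claimed by" tags is consistent with the first hunk, which removes the claim block and changes "Processing your claimed entries" to "Processing entries", so no reference to claiming remains in the visible lines.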