From db7b854df4e789dd092497d2029eef9a4e5369cc Mon Sep 17 00:00:00 2001 From: Michael Gilbert Date: Sun, 19 Apr 2009 23:28:54 +0000 Subject: some updates to wording of the narrative_introduction git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@11654 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- doc/narrative_introduction | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'doc/narrative_introduction') diff --git a/doc/narrative_introduction b/doc/narrative_introduction index 2f23b1b6b8..79d46f140c 100644 --- a/doc/narrative_introduction +++ b/doc/narrative_introduction 
@@ -192,14 +192,25 @@ versions, does not ...) Bug numbers can be added as in the example above. To avoid duplicate bugs, "bug filed" can be added instead of "bug #123456" when the bug report has -been sent but the bug number is not yet known. The bug numbers are used -to add additional references for the overview page and the Security Bug -Tracker and they are parsed by a script that generates user tags "tracked" -for the user debian-security@lists.debian.org. This way you can generate -a BTS query for all issues in the BTS that are tagged "security" and are -not yet added to our tracker: +been sent but the bug number is not yet known (however, it is more +desirable to file the bug, wait for the BTS to assign a number, then update +the entry in the CVE list so that complete information is always available +in the tracker). The bug number is important because it makes it clear +that the maintainer has been contacted about the problem, and that they are +aware of their responsibility to work swiftly toward a fix. The bug +numbers are also used to add additional references for the overview page +and the Security Bug Tracker. They are parsed by a script that generates +user tags "tracked" for the user debian-security@lists.debian.org, which +enables BTS users to generate a query for all of the issues that are tagged +"security" but not yet added to the tracker: http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security@lists.debian.org;exclude=tracked +Since CVEs often drop in bulk, submission of multiple CVEs in a single bug +report is permissable and encouraged. However, some maintainers have +indicated a preference for only one issue per bug report. The following +is a list of packages for which each CVE should be reported separately: + - php5 + A special exception is made for kernel related issues. The kernel-sec group will take care of them and file bugs if needed. -- cgit v1.2.3
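Review bot: the new parenthetical in the "bug filed" sentence works against the reason that sentence gives for the placeholder. The text says "bug filed" exists "To avoid duplicate bugs", but the added advice to "file the bug, wait for the BTS to assign a number, then update the entry in the CVE list" leaves the entry with no bug marker during the wait, which is exactly when a second person could file the same report. Consider wording it so that "bug filed" is added as soon as the report is sent and then replaced with the number once the BTS assigns it, which keeps both the duplicate protection and the complete information in the tracker. In the added paragraph on bulk CVE submission, "permissable" should be "permissible". That paragraph also introduces a per-package exception list with a single entry (php5) and no indication of how a maintainer gets a package added to it or who maintains the list; a short sentence on that would keep the list from going stale.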