[Secure-testing-team] DTSA advisory format

Moritz Muehlenhoff jmm at inutil.org
Sun Aug 28 18:27:13 UTC 2005


Joey Hess wrote:
> > - Problem-Type should be renamed to "Problem Scope" or "Vulnerability
> >   Scope". OTOH it might be dropped completely, it's hard to decide
> >   in several cases (e.g. when s/o processes some file that triggers
> >   a vulnerability the attack vector may very well be remote, if this
> >   s/o receives the file by mail) and may give a false sense of security.
> 
> I only included that since it's in DSAs. OTOH, I think it's easy to make
> the judgement call about whether the vulnerability is a remote hole in a
> standard setups or not.

It's now in the dtsa script. If in doubt we should use a relaxed definition
of "remote" to prevent giving a warm fuzzy false feeling of security.
 
> > - The install recommendation uses apt-get install foo. So we'd need to
> >   specify a list of all binary names here to properly install the update.
> >   Shouldn't we just recommend dist-upgrade instead? (If people use the
> >   testing security apt repo they don't have to cherry pick fixes)
> 
> I've been editing that to use apt-get upgrade for DTSAs that include
> more than one binary package. But IMHO dist-upgrade should be unnecessary,
> we won't be adding/removing packages. Hopefully.
                                        ^^^^^^^^^
:-)

Cheers,
        Moritz