[Secure-testing-team] DTSA advisory format

Moritz Muehlenhoff jmm at inutil.org
Sun Aug 28 19:06:12 UTC 2005


Joey Hess wrote:
> Moritz Muehlenhoff wrote:
> > It's now in the dtsa script. If in doubt we should use a relaxed definition
> > of "remote" to prevent giving a warm fuzzy false feeling of security.
> 
> So if I run dtsa -u 1 it doesn't seem to do anything. Shouldn't I get a
> filled out template or some sort of output?

dtsa -u is only used for updating DTSAs that have already been published,
i.e. for cases where DTSA-X-2 would become necessary. This isn't implemented
yet; I'm currently working on it.
To generate the template right now, please use "dtsa -a 1".

To bring the rest of the rest in the loop, I'm thinking of the following
workflow:

1. Someone is working on a vulnerability in package foo. He checks the
highest currently unused DTSA number and commits an initial .adv file
into SVN. (can be automated with a little shell script that extracts the
highest number and performs the checkin)
This is the equivalent of the "claimed" markers for data/CAN/list.

2. Once he's written his advisory template, tested the uploaded fix and
everything is in shape for release, he uses dtsa.py -a. All information
is automatically included in data/DTSA/list. HTML output is generated
and rsynced to the website (not implemented yet) and the textual form
can be sent to -announce with sndadvisory.
From now on a DTSA is kept as "published".

3. If it is "published" an update can be issued with dtsa.py -u, which
automatically updates data/DTSA/list and increases the DTSA code by a minor
number. HTML and textual representation are again made public.

Cheers,
        Moritz
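The "little shell script" mentioned in step 1 of the workflow above, written out as an added example (this is not the dtsa script or anything from the secure-testing repository). It assumes advisory files live in a directory and are named DTSA-<number>-<revision>.adv, which is an assumption drawn from the DTSA-X-2 naming in the reply; the SVN checkin is a separate function so the numbering logic can be run without a working copy.

```shell
#!/bin/sh
# Added example (not the dtsa script): find the highest DTSA number already
# claimed in a directory of .adv files and create the next "claimed" file.
# Assumed file naming: DIR/DTSA-<number>-<revision>.adv (e.g. DTSA-12-1.adv).

# next_dtsa_number DIR -> prints the highest number found plus one
# (prints 1 when DIR contains no .adv files yet).
next_dtsa_number() {
    dir="$1"
    highest=0
    for f in "$dir"/DTSA-*-*.adv; do
        [ -e "$f" ] || continue          # glob did not match anything
        # Extract the advisory number, ignoring the revision suffix.
        n=$(basename "$f" | sed -n 's/^DTSA-\([0-9][0-9]*\)-[0-9][0-9]*\.adv$/\1/p')
        [ -n "$n" ] || continue          # skip files that do not fit the pattern
        if [ "$n" -gt "$highest" ]; then
            highest=$n
        fi
    done
    echo $((highest + 1))
}

# claim_dtsa DIR PACKAGE -> creates DTSA-<next>-1.adv with a minimal
# "claimed" marker and prints the path of the new file.
claim_dtsa() {
    dir="$1"
    pkg="$2"
    n=$(next_dtsa_number "$dir")
    file="$dir/DTSA-$n-1.adv"
    # Placeholder contents; the real template is filled in later with dtsa -a.
    printf 'Package: %s\nStatus: claimed\n' "$pkg" > "$file"
    echo "$file"
}

# checkin_claim FILE -> adds the new file and commits it so the number is
# reserved for everyone else. Only meaningful inside an SVN working copy.
checkin_claim() {
    file="$1"
    svn add "$file" &&
    svn commit -m "Claim $(basename "$file" .adv) for $(sed -n 's/^Package: //p' "$file")" "$file"
}

# Usage: claim_dtsa data/DTSA foo, then checkin_claim on the printed path.
```

The number is derived from the file names rather than from data/DTSA/list, so two people racing for the same number will collide at commit time, which is exactly where SVN will refuse the second checkin and force a rerun.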