[Secure-testing-team] DTSA advisory format

Moritz Muehlenhoff jmm at inutil.org
Sun Aug 28 20:06:29 UTC 2005


Joey Hess wrote:
> Moritz Muehlenhoff wrote:
> > dtsa -u is only used for updating DTSAs that have already been published,
> > i.e. for cases where DTSA-X-2 would become necessary. This isn't implemented
> > yet, I'm currently working on it.
> > To generate the template right now please use "dtsa -a 1".
> 
> Ok, calling that "announce" is misleading, since it does not really post
> the announcement. Also, dtsa doesn't right-align the url and author at
> the top of the template,

Fixed.

> and it should add new items to the top of the
> list file, not to the end.

Does one of the other scripts depend on this behaviour? Adding it to the
front is rather ugly in-place editing, while adding it to the end is a plain
append operation. Or does anyone know a pythonesque workaround?

> Oh and you put the wrong date in the list, in
> case you didn't notice. :-)

That was used as a workaround, because the descriptive date in the
advisory differs from the one in data/DTSA/list. Let's add the date
in ISO format (i.e. 2005-08-11) into the .adv file, then I'll transform
it into the proper formats. Is the date entry in data/DTSA/list used
for anything besides statistical evaluation?

> > To bring the rest of the rest in the loop; I'm thinking of the following
> > work flow:
> > 
> > 1. Someone is working on a vulnerability in package foo. He checks the
> > highest currently unused DTSA number and commits an initial .adv file
> > into SVN. (can be automated with a little shell script that extracts the
> > highest number and performs the checkin)
> > This is the equivalent of the "claimed" markers for data/CAN/list.
> 
> This is ok as long as we don't mind possibly announcing DTSAs in
> non-numerical order as later ones get finished before earlier ones.

I guess that can't be avoided, as some advisories will require more time
than others. The security team works this way as well.

Cheers,
        Moritz
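The two mechanical steps discussed in this message, claiming the next free DTSA number and putting the new entry at the top of the list file without in-place editing, as an added example. This is not code from the dtsa script or the secure-testing repository. It assumes (the thread does not say) that the list file consists of entries headed by a line of the form `[11 Aug 2005] DTSA-1-1 package - description` followed by indented detail lines, and that advisory dates arrive in ISO form as proposed above. The sample list content is constructed for the demo.

```python
"""Allocate the next DTSA number and prepend its entry to a list file.

Added example, not part of the dtsa tool.  The list layout below is an
assumption: one header line per advisory,
    [11 Aug 2005] DTSA-<n>-<rev> <package> - <description>
optionally followed by tab-indented detail lines.
"""
import os
import re
import tempfile
from datetime import date

# Header line of one list entry (layout assumed, see module docstring).
HEADER_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\] DTSA-(?P<num>\d+)-(?P<rev>\d+) (?P<pkg>\S+) - (?P<desc>.*)$"
)

# Explicit month names: strftime("%b") would depend on the locale.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed sample content in the assumed layout.
SAMPLE_LIST = (
    "[11 Aug 2005] DTSA-2-1 bar - integer overflow\n"
    "\t- bar 1.2-3\n"
    "[01 Aug 2005] DTSA-1-1 foo - buffer overflow\n"
    "\t- foo 0.9-1\n"
)


def highest_dtsa_number(text):
    """Return the highest DTSA number in the list text, or 0 if none."""
    nums = [int(m.group("num"))
            for line in text.splitlines()
            if (m := HEADER_RE.match(line))]
    return max(nums, default=0)


def format_list_date(iso_date):
    """Turn the ISO date from the .adv file into the list's '11 Aug 2005' form.

    Two-digit day is an assumption about the list format.
    """
    d = date.fromisoformat(iso_date)
    return f"{d.day:02d} {MONTHS[d.month - 1]} {d.year}"


def make_entry(num, pkg, desc, iso_date, rev=1):
    """Build the header line for a new DTSA-<num>-<rev> entry."""
    return f"[{format_list_date(iso_date)}] DTSA-{num}-{rev} {pkg} - {desc}"


def prepend_entry(path, entry):
    """Put entry at the top of the list file without editing it in place.

    The new content is written to a temp file in the same directory and
    then renamed over the original, so a concurrent reader (or a crash
    halfway through) never sees a truncated or half-written list.
    """
    with open(path, encoding="utf-8") as f:
        old = f.read()
    new = entry.rstrip("\n") + "\n" + old
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".list.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(new)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX
    except BaseException:
        os.unlink(tmp)
        raise
    return new


def claim_next_dtsa(path, pkg, desc, iso_date):
    """Claim highest+1 as the new DTSA number and record a rev-1 entry.

    The number is only really reserved once the commit succeeds; a
    conflicting concurrent claim shows up as an SVN conflict on this file.
    """
    with open(path, encoding="utf-8") as f:
        num = highest_dtsa_number(f.read()) + 1
    prepend_entry(path, make_entry(num, pkg, desc, iso_date))
    return num


def demo():
    """Run the claim against the constructed sample list in a temp dir.

    Returns (new number, first line of the rewritten list).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "list")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_LIST)
        num = claim_next_dtsa(path, "baz", "format string bug", "2005-08-28")
        with open(path, encoding="utf-8") as f:
            return num, f.read().splitlines()[0]


if __name__ == "__main__":
    print(demo())
```

The rename trick answers the "pythonesque workaround" question: the file is still rewritten whole, but never modified in place, so the append-style guarantee (readers see either the old or the new list) is kept.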
