[Secure-testing-team] Some notes on data commits
Moritz Muehlenhoff
jmm at inutil.org
Fri Jan 12 22:59:14 CET 2007

We use a quite open system for maintaining our data, but some notes
to ensure a continuing high level of data quality:

- Do not add <not-affected> entries unless it's very obvious (like
  Windows-specific issues) or clearly stated inside a bug log or
  home page.
- Severity ratings have been repeatedly picked up by news sites
  taking it as an official position of the Debian project and
  indirectly the Security Team. This means that severity ratings
  should only be added with great care. Not every issue needs
  a severity rating, if in doubt leave out or mark it unknown.
- Do not trust vulnerability web sites or the CVE description!
- If you add NOT-FOR-US: you should have done significant checking
  if that package is not in the archive. If the package can even
  be found with "apt-cache search" you haven't tried hard enough.

Cheers,
Moritz