[Secure-testing-team] Some notes on data commits

Alex de Oliveira Silva enerv at host.sk
Sat Jan 13 02:51:47 CET 2007


Hello Moritz. How are you? :)
 
On Fri, 12 Jan 2007 22:59:14 +0100, Moritz Muehlenhoff wrote
> We use a quite open system for maintaining our data, but some notes
> to ensure a continuing high level of data quality:
>
> - Do not add <not-affected> entries unless it's very obvious (like
>   Windows-specific issues) or clearly stated inside a bug log or
>   home page.

ok.

> - Severity ratings have been repeatedly picked up by news sites
>   taking it as an official position of the Debian project and
>   indirectly the Security Team. This means that severity ratings
>   should only be added with great care. Not every issue needs
>   a severity rating, if in doubt leave out or mark it unknown.
>
> - Do not trust vulnerability web sites or the CVE description!

Did you mean that I shouldn't trust the MITRE CVE "CVSS Severity"?
I changed the severity of many bugs using it. :(
Do you wait for the maintainer's evaluation to change the severity
afterwards, or do you only look at the description of the bug?
How can I analyze the severities correctly?

> - If you add NOT-FOR-US: you should have done significant checking
>   if that package is not in the archive. If the package can even
>   be found with "apt-cache search" you haven't tried hard enough.

 
I made a mistake when I thought that there were no Debian Firefox extension
packages. (NOT-FOR-US: Sage extension). Sorry.
 
> Cheers,
>         Moritz
>



