[Secure-testing-team] Some notes on data commits

Moritz Muehlenhoff jmm at inutil.org
Sun Jan 14 12:01:01 CET 2007


Alex de Oliveira Silva wrote:
> Hello Moritz. How are you? :)

Welcome to the secret cabal of German speaking Debian people. :-)
  
> > - Severity ratings have been repeatedly picked up by news sites
> >   taking it as an official position of the Debian project and
> >   indirectly the Security Team. This means that severity ratings
> >   should only be added with great care. Not every issue needs
> >   a severity rating, if in doubt leave out or mark it unknown.
> >
> > - Do not trust vulnerability web sites or the CVE description!
> 
> Did you mean that I shouldn't trust in mitre CVE "CVSS Severity"?
> I changed many severity bugs using it. :(
> Do you wait for the evaluation of the maintainer to change the severity
> afterwards or do you only look in description of the bug?
> How can I analyze the severities correctly?

We've never actively used CVSS or NVD. The current classifications have
been defined at the Linux Developer's Meeting in Oldenburg in 2005. It's
roughly:

low: security issues w/o real-world ramifications
medium: genuine security problems
high: severe genuine security problems (remote code injection against
important software, issues with an exploit in the wild, popular web
crap with worm potential, Linux root exploits, etc)

It's probably best to follow commits for a while to get a feeling for it.
All in all, severity classifications are rather useless, anyway.

> > - If you add NOT-FOR-US: you should have done significant checking
> >   if that package is not in the archive. If the package can even
> >   be found with "apt-cache search" you haven't tried hard enough.
>
> I made a mistake when I thought that there were no Debian Firefox extensions
> packages. (NOT-FOR-US: Sage extension). Sorry.

No worries. If in doubt just add a TODO: and note the information you've
found about it, see some commits by Stefan as an example.

Cheers,
        Moritz
