[Secure-testing-team] Some notes on data commits

Alex de Oliveira Silva enerv at host.sk
Sun Jan 14 16:57:28 CET 2007


Moritz Muehlenhoff wrote:
> Alex de Oliveira Silva wrote:
>> Hello Moritz. How's it going? :)
>
> Welcome to the secret cabal of German speaking Debian people. :-)

IT'S SECRET!!! Don't tell anyone.

>
>>> - Severity ratings have been repeatedly picked up by news sites
>>>  taking it as an official position of the Debian project and
>>> indirectly the Security Team. This means that severity ratings
>>> should only be added with great care. Not every issue needs a
>>> severity rating, if in doubt leave out or mark it unknown.
>>>
>>> - Do not trust vulnerability web sites or the CVE description!
>> Did you mean that I shouldn't trust the MITRE CVE "CVSS Severity"?
>> I changed many severity bugs using it. :( Do you wait for the
>> evaluation of the maintainer to change the severity afterwards or
>> do you only look at the description of the bug? How can I analyze the
>> severities correctly?
>
> We've never actively used CVSS or NVD. The current classifications
> have been defined at the Linux Developer's Meeting in Oldenburg in
> 2005. It's roughly:
>
> low: security issues w/o real-world ramifications
> medium: genuine security problems
> high: severe genuine security problems (remote code injection against
> important software, issues with an exploit in the wild, popular web
> crap with worm potential, Linux root exploits, etc)
>
> It's probably best to follow commits for a while to get a feeling
> for it. All in all, severity classifications are rather useless,
> anyway.
>

I will do this.
Maybe it is a good idea to put this in the definition of narrative_introduction
and remove this "These are generally based on the 'score' from NVD"?

>>> - If you add NOT-FOR-US: you should have done significant
>>> checking if that package is not in the archive. If the package
>>> can even be found with "apt-cache search" you haven't tried
>>> hard enough.
>> I made a mistake when I thought that there were no Debian Firefox
>> extensions packages. (NOT-FOR-US: Sage extension). Sorry.
>
> No worries. If in doubt just add a TODO: and note the information
> you've found about it, see some commits by Stefan as an example.

Ok, I added some notes in commit 5260 to help and I'll wait to see
how you are going to solve it.

>
> Cheers, Moritz
>


regards,
--
   .''`.
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `-