[Secure-testing-team] New members, how to help
Moritz Muehlenhoff
jmm at inutil.org
Fri Mar 14 15:00:12 UTC 2008
On Thu, Mar 13, 2008 at 10:34:33PM +0100, Stefan Fritsch wrote:
> Hi,
>
> sorry this mail took so long. So far Nate Campi, Karol Langner, and
> Chris Lamb have been added to the Alioth project. You should now be
> able to check out and commit to the svn repository.
>
> The thing with which to start is checking new issues. These are added
> by a cron job (about two times per week) to data/CVE/list and just
> have a "TODO: check". There are a few open issues in there now. If
> someone wants to start, please coordinate on #debian-security to
> avoid duplicate work.
>
> There is a syntax check in the post-commit hook, so you will not be
> able to commit if you break the syntax. The error message can be
> cryptic; ask if you have problems. Sometimes, the tracker will detect
> errors only after they have been committed. It then sends error
> messages to the secure-testing-commits mailing list. Therefore, you
> should all subscribe to that list. This list is also where you see
> that new open issues have been added to the list.
>
> There is a tool that helps with sorting out all the NOT-FOR-US issues:
> See "bin/check-new-issues -h". For the search functions in
> check-new-issues to work, you need to have unstable in your
> sources.list and have done "apt-get update" and "apt-file update".
> Having libterm-readline-gnu-perl installed helps, too.
>
> When you find an issue affecting Debian, find out whether it is
> already fixed in Debian and edit the entry accordingly. Look for
> corresponding bug reports. File a bug if the issue is not yet fixed
> in unstable. Choose the severity of the bug report depending on the
> issue. Not all security issues are "grave", many are
> only "important", some are only "normal" or "minor". Always mention
> the CVE id in the bug report.
>
> I hope this was not too confusing. If you have questions, ask. BTW,
> feel free to improve or extend doc/narrative_introduction if
> something is missing.

Also, please keep in mind that all commits are reviewed by more
experienced members, so potential errors are likely spotted/fixed
early and don't cause immediate harm.

Please keep an eye on the commit log mailing list, since
the commit messages are likely to contain valuable information.
As an example, see the commit I just fixed up.

Cheers,
Moritz