Hi,
as discussed we should implement some changes to our CAN/list and possibly
finalize it as well.
1. The unfixed tag should be pulled out from the brackets and moved to
the place where the actual fix would belong. This makes things
much more structured and logical.

CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
    - texinfo (unfixed; bug #328265; low)

would become

CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
    - texinfo unfixed (bug #328265; low)

2. Issues that we currently can't research on our own should be moved from
TODO: to HELP:. A website is generated from the HELP entries and linked from
secure-testing.debian.net.
3. REJECTED: replaces the current NOTE: rejected; after the : a reason or cross
reference may follow (free form).
4. RESERVED replaces the current NOTE: reserved
5. To track ITPs more cleanly we should add them like this (the source package
name is the one for which the ITP has been filed, but instead of a version
number they get an itp entry). The referenced bug number is the ITP's bug
number, so that we can track whether it gets closed and react upon it.

CAN-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...)
    - mediawiki itp (bug #276057; bug #217571)

6. For syntactical clarity, cross references in {} should only be allowed
directly after the CVE line.
7. After some more thought, I agree with Florian's argument that

    NOT-FOR-US: Ueberl00t BBS Board

is a better solution than

    NOTE: not-for-us (Ueberl00t BBS Board).

The first one permits us to have a concrete machine-parseable solution for
each security issue, while we can use NOTE: to give additional free-form
information.

This will be a big diff, but I think it's worth the effort.
I also agree with your FIXES: proposal for DSA/list.
Please review and let's finalize the format somehow.
Cheers,
Moritz
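
The format proposed in points 1 to 7 above, as a small parser and checker. This is an added example, not part of the original message and not the team's own tooling; the function name, the returned dictionary layout, the indentation of the sample and the CAN-0000-0001 placeholder entry are assumptions.

```python
import re

HEADER = re.compile(r"^(?:CAN|CVE)-\d{4}-\d{4,}\b")
PACKAGE = re.compile(r"^- (?P<pkg>\S+) (?P<state>[^\s(]\S*)(?: \((?P<notes>[^)]*)\))?$")
TAGGED = re.compile(r"^(NOT-FOR-US|REJECTED|HELP|TODO|NOTE):\s*(.*)$")
LEGACY_NOTE = re.compile(r"^(rejected|reserved|not-for-us)\b", re.I)

def parse(text):
    """Parse a list in the proposed syntax; return (entries, errors)."""
    entries, errors, cur, after_header = [], [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if HEADER.match(line):
            cur = {"id": line.split()[0], "xrefs": [], "packages": [], "tags": []}
            entries.append(cur)
            after_header = True
            continue
        if cur is None:
            errors.append((n, "line before the first entry"))
        elif line.startswith("{") and line.endswith("}"):
            if after_header:  # point 6: only directly after the CVE line
                cur["xrefs"] += line[1:-1].split()
            else:
                errors.append((n, "cross reference not directly after the CVE line"))
        elif m := PACKAGE.match(line):  # state is "unfixed", "itp" or a version
            bugs = [int(b) for b in re.findall(r"bug #(\d+)", m["notes"] or "")]
            cur["packages"].append({"package": m["pkg"], "state": m["state"], "bugs": bugs})
        elif line == "RESERVED":
            cur["tags"].append(("RESERVED", ""))
        elif (m := TAGGED.match(line)) and not (m[1] == "NOTE" and LEGACY_NOTE.match(m[2])):
            cur["tags"].append((m[1], m[2]))
        else:  # includes "(unfixed; ...)" and "NOTE: rejected/reserved/not-for-us"
            errors.append((n, "old or unrecognised syntax"))
        after_header = False
    return entries, errors

# Constructed sample: the entries quoted in the e-mail plus a placeholder entry.
SAMPLE = """\
CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to overwrite ...)
\t- texinfo unfixed (bug #328265; low)
CAN-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...)
\t- mediawiki itp (bug #276057; bug #217571)
CAN-0000-0001 (constructed placeholder: one new-style line, two old-style lines)
\tNOT-FOR-US: Ueberl00t BBS Board
\t- texinfo (unfixed; bug #328265; low)
\tNOTE: not-for-us (Ueberl00t BBS Board)
"""
```

Calling parse(SAMPLE) returns the three entries and reports the two old-style lines (7 and 8) as errors.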