Hello Moritz. How are you? :)

On Fri, 12 Jan 2007 22:59:14 +0100, Moritz Muehlenhoff wrote:
> We use a quite open system for maintaining our data, but some notes
> to ensure a continuing high level of data quality:
>
> - Do not add <not-affected> entries unless it's very obvious (like
>   Windows-specific issues) or clearly stated inside a bug log or
>   home page.

ok.

> - Severity ratings have been repeatedly picked up by news sites
>   taking it as an official position of the Debian project and
>   indirectly the Security Team. This means that severity ratings
>   should only be added with great care. Not every issue needs
>   a severity rating, if in doubt leave out or mark it unknown.
>
> - Do not trust vulnerability web sites or the CVE description!

Did you mean that I shouldn't trust the MITRE CVE "CVSS Severity"? I changed many severity bugs using it. :(
Do you wait for the evaluation of the maintainer to change the severity afterwards, or do you only look at the description of the bug?
How can I analyze the severities correctly?

> - If you add NOT-FOR-US: you should have done significant checking
>   if that package is not in the archive. If the package can even
>   be found with "apt-cache search" you haven't tried hard enough.

I made a mistake when I thought that there were no Debian Firefox extension packages. (NOT-FOR-US: Sage extension). Sorry.

> Cheers,
> Moritz

