[Secure-testing-team] New members, how to help
Stefan Fritsch
sf at sfritsch.de
Thu Mar 13 21:34:33 UTC 2008
Hi,
sorry this mail took so long. So far Nate Campi, Karol Langner, and
Chris Lamb have been added to the Alioth project. You should now be
able to check out and commit to the svn repository.
The thing with which to start is checking new issues. These are added
by a cron job (about two times per week) to data/CVE/list and just
have a "TODO: check". There are a few open issues in there now. If
someone wants to start, please coordinate on #debian-security to
avoid duplicate work.
There is a syntax check in the post-commit hook, so you will not be
able to commit if you break the syntax. The error message can be
cryptic; ask if you have problems. Sometimes, the tracker will detect
errors only after they have been committed. It then sends error
messages to the secure-testing-commits mailing list. Therefore, you
should all subscribe to that list. This list is also where you see
that new open issues have been added to the list.
There is a tool that helps with sorting out all the NOT-FOR-US issues:
See "bin/check-new-issues -h". For the search functions in
check-new-issues to work, you need to have unstable in your
sources.list and have done "apt-get update" and "apt-file update".
Having libterm-readline-gnu-perl installed helps, too.
When you find an issue affecting Debian, find out whether it is
already fixed in Debian and edit the entry accordingly. Look for
corresponding bug reports. File a bug if the issue is not yet fixed
in unstable. Choose the severity of the bug report depending on the
issue. Not all security issues are "grave", many are
only "important", some are only "normal" or "minor". Always mention
the CVE id in the bug report.
I hope this was not too confusing. If you have questions, ask. BTW,
feel free to improve or extend doc/narrative_introduction if
something is missing.
Cheers,
Stefan
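
An added example (not part of the original mail and not the project's own tooling): a small Python script that lists the entries still marked "TODO: check", which is the starting task the mail describes. The file layout it assumes (an unindented "CVE-..." header line followed by indented note lines) and every id and package name in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample. The layout (unindented "CVE-..." header, indented
# notes) is an assumption, not copied from the real data/CVE/list.
SAMPLE = """\
CVE-2008-99901 (constructed description A)
\tTODO: check
CVE-2008-99902 (constructed description B)
\tNOT-FOR-US: ExampleApp
CVE-2008-99903 (constructed description C)
\t- examplepkg 1.0-1 (bug #000000)
CVE-2008-99904 (constructed description D)
\tNOTE: constructed note
\tTODO: check
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})\b")


def parse_entries(text):
    """Return [(cve_id, [note, ...]), ...] in file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # ignore blank lines
        match = HEADER.match(line)
        if match:
            entries.append((match.group(1), []))
        elif line[0] in " \t" and entries:
            # An indented line is a note on the most recent header.
            entries[-1][1].append(line.strip())
        else:
            # Fail loudly instead of silently dropping a malformed line.
            raise ValueError(f"line {lineno}: neither header nor indented note")
    return entries


def unchecked(text):
    """CVE ids whose notes still contain the literal 'TODO: check'."""
    return [cve for cve, notes in parse_entries(text) if "TODO: check" in notes]


if __name__ == "__main__":
    for cve in unchecked(SAMPLE):
        print(cve)
```
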