/[secure-testing]/data/README

Contents of /data/README

Revision 8467
Wed Apr 2 04:37:33 2008 UTC (5 years, 1 month ago) by devin-guest
File size: 2154 byte(s)
etch not vulnerable to filename buffer overrun.  Expand documentation on
formatting of these lines.
The checklist program can be run on a system with madison available to
check vulnerability info from the list files against what packages are in
testing. Also, updatelist is used by the Makefile to update the lists
with new info from Mitre. So the various list files need a common,
machine-parsable format. That format is:

    begin claimed by foo

    [date] id description
        {id id id}
        UPCASE: text
        - package [version] (note; note; note)

    end claimed by foo


Without writing a format grammar, because this is really rather ad-hoc and
probably will be replaced with something better:

[date]
    The date of the advisory in the form dd Mmm YYYY (01 Nov 2004).
    Optional, only given for DSAs at the moment.
id
    DSA-nnn-n, CVE-YYYY-nnnn, etc.
description
    Pretty much freeform description of the problem. Short and optional.
    By convention, if it's taken automatically from an upstream data
    source, it will be in parens. If you want to use a different
    description, put it in square brackets instead.
{id id id}
    This is used to link to other ids that describe the same hole.
    Generally used to link DSAs to CVEs and back.
UPCASE
    Any word in upper case, typically NOTE, HELP, TODO, RESERVED,
    REJECTED, NOT-FOR-US.
    May be repeated for each entry.
- package [version] (note; note; note)
    Indicates that the problem is fixed in the given version of the
    package. May repeat for other packages. If the problem is unfixed,
    use "<unfixed>" as the version. If the problem doesn't affect Debian,
    use "<not-affected>" as the version. If the problem only affects
    shipped releases for which the stable security team provides
    security support, and the affected package has meanwhile been removed
    from the archive, use "<removed>" as the version. If the problem
    affects a particular release, prepend "[release]" before the
    "- package" to reflect as much.

    The notes can be freeform, but some are understood by the tools,
    including "bug #nnnnn", "bug filed", and the urgencies "high",
    "medium", "low", "unimportant" and "unknown".

begin claimed by foo
end claimed by foo
    Marks a set of items that are being checked by someone.
    Used to avoid duplicate work.
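
A small parser for the format described above, as an added example (not part of the README or of the secure-testing tools). It assumes indentation is not significant, that the version is written bare, and that an UPCASE word may appear without ": text"; the dict field names and the sample entries are constructed for illustration.

```python
import re
# Line shapes from the README. Assumptions: indentation is not significant,
# the version is written bare, and an UPCASE word may appear without ": text".
CLAIM = re.compile(r"^(begin|end) claimed by (.+)$")
XREF = re.compile(r"^\{(.*)\}$")
TAG = re.compile(r"^([A-Z][A-Z-]*)(?::\s*(.*))?$")
PKG = re.compile(r"^(?:\[(\w+)\]\s+)?-\s+(\S+)(?:\s+([^\s(]+))?(?:\s+\((.*)\))?$")
HEAD = re.compile(r"^(?:\[(\d{2} \w{3} \d{4})\]\s+)?(\S+)(?:\s+(.*))?$")
URGENCIES = {"high", "medium", "low", "unimportant", "unknown"}
STATES = {"<unfixed>", "<not-affected>", "<removed>"}
# Constructed sample input, not taken from a real list file.
SAMPLE = """\
begin claimed by foo
CVE-2008-0001 (Constructed upstream description)
    {DSA-0001-1}
    NOTE: constructed note
    - examplepkg 1.2-3 (bug #100001; medium)
    [etch] - examplepkg <not-affected> (vulnerable code not present)
end claimed by foo
[02 Apr 2008] DSA-0001-1 examplepkg - constructed advisory
    - otherpkg <unfixed> (bug filed)
"""

def _current(entries, lineno):
    if not entries:
        raise ValueError(f"line {lineno}: detail line before any entry header")
    return entries[-1]

def parse_list(text):
    entries, claimed_by = [], None
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if m := CLAIM.match(line):
            claimed_by = m[2] if m[1] == "begin" else None
        elif m := XREF.match(line):
            _current(entries, lineno)["xrefs"] += m[1].split()
        elif m := PKG.match(line):
            notes = [n.strip() for n in (m[4] or "").split(";") if n.strip()]
            _current(entries, lineno)["packages"].append(dict(
                release=m[1], package=m[2], notes=notes,
                state=m[3] if m[3] in STATES else None,
                fixed_in=m[3] if m[3] not in STATES else None,
                urgency=next((n for n in notes if n in URGENCIES), None),
                bugs=[n for n in notes if n.startswith("bug ")]))
        elif m := TAG.match(line):
            _current(entries, lineno)["tags"].append((m[1], m[2] or ""))
        elif m := HEAD.match(line):  # blank lines match nothing and are skipped
            entries.append(dict(date=m[1], id=m[2], description=m[3] or "", xrefs=[],
                                tags=[], packages=[], claimed_by=claimed_by))
    return entries
```

Filtering the result for package entries whose state is "<unfixed>" gives the open issues per package; a detail line that appears before any header raises ValueError rather than being dropped silently.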
