diff --git a/docs/xml/releases-data.xml b/docs/xml/releases-data.xml
index 0cd30b4c..afc0b0c7 100644
--- a/docs/xml/releases-data.xml
+++ b/docs/xml/releases-data.xml
@@ -140,7 +140,12 @@
A description tag contains a brief description of what is new in the release.
- The description tag is structured as described in .
+ The intended audience of the description are the users of the component (who are typically not developers), and so the description should mention only the user visible changes in the release.
+ The description tag supports child tags as described in .
+
+
+ It is recommended to not link to issue trackers or bug reports, as these typically make no sense to users.
+ If particular issues need to be highlighted (for example, CVEs fixed in this release), they should be listed in the issues tag.
@@ -162,15 +167,41 @@
The issues tag contains issue children defining issues resolved by this release.
- It is used most commonly to mention CVE IDs,
+ It is used most commonly to mention CVE IDs.
+ Software which is interpreting the release notes for the component should present the list of issues separately from the release description. They should not be thought of as a bullet-point list of issues which follow straight on in prose from the description element’s value.
The value of an issue tag must be the bug number, ticket name, or CVE ID and is typically displayed to the user, but may also in case of CVE IDs be read by
machines. The content of an issue element is not translatable, but can be a string appropriate for the project's bug tracker.
- If the element's value is a CVE ID, the type property of the issue tag must be set to cve.
- If the type property is missing, an issue type of generic is assumed. The url property can be used to provide
- a web URL to a details page on the respective issue. It is required for all issue types, except for the cve type, where it is optional.
+
+ The issue tag may have a type property, which should have a value of generic or cve.
+ If the type property is missing, a type of generic is assumed.
+
+
+ It may also have a url property, which should be a URL for a details page on the respective issue.
+
+
+ If type is cve, the element’s value must be a CVE ID in the format defined by MITRE.
+ For example, CVE-2023-12345. Software consuming the release data of a component should be able to append the element’s value to https://nvd.nist.gov/vuln/detail/ to get a page of information about the CVE.
+ If a url property is given, its value overrides any URL constructed from the CVE identifier.
+ The url property is optional if type is cve.
+
+
+ For example:
+
+ bz#12345]]>
+
+ If type is generic or unspecified, the element’s value is a free-form issue identifier, and the url property must be specified.
+ The issue identifier should be shorthand for an issue in the project’s bug tracker, and it does not have to be globally unique. It should be human readable, but does not have to be appropriate for non-technical audiences.
+
+
+ For example:
+
+
+ CVE-2021-28153
+ CVE-2021-27218
+]]>