</para>
<para>
When closing security bugs include CVE numbers as well as the
-<literal>Closes: #<replaceable>nnnnn</replaceable></literal>
+<literal>Closes: #<replaceable>nnnnn</replaceable></literal>.
This is useful for the security team to track vulnerabilities. If an upload is
made to fix the bug before the advisory ID is known, it is encouraged to modify
the historical changelog entry with the next upload. Even in this case, please
<listitem>
<para>
Any fixed packages that you have prepared yourself (send only the
-<literal>.diff.gz</literal> and <literal>.dsc</literal> files and read <xref
+<filename>.diff.gz</filename> and <filename>.dsc</filename> files and read <xref
linkend="bug-security-building"/> first)
</para>
</listitem>
a false sense of good maintenance. For the same reason, team members do
not need to add themselves to the <literal>Uploaders</literal> field just because they are
uploading the package once, they can do a “Team upload” (see <xref
-linkend="nmu-team-upload"/>). Conversely, it it a bad idea to keep a
+linkend="nmu-team-upload"/>). Conversely, it is a bad idea to keep a
package with only the mailing list address as a <literal>Maintainer</literal> and no
<literal>Uploaders</literal>.
</para>