Re: Looking for issues affecting wheezy but fixed in squeeze

2016-01-29 Thread Guido Günther
Hi,
On Thu, Jan 28, 2016 at 07:27:20PM +0100, Moritz Mühlenhoff wrote:
> On Sat, Jan 23, 2016 at 02:22:22PM +0100, Guido Günther wrote:
> > Hi,
> > 
> > now that Wheezy LTS is approaching I wondered what would be the best
> > places to help out fixing issues in Wheezy so that upgrading from
> > Squeeze to Wheezy would not introduce new security issues.
> > 
> > Therefore I added bin/lts-needs-forward-port.py (based on
> > lts-cve-triage.py) that lists issues fixed in Squeeze that are unfixed
> > or marked no-dsa in wheezy. O.k. to apply?
> 
> That should also parse next-oldstable-point-update.txt, since several of
> those are likely scheduled for the next wheezy point release.

Good point - I didn't even know about that file. New version
attached.

The CVE-- issues in are problematic since they're not unique
so we have some fuzziness there until the issues get updated.

Am I reading the SVN logs correctly that they are currently hand
maintained? If so, should one add user tags when filing bugs about this
to release.debian.org so it gets easier to track?

Cheers,
 -- Guido
From 18e502cbeeeae7c30966aec5db6ea2b3474042b7 Mon Sep 17 00:00:00 2001
Message-Id: <18e502cbeeeae7c30966aec5db6ea2b3474042b7.1454074057.git@sigxcpu.org>
From: Guido Günther
Date: Sat, 23 Jan 2016 13:49:02 +0100
Subject: [PATCH] Add lts-needs-forward-port
To: debian-lts@lists.debian.org

This looks for issues fixed in LTS but yet unfixed in lts_next taking
into account next-oldstable-point-update.txt.
---
 bin/lts-needs-forward-port.py | 99 +++
 bin/tracker_data.py   | 22 ++
 2 files changed, 121 insertions(+)
 create mode 100755 bin/lts-needs-forward-port.py

diff --git a/bin/lts-needs-forward-port.py b/bin/lts-needs-forward-port.py
new file mode 100755
index 000..fbf859d
--- /dev/null
+++ b/bin/lts-needs-forward-port.py
@@ -0,0 +1,99 @@
+#!/usr/bin/python
+# vim: set fileencoding=utf-8 :
+#
+# Copyright 2016 Guido Günther 
+#
+# This file is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see .
+
+import argparse
+import collections
+import sys
+
+from tracker_data import TrackerData, RELEASES
+
+# lts is currently squeeze, next_lts wheezy
+LIST_NAMES = (
+('needs_fix_in_next_lts',
+ ('Issues that are unfixed in {next_lts} but fixed in {lts}'
+  ).format(**RELEASES)),
+('needs_review_in_next_lts',
+ ('Issues that are no-dsa in {next_lts} but fixed in {lts}'
+  ).format(**RELEASES)),
+('fixed_via_pu_in_oldstable',
+ ('Issues that will be fixed via p-u in {oldstable}'
+  ).format(**RELEASES)),
+)
+
+
+def main():
+def add_to_list(key, pkg, issue):
+assert key in [l[0] for l in LIST_NAMES]
+lists[key][pkg].append(issue)
+
+parser = argparse.ArgumentParser(
+description='Find discrepancies between suites')
+parser.add_argument('--skip-cache-update', action='store_true',
+help='Skip updating the tracker data cache')
+parser.add_argument('--exclude', nargs='+', choices=[x[0] for x in LIST_NAMES],
+help='Filter out specified lists')
+
+args = parser.parse_args()
+
+lists = collections.defaultdict(lambda: collections.defaultdict(lambda: []))
+tracker = TrackerData(update_cache=not args.skip_cache_update)
+
+for pkg in tracker.iterate_packages():
+for issue in tracker.iterate_pkg_issues(pkg):
+status_in_lts = issue.get_status('lts')
+status_in_next_lts = issue.get_status('next_lts')
+
+if status_in_lts.status in ('not-affected', 'open'):
+continue
+
+if status_in_lts.status == 'resolved':
+#  Package will be updated via the next oldstable
+#  point release
+if (issue.name in tracker.oldstable_point_update and
+pkg in tracker.oldstable_point_update[issue.name]):
+add_to_list('fixed_via_pu_in_oldstable', pkg, issue)
+continue
+
+#  The security tracker marks "not-affected" as
+#  "resolved in version 0" (#812410)
+if status_in_lts.reason == 'fixed in 0':
+continue
+
+if status_in_next_lts.status == 'open':
+add_to_list('needs_fix_in_next_lts', pkg, 
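Review bot: the point-update lookup (`issue.name in tracker.oldstable_point_update` followed by `pkg in tracker.oldstable_point_update[issue.name]`) keys on the issue name, and the cover mail says the placeholder CVE names are not unique, so two distinct issues that share a placeholder name on the same package would both be filed under 'fixed_via_pu_in_oldstable'. A comment at that check stating the limitation would save readers of the output from trusting those entries blindly. The same check also runs before the `status_in_lts.reason == 'fixed in 0'` skip, so an issue that is effectively not-affected in lts can still be reported as fixed via p-u; testing 'fixed in 0' first would keep the not-affected handling together with the `('not-affected', 'open')` skip above it. Minor: the `assert key in [l[0] for l in LIST_NAMES]` guard in add_to_list is dropped under `python -O`; with literal keys that is tolerable, but an explicit KeyError would be clearer.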

Re: Looking for issues affecting wheezy but fixed in squeeze

2016-01-28 Thread Antoine Beaupré
On 2016-01-23 08:22:22, Guido Günther wrote:
> Hi,
>
> now that Wheezy LTS is approaching I wondered what would be the best
> places to help out fixing issues in Wheezy so that upgrading from
> Squeeze to Wheezy would not introduce new security issues.
>
> Therefore I added bin/lts-needs-forward-port.py (based on
> lts-cve-triage.py) that lists issues fixed in Squeeze that are unfixed
> or marked no-dsa in wheezy. O.k. to apply?

Looks okay to me. I tested the script and it seems to run fine. It finds
a significant number of issues, however (66!) which means we'll have
quite a bit of catching up to do once we switch to "wheezy-lts mode"...

I think the patch should go in.

a.

-- 
Being cynical is the only way to deal with modern civilization — you
can't just swallow it whole.
- Frank Zappa



Re: Looking for issues affecting wheezy but fixed in squeeze

2016-01-28 Thread Moritz Mühlenhoff
On Sat, Jan 23, 2016 at 02:22:22PM +0100, Guido Günther wrote:
> Hi,
> 
> now that Wheezy LTS is approaching I wondered what would be the best
> places to help out fixing issues in Wheezy so that upgrading from
> Squeeze to Wheezy would not introduce new security issues.
> 
> Therefore I added bin/lts-needs-forward-port.py (based on
> lts-cve-triage.py) that lists issues fixed in Squeeze that are unfixed
> or marked no-dsa in wheezy. O.k. to apply?

That should also parse next-oldstable-point-update.txt, since several of
those are likely scheduled for the next wheezy point release.

Cheers,
Moritz