Bug#761061: tracker doesn't show closed issues as done

2014-09-11 Thread Holger Levsen
Hi,

On Wednesday, 10 September 2014, Moritz Muehlenhoff wrote:
> It's only that no one has come around to change this. But since you now
> have experience with the code base... :-)

grummel, this seems to be true ;)

From what I've said on IRC just now:

  * | h01ger is happy to report that he has patched the security tracker so it
    e.g. shows what's fixed through lts uploads in the file package

What's funny though is that it still doesn't know about wheezy-security,
just lts :)
Haven't dug into the cause any more last night, but the source_packages table
doesn't seem to hold the wheezy-security packages, yet the tracker knows which
DSA was fixed in which version.

I'll now do some other stuff and later continue with this...

(Oh, and it now just shows squeeze and squeeze-lts, as it would show wheezy
and wheezy-security if that were in source_packages... I'm tempted to debug
this now, but really need to do other stuff first :)


cheers,
Holger




Bug#761061: tracker doesn't show closed issues as done

2014-09-11 Thread Holger Levsen
Hi,

On Thursday, 11 September 2014, Holger Levsen wrote:
> (Oh, and it now just shows squeeze and squeeze-lts, as it would show wheezy
> and wheezy-security if that were in source_packages... I'm tempted to debug
> this now, but really need to do other stuff first :)

Grummel. And so this is fixed now too. Will propose patches later for real.

(The cause for this was that I did make update-$MANY_THINGS (and even added
an update-all target) but forgot to run make all, which is now fixed/included
in my update-all target too. Guess those targets need some cleanup too...)


cheers,
Holger






Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Holger Levsen
package: security-tracker
severity: important
x-debbugs-cc: debian-...@lists.debian.org

Hi,

the tracker doesn't show issues which are only closed in the security or lts
subreleases as closed, as for example can be seen on
https://security-tracker.debian.org/tracker/source-package/file

E.g. https://security-tracker.debian.org/tracker/CVE-2014-3478 is closed in both
wheezy-security as well as squeeze-lts, yet the /tracker/source-package/file
lists it as open.

(The pages like https://security-tracker.debian.org/tracker/CVE-2014-3478
are also less clean, but at least they contain the right info visibly, just a
bit scrambled.)

I believe the bug is in getBugsForSourcePackage() in lib/python/security_db.py 
but I couldn't yet wrap my head around it properly to fix it. 

There seem to be several functions (in security_db.py) which only deal with 
the releases (sid, jessie, wheezy, squeeze) but not the subreleases (security, 
lts).

I'd be happy to discuss this issue and possible strategies to fix it in either 
#debian-security or #debian-lts


cheers,
Holger




Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Salvatore Bonaccorso
Hi,

On Wed, Sep 10, 2014 at 02:06:01PM +0200, Holger Levsen wrote:
> package: security-tracker
> severity: important
> x-debbugs-cc: debian-...@lists.debian.org
>
> Hi,
>
> the tracker doesn't show issues which are only closed in the security or lts
> subreleases as closed, as for example can be seen on
> https://security-tracker.debian.org/tracker/source-package/file
>
> E.g. https://security-tracker.debian.org/tracker/CVE-2014-3478 is closed in both
> wheezy-security as well as squeeze-lts, yet the /tracker/source-package/file
> lists it as open.
>
> (The pages like https://security-tracker.debian.org/tracker/CVE-2014-3478
> are also less clean, but at least they contain the right info visibly, just a
> bit scrambled.)
>
> I believe the bug is in getBugsForSourcePackage() in
> lib/python/security_db.py
> but I couldn't yet wrap my head around it properly to fix it.
>
> There seem to be several functions (in security_db.py) which only deal with
> the releases (sid, jessie, wheezy, squeeze) but not the subreleases
> (security, lts).

The tabular view clearly would need some improvement and making clear
where the fix is already, e.g. wheezy-security but not yet wheezy. I
try to explain. The version tracked on the individual CVE pages is
*correct* from the following point of view: A fix is in wheezy-security
already, but not yet accepted into the wheezy suite. This happens when
the release team accepts an upload through security, which gets
uploaded to wheezy-proposed-updates-NEW to be integrated into an
upcoming point release [*]. It is not enough from the stable point of view
for having the fix available in stable to have it only on
wheezy-security -- it also needs to be included into a wheezy point
release.

Thus for example taking CVE-2014-3478 we have:

squeeze, squeeze (security)   5.04-5+squeeze5   vulnerable
squeeze (lts)                 5.04-5+squeeze6   fixed
wheezy                        5.11-2+deb7u3     vulnerable
wheezy (security)             5.11-2+deb7u4     fixed
jessie, sid                   1:5.19-2          fixed

One issue is: with -lts it will never happen that packages will be
integrated into squeeze, as there will be no point releases including
the -lts fixes into squeeze.

 [*] An example where this currently does not happen is openjdk-7.

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140910150143.GA8592@eldamar.local



Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Holger Levsen
Hi Salvatore,

On Wednesday, 10 September 2014, Salvatore Bonaccorso wrote:
> The tabular view clearly would need some improvement and making clear
> where the fix is already, e.g. wheezy-security but not yet wheezy. I
> try to explain. The version tracked on the individual CVE pages is
> *correct* from the following point of view: A fix is in wheezy-security
> already, but not yet accepted into the wheezy suite.

Thanks for explaining this here also, but as on IRC I wonder:

for whom is that view useful?

Or in other words: I'd like a view which shows me which issues are (not) fixed
in wheezy-security and squeeze-lts. I don't care at all about wheezy and
squeeze alone, like many, many other users.

> It is not enough from the stable point of view
> for having the fix available in stable to have it only on
> wheezy-security -- it also needs to be included into a wheezy point
> release.

That's a view about which very, very few people are concerned, namely stable
release managers ;) All the rest are using -security and are fine once the fix
is there :)

> squeeze, squeeze (security)   5.04-5+squeeze5   vulnerable
> squeeze (lts)                 5.04-5+squeeze6   fixed
> wheezy                        5.11-2+deb7u3     vulnerable
> wheezy (security)             5.11-2+deb7u4     fixed
> jessie, sid                   1:5.19-2          fixed
>
> One issue is: with -lts it will never happen that packages will be
> integrated into squeeze, as there will be no point releases including
> the -lts fixes into squeeze.

I don't really see this as an issue *with practical impact*.


cheers,
Holger







Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Moritz Muehlenhoff
On Wed, Sep 10, 2014 at 05:13:35PM +0200, Holger Levsen wrote:
> Hi Salvatore,
>
> On Wednesday, 10 September 2014, Salvatore Bonaccorso wrote:
> > The tabular view clearly would need some improvement and making clear
> > where the fix is already, e.g. wheezy-security but not yet wheezy. I
> > try to explain. The version tracked on the individual CVE pages is
> > *correct* from the following point of view: A fix is in wheezy-security
> > already, but not yet accepted into the wheezy suite.
>
> Thanks for explaining this here also, but as on IRC I wonder:
>
> for whom is that view useful?

For no one, we already discussed that during the security team meeting
and we decided to fix the view as also described in your bug report.

It's only that no one has come around to change this. But since you now
have experience with the code base... :-)

Cheers,
Moritz





Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Moritz Muehlenhoff
On Wed, Sep 10, 2014 at 08:56:48PM +0200, Yves-Alexis Perez wrote:
> On Wed., 2014-09-10 at 19:50 +0200, Moritz Muehlenhoff wrote:
> > On Wed, Sep 10, 2014 at 05:13:35PM +0200, Holger Levsen wrote:
> > > Hi Salvatore,
> > >
> > > On Wednesday, 10 September 2014, Salvatore Bonaccorso wrote:
> > > > The tabular view clearly would need some improvement and making clear
> > > > where the fix is already, e.g. wheezy-security but not yet wheezy. I
> > > > try to explain. The version tracked on the individual CVE pages is
> > > > *correct* from the following point of view: A fix is in wheezy-security
> > > > already, but not yet accepted into the wheezy suite.
> > >
> > > Thanks for explaining this here also, but as on IRC I wonder:
> > >
> > > for whom is that view useful?
> >
> > For no one, we already discussed that during the security team meeting
> > and we decided to fix the view as also described in your bug report.
> >
> > It's only that no one has come around to change this. But since you now
> > have experience with the code base... :-)
> >
> It's still important to have the data available because wheezy is what
> you get when you pick the latest install media.

But they also contain the security apt sources, so this is rather theoretical.

Cheers,
Moritz





Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Yves-Alexis Perez
On Wed., 2014-09-10 at 19:50 +0200, Moritz Muehlenhoff wrote:
> On Wed, Sep 10, 2014 at 05:13:35PM +0200, Holger Levsen wrote:
> > Hi Salvatore,
> >
> > On Wednesday, 10 September 2014, Salvatore Bonaccorso wrote:
> > > The tabular view clearly would need some improvement and making clear
> > > where the fix is already, e.g. wheezy-security but not yet wheezy. I
> > > try to explain. The version tracked on the individual CVE pages is
> > > *correct* from the following point of view: A fix is in wheezy-security
> > > already, but not yet accepted into the wheezy suite.
> >
> > Thanks for explaining this here also, but as on IRC I wonder:
> >
> > for whom is that view useful?
>
> For no one, we already discussed that during the security team meeting
> and we decided to fix the view as also described in your bug report.
>
> It's only that no one has come around to change this. But since you now
> have experience with the code base... :-)
>
It's still important to have the data available because wheezy is what
you get when you pick the latest install media.
-- 
Yves-Alexis




Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Yves-Alexis Perez
On Wed., 2014-09-10 at 20:42 +0200, Moritz Muehlenhoff wrote:
> On Wed, Sep 10, 2014 at 08:56:48PM +0200, Yves-Alexis Perez wrote:
> > On Wed., 2014-09-10 at 19:50 +0200, Moritz Muehlenhoff wrote:
> > > On Wed, Sep 10, 2014 at 05:13:35PM +0200, Holger Levsen wrote:
> > > > Hi Salvatore,
> > > >
> > > > On Wednesday, 10 September 2014, Salvatore Bonaccorso wrote:
> > > > > The tabular view clearly would need some improvement and making clear
> > > > > where the fix is already, e.g. wheezy-security but not yet wheezy. I
> > > > > try to explain. The version tracked on the individual CVE pages is
> > > > > *correct* from the following point of view: A fix is in wheezy-security
> > > > > already, but not yet accepted into the wheezy suite.
> > > >
> > > > Thanks for explaining this here also, but as on IRC I wonder:
> > > >
> > > > for whom is that view useful?
> > >
> > > For no one, we already discussed that during the security team meeting
> > > and we decided to fix the view as also described in your bug report.
> > >
> > > It's only that no one has come around to change this. But since you now
> > > have experience with the code base... :-)
> > >
> > It's still important to have the data available because wheezy is what
> > you get when you pick the latest install media.
>
> But they also contain the security apt sources, so this is rather theoretical.

No, some people don't have easy access to security sources (for example
disconnected networks where mirror sync is manual) and thus having a way
to know the status in current is useful. It's also useful in
audit/forensics.

Regards,
-- 
Yves-Alexis




Bug#761061: tracker doesn't show closed issues as done

2014-09-10 Thread Michael Gilbert
On Wed, Sep 10, 2014 at 3:03 PM, Yves-Alexis Perez wrote:
> On Wed., 2014-09-10 at 20:42 +0200, Moritz Muehlenhoff wrote:
> > On Wed, Sep 10, 2014 at 08:56:48PM +0200, Yves-Alexis Perez wrote:
> > > On Wed., 2014-09-10 at 19:50 +0200, Moritz Muehlenhoff wrote:
> > > > On Wed, Sep 10, 2014 at 05:13:35PM +0200, Holger Levsen wrote:
> > > > > Hi Salvatore,
> > > > >
> > > > > On Wednesday, 10 September 2014, Salvatore Bonaccorso wrote:
> > > > > > The tabular view clearly would need some improvement and making clear
> > > > > > where the fix is already, e.g. wheezy-security but not yet wheezy. I
> > > > > > try to explain. The version tracked on the individual CVE pages is
> > > > > > *correct* from the following point of view: A fix is in wheezy-security
> > > > > > already, but not yet accepted into the wheezy suite.
> > > > >
> > > > > Thanks for explaining this here also, but as on IRC I wonder:
> > > > >
> > > > > for whom is that view useful?
> > > >
> > > > For no one, we already discussed that during the security team meeting
> > > > and we decided to fix the view as also described in your bug report.
> > > >
> > > > It's only that no one has come around to change this. But since you now
> > > > have experience with the code base... :-)
> > > >
> > > It's still important to have the data available because wheezy is what
> > > you get when you pick the latest install media.
> >
> > But they also contain the security apt sources, so this is rather
> > theoretical.
>
> No, some people don't have easy access to security sources (for example
> disconnected networks where mirror sync is manual) and thus having a way
> to know the status in current is useful.

Except that there is much less reason for concern about security in
disconnected scenarios.  Especially since there is no access to the
online tracker to get that information anyway.

Best wishes,
Mike

