Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
Hi,

On Monday, 6 July 2015, Ben Hutchings wrote:
> > is anybody working on LTS really using pure svn instead of git-svn? I
> > somewhat doubt it...
> I am. Most commits need to be pushed immediately anyway, right?

well, for LTS probably yes, though I still prefer being able to use "git log", "git diff" and "git show"... (and I also work on the security tracker, where git is even more useful...)

cheers,
Holger
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
On Sat, 2015-07-04 at 10:58 +0200, Holger Levsen wrote:
> Hi,
>
> On Friday, 3 July 2015, Raphael Hertzog wrote:
> > It displays a colorful warning and offers to commit only the
> > modified file (if you use svn, if you use git-svn like me, you're on your
> > own).
>
> is anybody working on LTS really using pure svn instead of git-svn? I
> somewhat doubt it...

I am. Most commits need to be pushed immediately anyway, right?

Ben.

--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
Hi,

On Sun, 05 Jul 2015, Mike Gabriel wrote:
> I just looked at the patch and played with it a little.
>
> Comments:
>
> o We maybe want to do an "svn update" before manipulating data/DLA/list
> and data/dla-needed.txt file? Probably a minor thing, but the svn
> updating could be handled by the script, as well

No opinion here.

> o I'd auto-generate a commit message, something like:
> -m "reserve $IDMODE-$DAID for $PACKAGE"

Done.

> o Also, the "warning" text message on screen is above the svn diff output.
> There it somehow gets lost and "stayed unseen" for me, the first time I tested this
> patch. Maybe the warning message should be right above the "Do you want to commit now?"
> question.(?)

Done. And committed the result.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150706065325.gb24...@home.ouaza.com
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
Hi Raphael,

On Sat 04 Jul 2015 08:25:27 CEST, Raphael Hertzog wrote:

Hi,

On Sat, 04 Jul 2015, Mike Gabriel wrote:
>It displays a colorful warning and offers to commit only the
>modified file (if you use svn, if you use git-svn like me, you're on your
>own).

Why not also commit the changes to the dla-needed.txt file?

I just forgot about it. You're right we should do that too.

What about this then (not entirely tested, I use git-svn):

diff --git a/bin/gen-DSA b/bin/gen-DSA index 395a8f1..9156d0b 100755 --- a/bin/gen-DSA +++ b/bin/gen-DSA
@@ -368,4 +368,17 @@ EOF sed -rn '/^'"$PACKAGE"'\b/{: next;n;/^\s/b next;d};p' $needed_file > $needed_file.new mv $needed_file.new $needed_file echo "$IDMODE text written to ./$IDMODE-$DAID" +if [ "$IDMODE" = "DLA" ]; then + warn "you need to commit the changes to data/$IDMODE/list to actually reserve the $IDMODE number and avoid conflicts with others." + if [ -d .svn ]; then + idmode=$(echo "$IDMODE" | tr A-Z a-z) + echo "Here are the pending changes:" + svn diff data/$IDMODE/list data/$idmode-needed.txt + echo -n "Do you want to commit them now ? [Yn] " + read reply + if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; then + svn commit data/$IDMODE/list data/$idmode-needed.txt + fi + fi +fi fi

Cheers,

I just looked at the patch and played with it a little.

Comments:

  o We maybe want to do an "svn update" before manipulating data/DLA/list and data/dla-needed.txt file? Probably a minor thing, but the svn updating could be handled by the script, as well

  o I'd auto-generate a commit message, something like:
    -m "reserve $IDMODE-$DAID for $PACKAGE"
    I'd actually even prefer having the package version in that commit message, but with my little son sitting next to me, this is a non-trivial task

  o Also, the "warning" text message on screen is above the svn diff output. There it somehow gets lost and "stayed unseen" for me, the first time I tested this patch. Maybe the warning message should be right above the "Do you want to commit now?" question.(?)

All three comments above are more in the "cosmetic improvements" category, so I'd say using your changes without modifications is just fine and helps a lot if people are not accustomed to the LTS upload / announcing workflow that much.

If you think some of the above thoughts are useful, I can work on a follow-up commit during the coming week.
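Review bot: the `svn commit data/$IDMODE/list data/$idmode-needed.txt` line in this hunk discards the exit status of the commit, so when svn rejects it because someone else already reserved the same number (exactly the conflict the preceding `warn` describes), the failure is visible only in svn's own output and the script still finishes as if the reservation had succeeded, with the `./$IDMODE-$DAID` text already written. Suggest `svn commit ... || { warn "commit failed, $IDMODE-$DAID is not reserved"; exit 1; }` so the author cannot miss it; the `svn update` suggested in the comments above then has a concrete failure to recover from rather than silently widening the window.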
Greets,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
Hi,

On Friday, 3 July 2015, Raphael Hertzog wrote:
> It displays a colorful warning and offers to commit only the
> modified file (if you use svn, if you use git-svn like me, you're on your
> own).

is anybody working on LTS really using pure svn instead of git-svn? I somewhat doubt it...

cheers,
Holger
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
Hi,

On Sat, 04 Jul 2015, Mike Gabriel wrote:
> >It displays a colorful warning and offers to commit only the
> >modified file (if you use svn, if you use git-svn like me, you're on your
> >own).
>
> Why not also commit the changes to the dla-needed.txt file?

I just forgot about it. You're right we should do that too.

What about this then (not entirely tested, I use git-svn):

diff --git a/bin/gen-DSA b/bin/gen-DSA index 395a8f1..9156d0b 100755 --- a/bin/gen-DSA +++ b/bin/gen-DSA @@ -368,4 +368,17 @@ EOF sed -rn '/^'"$PACKAGE"'\b/{: next;n;/^\s/b next;d};p' $needed_file > $needed_file.new mv $needed_file.new $needed_file echo "$IDMODE text written to ./$IDMODE-$DAID" +if [ "$IDMODE" = "DLA" ]; then + warn "you need to commit the changes to data/$IDMODE/list to actually reserve the $IDMODE number and avoid conflicts with others." + if [ -d .svn ]; then + idmode=$(echo "$IDMODE" | tr A-Z a-z) + echo "Here are the pending changes:" + svn diff data/$IDMODE/list data/$idmode-needed.txt + echo -n "Do you want to commit them now ? [Yn] " + read reply + if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; then + svn commit data/$IDMODE/list data/$idmode-needed.txt + fi + fi +fi fi

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
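Review bot: the `svn diff` and `svn commit` lines in this hunk name the needed file as `data/$idmode-needed.txt`, while the context lines just above rewrite that same file through `$needed_file`; computing the path twice (once via `tr A-Z a-z`, which inside the `IDMODE = DLA` branch can only ever yield `dla`) lets the two spellings drift apart, so pass `$needed_file` to both svn calls and drop the `idmode` variable. Also, `svn commit` is invoked without `-m`, so the user is dropped into an editor at the prompt; a generated message such as `-m "reserve $IDMODE-$DAID for $PACKAGE"` keeps the flow non-interactive, and `read -r reply` avoids backslash handling in the answer.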
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
Hi Raphael,

On Fri 03 Jul 2015 21:19:14 CEST, Raphael Hertzog wrote:
> On Fri, 03 Jul 2015, Mike Gabriel wrote:
> > I just discussed this with Moritz Mühlenhoff on #debian-security. His
> > request is to leave all genDSA specific stuff in the genD{S,L}A script
> > untouched.
>
> What about the attached patch?
>
> It displays a colorful warning and offers to commit only the
> modified file (if you use svn, if you use git-svn like me, you're on your
> own).

Why not also commit the changes to the dla-needed.txt file?

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
On Fri, Jul 03, 2015 at 09:19:14PM +0200, Raphael Hertzog wrote:
> On Fri, 03 Jul 2015, Mike Gabriel wrote:
> > I just discussed this with Moritz Mühlenhoff on #debian-security. His
> > request is to leave all genDSA specific stuff in the genD{S,L}A script
> > untouched.
>
> What about the attached patch?
>
> It displays a colorful warning and offers to commit only the
> modified file (if you use svn, if you use git-svn like me, you're on your
> own).
>
> I can make that conditional on IDMODE=DLA but I believe it can be useful
> for the security team too. You can skip the commit if you have a good
> reason and it avoids you typing one command in other cases.

No, keep gen-DSA for DSA as-is
Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
On Fri, 03 Jul 2015, Mike Gabriel wrote:
> I just discussed this with Moritz Mühlenhoff on #debian-security. His
> request is to leave all genDSA specific stuff in the genD{S,L}A script
> untouched.

What about the attached patch?

It displays a colorful warning and offers to commit only the modified file (if you use svn, if you use git-svn like me, you're on your own).

I can make that conditional on IDMODE=DLA but I believe it can be useful for the security team too. You can skip the commit if you have a good reason and it avoids you typing one command in other cases.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

diff --git a/bin/gen-DSA b/bin/gen-DSA index 395a8f1..82d3c64 100755 --- a/bin/gen-DSA +++ b/bin/gen-DSA @@ -368,4 +368,12 @@ EOF sed -rn '/^'"$PACKAGE"'\b/{: next;n;/^\s/b next;d};p' $needed_file > $needed_file.new mv $needed_file.new $needed_file echo "$IDMODE text written to ./$IDMODE-$DAID" +warn "you need to commit the changes to data/$IDMODE/list to actually reserve the $IDMODE number and avoid conflicts with others." +if [ -d .svn ]; then + echo -n "Do you want to commit it now ? [Yn] " + read reply + if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; then + svn commit data/$IDMODE/list + fi +fi fi
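Review bot: `svn commit data/$IDMODE/list` in this hunk commits only the list, yet the context lines directly above it also rewrite `$needed_file` (`mv $needed_file.new $needed_file`), so after answering Y the reservation lands in the repository while the matching needed-file change stays uncommitted in the working copy; pass `$needed_file` to `svn commit` as well. The new `warn`/commit block is also unconditional, so it runs for IDMODE=DSA as much as for DLA; if gen-DSA is to stay as it is for the security team, wrap it in `if [ "$IDMODE" = "DLA" ]; then ... fi`.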
bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)
Hi all,

On Fri 03 Jul 2015 13:49:29 CEST, Mike Gabriel wrote:
> > Can this svn commit for the DLA number not be done within bin/genDLA ?
>
> Well... Actually it could. Good point. Let me get some feedback from the security team as genDLA is a symlink to genDSA which is the main tool used by the security team.

I just discussed this with Moritz Mühlenhoff on #debian-security. His request is to leave all genDSA specific stuff in the genD{S,L}A script untouched.

For the LTS workflow, we could consider this:

  (a) Adding option --commit which does the SVN commit directly, only available if also --save is given
  (b) Commit directly, if --save is given. Allow old functionality of --save in conjunction with a new option --no-commit.

Feedback, thoughts?

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Re: [SECURITY] [DLA 265-1] unattended-upgrades security update
On Fri 03 Jul 2015 13:08:25 CEST, Christian Mack wrote:
> Hello
>
> On 03.07.2015 at 13:03, Mike Gabriel wrote:
> > Hi Holger,
> >
> > On Fri 03 Jul 2015 12:48:06 CEST, Holger Levsen wrote:
> > > Hi,
> > >
> > > On Friday, 3 July 2015, Mike Gabriel wrote:
> > > > The only way I can think of in terms of making this more foolproof, I
> > > > guess, is by rejecting mails to debian-lts-announce if
> > > >
> > > >   o a used DLA has not been reserved via the secure-testing SVN repo
> > > >   o the DLA has been reserved in the SVN repo, but for another package
> > >
> > > there is another way, which is probably easier to implement: parse
> > > debian-lts-announce mails and automatically add those DLAs to svn if that
> > > hasn't been done already.
> >
> > Yeah, I thought of this approach, as well...
> >
> > It will not always succeed, though, as there can be (normally is) a delay
> > between running bin/genDLA and actually sending the DLA mail.
> >
> > My delays normally are:
> >
> >   o write up a nice announcement text
> >   o possibly have lunch break in between
> >   o answer someone's phone or deal with people coming into my office
> >
> > In the meantime, someone else may have run bin/genDLA as well and actually
> > committed the DLA number (I had that once already with Santiago).
> >
> > I guess we can capture something like 80% of the cases (which is good
> > already) by auto-committing DLAs that come in via the d-l-a list, but for
> > a 100% fix-up, we may need to bounce mails, it feels.
> >
> > Though, I am not fully sure here, just lacking imagination here. ;-)
>
> Can this svn commit for the DLA number not be done within bin/genDLA ?

Well... Actually it could. Good point. Let me get some feedback from the security team as genDLA is a symlink to genDSA which is the main tool used by the security team.

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Re: [SECURITY] [DLA 265-1] unattended-upgrades security update
Hello

On 03.07.2015 at 13:03, Mike Gabriel wrote:
> Hi Holger,
>
> On Fri 03 Jul 2015 12:48:06 CEST, Holger Levsen wrote:
>
>> Hi,
>>
>> On Friday, 3 July 2015, Mike Gabriel wrote:
>>> The only way I can think of in terms of making this more foolproof, I
>>> guess, is by rejecting mails to debian-lts-announce if
>>>
>>>   o a used DLA has not been reserved via the secure-testing SVN repo
>>>   o the DLA has been reserved in the SVN repo, but for another package
>>
>> there is another way, which is probably easier to implement: parse
>> debian-lts-announce mails and automatically add those DLAs to svn if that
>> hasn't been done already.
>
> Yeah, I thought of this approach, as well...
>
> It will not always succeed, though, as there can be (normally is) a
> delay between running bin/genDLA and actually sending the DLA mail.
>
> My delays normally are:
>
>   o write up a nice announcement text
>   o possibly have lunch break in between
>   o answer someone's phone or deal with people coming into my office
>
> In the meantime, someone else may have run bin/genDLA as well and
> actually committed the DLA number (I had that once already with Santiago).
>
> I guess we can capture something like 80% of the cases (which is good
> already) by auto-committing DLAs that come in via the d-l-a list, but
> for a 100% fix-up, we may need to bounce mails, it feels.
>
> Though, I am not fully sure here, just lacking imagination here. ;-)

Can this svn commit for the DLA number not be done within bin/genDLA ?

Kind regards,
Christian Mack
Re: [SECURITY] [DLA 265-1] unattended-upgrades security update
Hi Holger,

On Fri 03 Jul 2015 12:48:06 CEST, Holger Levsen wrote:
> Hi,
>
> On Friday, 3 July 2015, Mike Gabriel wrote:
> > The only way I can think of in terms of making this more foolproof, I
> > guess, is by rejecting mails to debian-lts-announce if
> >
> >   o a used DLA has not been reserved via the secure-testing SVN repo
> >   o the DLA has been reserved in the SVN repo, but for another package
>
> there is another way, which is probably easier to implement: parse
> debian-lts-announce mails and automatically add those DLAs to svn if that
> hasn't been done already.

Yeah, I thought of this approach, as well...

It will not always succeed, though, as there can be (normally is) a delay between running bin/genDLA and actually sending the DLA mail.

My delays normally are:

  o write up a nice announcement text
  o possibly have lunch break in between
  o answer someone's phone or deal with people coming into my office

In the meantime, someone else may have run bin/genDLA as well and actually committed the DLA number (I had that once already with Santiago).

I guess we can capture something like 80% of the cases (which is good already) by auto-committing DLAs that come in via the d-l-a list, but for a 100% fix-up, we may need to bounce mails, it feels.

Though, I am not fully sure here, just lacking imagination here. ;-)

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Re: [SECURITY] [DLA 265-1] unattended-upgrades security update
Hi,

On Friday, 3 July 2015, Mike Gabriel wrote:
> The only way I can think of in terms of making this more foolproof, I
> guess, is by rejecting mails to debian-lts-announce if
>
>   o a used DLA has not been reserved via the secure-testing SVN repo
>   o the DLA has been reserved in the SVN repo, but for another package

there is another way, which is probably easier to implement: parse debian-lts-announce mails and automatically add those DLAs to svn if that hasn't been done already.

cheers,
Holger
Re: [SECURITY] [DLA 265-1] unattended-upgrades security update
Hi Michael, hi LTS team,

On Thu 02 Jul 2015 11:17:41 CEST, Michael Vogt wrote:
> Package        : unattended-upgrades
> Version        : 0.62.2+squeeze1
> CVE ID         : CVE-2015-1330
> Bug            : LP: #1466380
>
> It was discovered that unattended-upgrades, a script for automatic
> installation of security upgrades, did not properly authenticate
> downloaded packages when the force-confold or force-confnew dpkg options
> were enabled via the DPkg::Options::* apt configuration.
>
> We recommend that you upgrade your unattended-upgrades package.

I just saw Michael's DLA announcement and realize that I have used the same DLA for pykerberos today.

Such an issue occurs, if people use bin/genDLA (from secure-testing repo), but don't push the resulting changes back to the secure-testing SVN.

(@Michael: Don't feel bad about this. It is a weakness in the workflow (sorry for saying that). I will check documentation later, to make sure it is very obvious that DLA mails may only be sent if that DLA number has been requested previously and also checked into SVN. I suppose that you have not pushed to SVN _before_ sending your DLA mail, right? As it seems, you haven't pushed the DLA entry in secure-testing at all, so far, right?).

This has happened before and I feel we need to get this DLA requesting/mail-sending system more foolproof, especially for DDs/DMs not directly involved with the LTS team and not so accustomed to the LTS team's workflow.

The only way I can think of in terms of making this more foolproof, I guess, is by rejecting mails to debian-lts-announce if

  o a used DLA has not been reserved via the secure-testing SVN repo
  o the DLA has been reserved in the SVN repo, but for another package

Feedback, comments?
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
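The two rejection rules Mike proposes above (DLA not reserved; DLA reserved, but for another package), implemented as a pre-send check over the announcement subject and data/DLA/list. This is an added example, not code from the list, from genDLA or from the secure-testing repository; the entry layout of data/DLA/list and the sample entries are assumptions modelled on the DSA/list format, with placeholder versions, and DLA-265-1 is shown reserved for pykerberos to reproduce the clash described in the thread.

```python
import re

# Constructed sample of data/DLA/list for this example. The layout (one
# header line per advisory followed by indented detail lines) is an
# assumption modelled on the DSA/list format; the version strings, the
# CVE id and the second entry are placeholders.
SAMPLE_DLA_LIST = """\
[03 Jul 2015] DLA-265-1 pykerberos - security update
\t{CVE-2015-XXXX}
\t[squeeze] - pykerberos 0.0-placeholder
[02 Jul 2015] DLA-264-1 example-package - security update
\t[squeeze] - example-package 0.0-placeholder
"""

# Subject shape used on debian-lts-announce:
#   "[SECURITY] [DLA 265-1] unattended-upgrades security update"
SUBJECT_RE = re.compile(r"\[DLA (\d+-\d+)\]\s+(\S+)")
# Header line shape assumed for data/DLA/list:
#   "[03 Jul 2015] DLA-265-1 pykerberos - security update"
ENTRY_RE = re.compile(r"^\[[^\]]+\]\s+DLA-(\d+-\d+)\s+(\S+)")


def parse_dla_list(text):
    """Map 'NNN-M' -> source package for every header line of the list.
    Indented detail lines (CVE ids, per-suite versions) are skipped."""
    reserved = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            reserved[m.group(1)] = m.group(2)
    return reserved


def parse_subject(subject):
    """Return (dla_id, package) from an announcement subject, or None."""
    m = SUBJECT_RE.search(subject)
    return (m.group(1), m.group(2)) if m else None


def check_announcement(subject, dla_list_text):
    """Apply the two rules: the DLA id must be reserved in the list, and
    reserved for the package named in the subject.  Returns 'accept',
    'not-reserved', 'reserved-for-other-package' or 'no-dla-id'."""
    parsed = parse_subject(subject)
    if parsed is None:
        return "no-dla-id"
    dla_id, package = parsed
    reserved = parse_dla_list(dla_list_text)
    if dla_id not in reserved:
        return "not-reserved"
    if reserved[dla_id] != package:
        return "reserved-for-other-package"
    return "accept"


if __name__ == "__main__":
    for subj in ("[SECURITY] [DLA 265-1] unattended-upgrades security update",
                 "[SECURITY] [DLA 265-1] pykerberos security update",
                 "[SECURITY] [DLA 266-1] example-package security update"):
        print(subj, "->", check_announcement(subj, SAMPLE_DLA_LIST))
```

With the sample list, the unattended-upgrades subject from this thread is reported as reserved-for-other-package, which is the double-use the proposal is meant to catch; a list filter would reject such a mail and bounce it to the sender.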