[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-24 Thread Nis Martensen
On 24-01-2018 19:37, Markus Koschany wrote: > Thanks. How do you catch the case when security updates are part of a > stable point release? This requires more effort. Does the package tracker offer a way to query such information? The only other idea I have right now involves inspecting the

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-24 Thread Markus Koschany
On 24.01.2018 at 19:32, Nis Martensen wrote:
> How about this?
>
> import apt
>
> def is_security_update(pkgname, version):
>     try:
>         p = apt.Cache()[pkgname]
>     except:
>         return False
>
>     if version not in p.versions:
>         return False
>
>     if

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-24 Thread Nis Martensen
How about this?

import apt

def is_security_update(pkgname, version):
    try:
        p = apt.Cache()[pkgname]
    except:
        return False

    if version not in p.versions:
        return False

    if 'Debian-Security' in [o.label for o in p.versions[version].origins]:

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-24 Thread Markus Koschany
On 24.01.2018 at 16:56, Nis Martensen wrote: > Let me describe my suggestion in more detail: > > - Instead of having the "is this a security version" check > implemented directly in bin/reportbug as a version number check, there > could be a new function "is_security_update(package, version)"

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-24 Thread Nis Martensen
Let me describe my suggestion in more detail: - Instead of having the "is this a security version" check implemented directly in bin/reportbug as a version number check, there could be a new function "is_security_update(package, version)" in reportbug/utils.py. You can move the version number

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-23 Thread Nis Martensen
2018-01-23 15:58 GMT+01:00 Sandro Tosi: > point releases usually include all the security updates from the > previous point release, so they would come from the "main" repo and > not the security one That would only be a problem if they are then no longer available via the

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-23 Thread Sandro Tosi
On Tue, Jan 23, 2018 at 4:30 AM, Nis Martensen wrote: > It might be possible to determine whether an installed package is a > security update by inspecting the output of apt-cache policy pkgname. > Not sure if this information can also be obtained using python3-apt. point

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2018-01-23 Thread Nis Martensen
It might be possible to determine whether an installed package is a security update by inspecting the output of apt-cache policy pkgname. Not sure if this information can also be obtained using python3-apt.

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-29 Thread Salvatore Bonaccorso
Hi Sandro, On Thu, Dec 28, 2017 at 08:30:34PM -0500, Sandro Tosi wrote: > >> +if is_security_update and support != 'none': > >> +if support == 'lts': > >> +email_address = ['debian-...@lists.debian.org'] > >> +else: > >> +

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-28 Thread Sandro Tosi
>> +if is_security_update and support != 'none': >> +if support == 'lts': >> +email_address = ['debian-...@lists.debian.org'] >> +else: >> +email_address = ['t...@security.debian.org'] >> +listcc.extend(email_address) >> +
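Review bot: the `else:` branch under `if support == 'lts':` sends every `support` value other than 'lts' and 'none' to the security team address, so a misspelled or newly introduced value would CC that team without anyone noticing. Compare against the expected value explicitly and add no CC for anything unrecognised. `email_address` is also a one-element list used only as the argument to `listcc.extend(...)`; appending the address directly would read more simply.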

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-22 Thread Markus Koschany
On 21.12.2017 at 22:42, Salvatore Bonaccorso wrote: [...] > Don't worry anymore. It was as well not about all the timeline, I'm > aware when you did the initial ping, but rather on the "we think it > needs a change on security tracker and want this information exposed > ... I want to do the

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-21 Thread Salvatore Bonaccorso
Hi Markus, On Wed, Dec 13, 2017 at 01:34:05PM +0100, Markus Koschany wrote: > Hi Salvatore, > > On 12.12.2017 at 07:19, Salvatore Bonaccorso wrote: > [...] > > I have made the above change now live/committed. The file is still thus > > extensible and for further (and future use). Thanks for your

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-13 Thread Markus Koschany
On 13.12.2017 at 15:11, Guido Günther wrote: > Hi Markus, > (trimming the cc: list a bit since this is just a minor nit): > > [..snip..] >> +for key, value in data.items(): >> +if distnumber in value['major-version']: > > distnumber ==

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-13 Thread Guido Günther
Hi Markus, (trimming the cc: list a bit since this is just a minor nit): [..snip..] > +for key, value in data.items(): > +if distnumber in value['major-version']: distnumber == value['major-version'] might be better since with distnumber = 1 it

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-13 Thread Markus Koschany
Hi Salvatore, On 12.12.2017 at 07:19, Salvatore Bonaccorso wrote: [...] > I have made the above change now live/committed. The file is still thus > extensible and for further (and future use). Thanks for your work on > that! (as a personal note on my side, would have preferred to get less >

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-11 Thread Salvatore Bonaccorso
Hi Markus, On Sun, Dec 10, 2017 at 03:58:30PM +0100, Markus Koschany wrote: > On 10.12.2017 at 13:35, Salvatore Bonaccorso wrote: > [...] > >>> and being accessible under > >>> https://security-tracker.debian.org/tracker/distributions.json > >> > >> That makes a lot of sense! (I used YAML in

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Guido Günther
Hi, On Sun, Dec 10, 2017 at 01:35:43PM +0100, Salvatore Bonaccorso wrote: > Hi Guido, > > On Sun, Dec 10, 2017 at 12:59:05PM +0100, Guido Günther wrote: > > Hi, > > On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote: > > > Hi > > > > > > On Sun, Dec 10, 2017 at 10:00:55AM

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Markus Koschany
On 10.12.2017 at 13:35, Salvatore Bonaccorso wrote: [...] >>> and being accessible under >>> https://security-tracker.debian.org/tracker/distributions.json >> >> That makes a lot of sense! (I used YAML in the example for readability, >> output of the tracker should be JSON). The main reason

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Salvatore Bonaccorso
Hi Guido, On Sun, Dec 10, 2017 at 12:59:05PM +0100, Guido Günther wrote: > Hi, > On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote: > > Hi > > > > On Sun, Dec 10, 2017 at 10:00:55AM +0100, Salvatore Bonaccorso wrote: > > > Hi > > > > > > Cc'ing explicitly Guido and Raphael,

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Guido Günther
Hi, On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote: > Hi > > On Sun, Dec 10, 2017 at 10:00:55AM +0100, Salvatore Bonaccorso wrote: > > Hi > > > > Cc'ing explicitly Guido and Raphael, who commented before. > > > > On Sat, Dec 09, 2017 at 03:25:14PM +0100, Markus Koschany

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Salvatore Bonaccorso
Hi On Sun, Dec 10, 2017 at 10:00:55AM +0100, Salvatore Bonaccorso wrote: > Hi > > Cc'ing explicitly Guido and Raphael, who commented before. > > On Sat, Dec 09, 2017 at 03:25:14PM +0100, Markus Koschany wrote: > > Hi, > > > > I have updated my patch for reportbug. Now emails are sent only to

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Salvatore Bonaccorso
Hi Cc'ing explicitly Guido and Raphael, who commented before. On Sat, Dec 09, 2017 at 03:25:14PM +0100, Markus Koschany wrote: > Hi, > > I have updated my patch for reportbug. Now emails are sent only to one > of the team mailing lists based on the release number in the version > string. There

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-09 Thread Guido Günther
Hi,
On Sat, Dec 09, 2017 at 03:28:09PM +0100, Markus Koschany wrote:
> On 09.12.2017 at 15:21, Guido Günther wrote:
> [...]
> > Looks good in principle. I would use a slightly different json format
> > though (using YAML for readability):
> >
> > wheezy:
> >   major: 7
> >   alias:

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-09 Thread Markus Koschany
On 09.12.2017 at 15:21, Guido Günther wrote:
[...]
> Looks good in principle. I would use a slightly different json format
> though (using YAML for readability):
>
> wheezy:
>   major: 7
>   alias: oldoldstable
> jessy:
>   major: 8
>   alias: oldstable
> stretch:
>   major: 9
>

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-09 Thread Markus Koschany
Hi, I have updated my patch for reportbug. Now emails are sent only to one of the team mailing lists based on the release number in the version string. There is apparently no simple way to determine the relationship between release number, code name, suite and whether this is an LTS release. So we

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-09 Thread Guido Günther
Hi, On Wed, Dec 06, 2017 at 08:48:17AM +0100, Markus Koschany wrote: > On Fri, 1 Dec 2017 09:28:26 +0100 Guido Günther > wrote: > [...] > > I would rather not make psql connections from reportbug. http is > > ubiquitous and can be proxied. That's why I

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-09 Thread Markus Koschany
On Wed, 6 Dec 2017 13:15:59 +0100 Raphael Geissert wrote: > Hi, > > On 6 Dec 2017 08:48, "Markus Koschany" wrote: > > I have updated the patch according to your suggestions. It's a bit > strange that we can't match release numbers and code name already. I

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-06 Thread Raphael Geissert
Hi, On 6 Dec 2017 08:48, "Markus Koschany" wrote: I have updated the patch according to your suggestions. It's a bit strange that we can't match release numbers and code name already. I think it would be best to implement this feature somewhere else but for the sake of moving

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-05 Thread Markus Koschany
On Fri, 1 Dec 2017 09:28:26 +0100 Guido Günther wrote: [...] > I would rather not make psql connections from reportbug. http is > ubiquitous and can be proxied. That's why I mentioned the security > tracker. The nice thing about the security tracker is that we

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-12-01 Thread Guido Günther
Hi Markus, On Thu, Nov 30, 2017 at 06:38:27PM +0100, Markus Koschany wrote: > On Wed, 29 Nov 2017 22:49:55 +0100 Guido Günther > wrote: > [...] > > Can't we deduce if it's LTS from either the package's version number or from > > /etc/debian_version. Once we

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-11-30 Thread Markus Koschany
On Wed, 29 Nov 2017 22:49:55 +0100 Guido Günther wrote: [...] > Can't we deduce if it's LTS from either the package's version number or from > /etc/debian_version. Once we have the code name or number we could do a > simple HTTP call to check if this is stable,

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-11-29 Thread Guido Günther
Hi Markus, Great this is still moving forward! On Wed, Nov 29, 2017 at 08:00:12PM +0100, Markus Koschany wrote: > Hi! [..snip..] > I would prefer this solution. At the moment we check for the version > string and I think that's sufficient for an initial check. The following > actions should be

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-11-29 Thread Markus Koschany
Hi! On Wed, 29 Nov 2017 00:09:28 +0100 Raphael Geissert wrote: > Hi, > > On 9 October 2017 at 19:47, Markus Koschany wrote: > [...] > > If the bug is reported against a package with a version number that > > indicates a security update like +deb7u1 or

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-11-28 Thread Raphael Geissert
Hi, On 9 October 2017 at 19:47, Markus Koschany wrote: [...] > If the bug is reported against a package with a version number that > indicates a security update like +deb7u1 or ~deb8u3, both team mailing > lists should be added to CC after the bug reporter confirms that this >

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-11-28 Thread Markus Koschany
Hello, I still haven't got a response for Debian bug #878088 and I wonder if we should implement this feature in Wheezy (and Jessie/Stretch if the security team agrees) now. Are there any objections, hints, recommendations? Regards, Markus

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-11-03 Thread Markus Koschany
Hi, is there anything that we can do to help getting this into unstable? Would it be ok to patch the reportbug versions in Wheezy, Jessie and Stretch to use this feature? Regards, Markus

[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

2017-10-09 Thread Markus Koschany
Package: reportbug Version: 7.1.7 Severity: wishlist Tags: patch Hi, the Debian LTS Team and the Debian Security Team would like to propose a new feature for reportbug. We discussed this at DebConf 17 during the LTS BoF and shortly on debian-lts [1] that it would make sense to inform both