
Bug#761859: security-tracker json deployed



On Mon, 09 Mar 2015, Holger Levsen wrote:
> I don't, as I've converted the previous YAML output to JSON, because I liked
> the human readability of the result...

Even for the YAML output I would have used a YAML library, so it doesn't
make more sense to me :-)

> > That said, your "repositories" field is weird for now... first it's an array
> > and not a dictionary for a reason that I don't understand. And the values
> > contain only a dictionary with a single key mapping "codename =>
> > version".
> 
> it's the current version as opposed in that repo...

I don't understand. IIRC we said the content of "repositories" and
"releases" was supposed to have the same structure. The only difference
was that it applied to different versions of packages.

>  
> > > And then I thought, urgency would be a per issue field (and thus would be
> > > the same for different suites), with the exception that the (suite
> > > specific) "end-of-life" information is also stored there.
> > > Turned out I was wrong, there are many more cases where the urgency of
> > > issues *is* suite-specific (plus, issues can affect several packages.)
> > I looked at some of the cases you listed, but the original CVE file only
> > has a single urgency... it might be that this urgency is not in line with
> > the urgency retrieved from NVD but that's OK. Our urgency should override
> > that one for our needs.
> 
> when there are suite specific urgencies, the json lists those...

Well, I'm saying that I was agreeing with you. The severity ought to be an
issue/package property, not an issue/package/repository one. And I don't
understand the discrepancy you get because for me there are only two
sources of "urgencies":
- those set on lines like "- tcllib 1.16-dfsg-2 (low; bug #780100)"
- those coming from the NVD database

And in the problematic cases that you listed I only saw one priority set
with a line of the first type (and never found multiple priorities with
lines like "[squeeze] - <package> <something> (low; ...)").

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
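As an added illustration of the two line shapes discussed above (this is not code from the thread or from the security-tracker itself): a small parser over a constructed excerpt in the style of the tracker's CVE list file, separating the plain "- <package> <version> (urgency; ...)" lines, which give the issue/package urgency, from "[suite] - ..." lines, which carry suite-specific overrides. The exact file layout, the placeholder CVE ids and the second entry are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the security-tracker's list file (the
# layout is an assumption, not taken from the thread); the CVE ids are
# placeholders.  The first entry has one issue/package urgency, the second
# also carries a suite-specific "[suite] - ..." line with a different one.
SAMPLE = """\
CVE-0000-0001 (constructed example issue)
\t- tcllib 1.16-dfsg-2 (low; bug #780100)
CVE-0000-0002 (constructed example issue with a suite override)
\t- foo 1.2-3 (medium; bug #123456)
\t[squeeze] - foo <no-dsa> (low)
\tNOTE: free-form note lines are ignored by this parser
"""

ISSUE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})")
# Optional "[suite]" prefix, then "- <package> <version-or-tag>", then an
# optional "(urgency; ...)" annotation whose first token is the urgency.
PKG_RE = re.compile(
    r"^\s+(?:\[(?P<suite>[\w-]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<ver>\S+)"
    r"(?:\s+\((?P<ann>[^)]*)\))?"
)
URGENCIES = {"unimportant", "low", "medium", "high", "end-of-life"}

def parse_list(text):
    """Return {issue: {package: {"urgency": str|None, "suites": {suite: str}}}}."""
    issues = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = ISSUE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PKG_RE.match(line)
        if not (m and current):
            continue
        urgency = None
        if m.group("ann"):
            first = m.group("ann").split(";")[0].strip().lower()
            if first in URGENCIES:
                urgency = first
        entry = issues[current].setdefault(m.group("pkg"), {"urgency": None, "suites": {}})
        if m.group("suite"):
            entry["suites"][m.group("suite")] = urgency   # suite-specific override
        else:
            entry["urgency"] = urgency                    # issue/package urgency
    return dict(issues)

def suite_specific(parsed):
    """(issue, package) pairs whose urgency differs in at least one suite."""
    return {(i, p) for i, pkgs in parsed.items() for p, e in pkgs.items()
            if any(u and u != e["urgency"] for u in e["suites"].values())}
```

Running `suite_specific(parse_list(SAMPLE))` flags only the second constructed entry; the tcllib line from the thread yields a single issue/package urgency with no suite override.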

