On Mon, May 29, 2000 at 12:31:01AM -0700, Joey Hess wrote:
> What I'm wondering is if there is some procedure we can put in place to
> facilitate the security team in making announcements of security fixes.
Isn't this essentially the point of setting urgency to "high" in
debian/changelog? I realise that that urgency isn't really used for much
at the moment, but there's no real reason why it couldn't be, is there?
Maybe adding something like:

    sub announce_security_fix {
        # Only source uploads marked urgency=high are announced.
        return
            if ($$changes{urgency} ne "high" || !$$changes{architecture}{source});
        my ($shortsumm,$action) = @_;
        my $list = $DI::securityteam;
        if ($action) {
            # Pipe the announcement to the mailer command in $sendmail.
            open(MAIL, "| $sendmail") || die "$!";
            # Headers, a blank line, then the summary and the .changes text.
            print MAIL "Return-PATH: $myemail
    From: $$changes{maintainer822}
    To: $list
    Subject: Security fix $$changes{source} $$changes{version} installed \("
                .join(" ",keys %{$$changes{architecture}})."\)

    Installed:
    $shortsumm

    $$changes{cfilecontents}
    ";
            close MAIL; $? && die "$?";
        }
    }

...called from install() in dinstall.pl with DI::securityteam set to
"security@debian.org", or something.
Or they could procmail -devel-changes for, ummm,

    # B: match the conditions against the body, where the .changes text is
    :0 Bc
    * Architecture:.*source
    * Urgency: high
    mail/check-me-for-security-updates

or similar too.
OTOH, this only works if people use high urgency consistently. The first
changelog I looked at was:

    Source: boa
    Binary: boa
    Architecture: source i386
    Version: 0.94.8.1-1
    Distribution: unstable frozen
    Urgency: low
    Maintainer: Jonathon D Nelson <jnelson@boa.org>
    Description:
     boa - Lightweight and High Performance WebServer
    Changes:
     boa (0.94.8.1-1) unstable frozen; urgency=low
     .
       * Include 1-line upstream fix for bad umask call (security issue)

so, YMMV.
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.
``We reject: kings, presidents, and voting.
We believe in: rough consensus and working code.''
-- Dave Clark
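
The urgency check from the message above, extended to flag uploads like the boa one where the Changes text mentions a security fix but the urgency is not "high". This is an added example, not part of the original post or of dinstall; `parse_changes`, `classify` and the `SECURITY_HINT` keyword list are hypothetical names and assumptions, and the sample input is the boa upload as quoted in the message.

```python
import re

# Constructed sample: the boa upload quoted in the message above.
BOA_CHANGES = """\
Source: boa
Binary: boa
Architecture: source i386
Version: 0.94.8.1-1
Distribution: unstable frozen
Urgency: low
Maintainer: Jonathon D Nelson <jnelson@boa.org>
Description:
 boa - Lightweight and High Performance WebServer
Changes:
 boa (0.94.8.1-1) unstable frozen; urgency=low
 .
   * Include 1-line upstream fix for bad umask call (security issue)
"""

# Assumed keyword list; tune it for the archive being watched.
SECURITY_HINT = re.compile(r"\b(security|exploit|overflow|symlink|umask)", re.I)


def parse_changes(text):
    """Parse the 'Field: value' lines of a .changes file into a dict.

    Lines starting with whitespace continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            fields[current] = value.strip()
    return fields


def classify(text):
    """Return 'announce', 'review' or 'ignore' for one upload."""
    f = parse_changes(text)
    if "source" not in f.get("architecture", "").split():
        return "ignore"        # binary-only upload
    if f.get("urgency", "").lower().split()[:1] == ["high"]:
        return "announce"      # the urgency=high path from the message
    if SECURITY_HINT.search(f.get("changes", "")):
        return "review"        # security wording, but urgency not high
    return "ignore"
```
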