[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)

On Mon, May 29, 2000 at 12:31:01AM -0700, Joey Hess wrote:
> What I'm wondering is if there is some prodedure we can put in place to
> facilitate the security team in making announcements of security fixes.

Isn't this essentially the point of setting urgency to "high" in
debian/changelog? I realise that that urgency isn't really used for much
at the moment, but there's no real reason why it couldn't be, is there?

Maybe adding something like:

sub announce_security_fix() {
        if ($$changes{urgency} ne "high" || !$$changes{architecture}{source});

    my ($shortsumm,$action) = @_;
    my $list = $DI::securityteam;

    if ($action) {
        open(MAIL, "| $sendmail") || die "$!";
        print MAIL "Return-PATH: $myemail
From: $$changes{maintainer822}
To: $list
Subject: Security fix $$changes{source} $$changes{version} installed \("
	.join(" ",keys %($$changes{architecture}})."\)


        close MAIL; $? && die "$?";

...called from install() in dinstall.pl with DI::securityteam set to
"security@debian.org", or something.

Or they could procmail -devel-changes for, ummm,

:0 bc
* Architecture:.*source
* Urgency: high

or similar too.

OTOH, this only works if people use high urgency consistently. The first
changelog I looked at was:

	Source: boa
	Binary: boa
	Architecture: source i386
	Distribution: unstable frozen
	Urgency: low
	Maintainer: Jonathon D Nelson <jnelson@boa.org>
	 boa        - Lightweight and High Performance WebServer
	 boa ( unstable frozen; urgency=low
	   * Include 1-line upstream fix for bad umask call (security issue)

so, YMMV.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

  ``We reject: kings, presidents, and voting.
                 We believe in: rough consensus and working code.''
                                      -- Dave Clark

Attachment: pgpSEDpRGe52G.pgp
Description: PGP signature

Reply to: