Re: [SECURITY] [DLA 265-1] unattended-upgrades security update

On Fri 03 Jul 2015 13:08:25 CEST, Christian Mack wrote:

> On 03.07.2015 at 13:03, Mike Gabriel wrote:
>> Hi Holger,
>>
>> On Fri 03 Jul 2015 12:48:06 CEST, Holger Levsen wrote:
>>
>>> On Friday, 3 July 2015, Mike Gabriel wrote:
>>>> The only way I can think of in terms of making this more foolproof, I
>>>> guess, is by rejecting mails to debian-lts-announce if
>>>>
>>>>    o a used DLA has not been reserved via the secure-testing SVN repo
>>>>    o the DLA has been reserved in the SVN repo, but for another package
>>>
>>> there is another way, which is probably easier to implement: parse
>>> announce mails and automatically add those DLAs to svn if that hasn't
>>> been done
>>
>> Yeah, I thought of this approach, as well...
>>
>> It will not always succeed, though, as there can be (normally is) a
>> delay between running bin/genDLA and actually sending the DLA mail.
>>
>> My delays normally are:
>>
>>   o write up a nice announcement text
>>   o possibly have lunch break in between
>>   o answer someone's phone or deal with people coming into my office
>>
>> In the meantime, someone else may have run bin/genDLA as well and
>> actually committed the DLA number (I had that once already with Santiago).
>>
>> I guess we can capture something like 80% of the cases (which is good
>> already) by auto-committing DLAs that come in via the d-l-a list, but
>> for a 100% fix-up, we may need to bounce mails, it feels.
>>
>> Though, I am not fully sure here, just lacking imagination here. ;-)
>
> Can this svn commit for the DLA number not be done within bin/genDLA?

Well... Actually it could. Good point. Let me get some feedback from the security team as genDLA is a symlink to genDSA which is the main tool used by the security team.


mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
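As an added illustration (not code from this thread, from bin/genDLA or from the secure-testing repository), here is the list-side check Mike describes: an announce mail is rejected when its DLA number is not reserved, or is reserved for a different package. The reservation list below is a constructed sample whose line layout is assumed to follow the repository's data/DLA/list style; the subject pattern is taken from this thread's own subject line.

```python
import re

# Constructed sample of the reservation list in the secure-testing SVN repo.
# The "[date] DLA-N-M package - security update" layout is an assumption;
# DLA-265-1 / unattended-upgrades comes from this thread's subject line,
# the other entry is made up.
RESERVED_DLAS = """\
[03 Jul 2015] DLA-265-1 unattended-upgrades - security update
[02 Jul 2015] DLA-264-1 libwmf - security update
"""

LIST_RE = re.compile(r"^\[[^\]]+\]\s+DLA-(\d+-\d+)\s+(\S+)\s+-")
# Matches subjects such as "[SECURITY] [DLA 265-1] unattended-upgrades security update"
SUBJECT_RE = re.compile(r"\[DLA\s+(\d+-\d+)\]\s+(\S+)\s+security update")


def parse_reservations(text):
    """Map each reserved DLA id ("265-1") to the source package it was reserved for."""
    reserved = {}
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            reserved[m.group(1)] = m.group(2)
    return reserved


def check_announcement(subject, reserved):
    """Return ("accept"|"reject", reason) for one announce-mail subject.

    Rule 1: the DLA number must already be reserved (catches the race where
            someone else ran bin/genDLA and committed the same number first).
    Rule 2: it must be reserved for the package actually being announced.
    """
    m = SUBJECT_RE.search(subject)
    if not m:
        return "reject", "subject does not look like a DLA announcement"
    dla_id, package = m.group(1), m.group(2)
    if dla_id not in reserved:
        return "reject", f"DLA-{dla_id} is not reserved in the SVN list"
    if reserved[dla_id] != package:
        return "reject", f"DLA-{dla_id} is reserved for {reserved[dla_id]}, not {package}"
    return "accept", f"DLA-{dla_id} is reserved for {package}"


if __name__ == "__main__":
    table = parse_reservations(RESERVED_DLAS)
    for subj in ("[SECURITY] [DLA 265-1] unattended-upgrades security update",
                 "[SECURITY] [DLA 266-1] unattended-upgrades security update",
                 "[SECURITY] [DLA 264-1] unattended-upgrades security update"):
        print(subj, "->", check_announcement(subj, table))
```

A bounced mail under rule 1 is exactly the case Mike estimates auto-committing alone would miss, so a real gateway would want both this check and the auto-commit path.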

