
Re: improving the report-vuln script



On 2017-03-31 21:32:27, Salvatore Bonaccorso wrote:
> Hi Antoine,
>
> I just have pushed your changes (and only the minor changes, but not
> all).

Excellent, thanks.

[...]

> JFTR. If you use reportbug this *is* actually the behaviour, so
> actually no policy-change in that sense. Whoever uses reportbug, and
> adds tag 'security' to the report, then the X-Debbugs-CC to the two
> lists is added automatically:
>
> https://sources.debian.net/src/reportbug/7.1.5/bin/reportbug/#L2085

Yep, that's what I figured... it's just that the script header says to use
"mutt", which of course didn't add those headers.

[...]

> Again, the security-tracker is based on source-packages so I would
> think having this as default for report-vuln would make sense. But we
> can leave it as default to 'Package:'. Do you have capacity to
> implement the feature with --src to change the header? Otherwise I
> will look into it.

I noticed you did just that, so I don't think anything is necessary on
my part, right?

>> I'd vote for "affected" as it's unambiguous. we could then also have
>> "--fixed" if we so desire. ;)
>
> Well --fixed would be wrong :). It is the found version, triaged where
> the vulnerability is present ;-). Ok I agree with you --version is
> unclear, so let's stick with your --affected.

Oh, what I meant is we could use "--affected" for the versions we know
are vulnerable and "--fixed" for the versions that are *not* affected.

Actually, now that I think about it, maybe "--found" would be more
appropriate than "--affected", as it reuses the vocabulary of the bts
commands...

[...]

This all looks good to me for now. Next time I open such bugs I may find
other issues and will roll a new patchset as necessary.

Cheers!

A.

