
Bug#878088: reportbug: please inform security and lts teams about security update regressions
Package: reportbug
Version: 7.1.7
Severity: wishlist
Tags: patch
Hi,

the Debian LTS Team and the Debian Security Team would like to propose
a new feature for reportbug.

We discussed this at DebConf 17 during the LTS BoF and shortly on
debian-lts [1] that it would make sense to inform both teams about
regressions introduced by security updates. We usually receive
word from the maintainer or users who report issues directly to
our mailing lists or IRC channels.

However, we have also discovered that some regressions were never
reported to us. Hence we propose the following feature for reportbug:

If the bug is reported against a package with a version number that
indicates a security update like +deb7u1 or ~deb8u3, both team mailing
lists should be added to CC after the bug reporter confirms that this
is a regression caused by a security update. The confirmation check is
necessary to prevent too many false positives since similar version
strings are used for regular stable updates. However, the default is true
because it is better to receive one e-mail too many than to miss the
regression. Of course this could be changed if it turns out that we
receive too many unwarranted reports.

Please find attached my proposed patch.

Regards,

Markus

[1] https://lists.debian.org/debian-lts/2017/08/msg00034.html
diff -Nru reportbug-7.1.7/bin/reportbug reportbug-7.1.7+nmu1/bin/reportbug
--- reportbug-7.1.7/bin/reportbug	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+nmu1/bin/reportbug	2017-10-09 01:26:16.000000000 +0200
@@ -1926,6 +1926,22 @@
             listcc += ui.get_multiline(
                 'Enter any additional addresses this report should be sent to; press ENTER after each address.')
 
+        # If the bug is reported against a package with a version that
+        # indicates a security update add the security and lts teams to CC
+        # after user confirmation
+        is_security_update = False
+        if pkgversion:
+            regex = re.compile('(\+|~)deb\d+u\d+')
+            if regex.search(pkgversion):
+                if ui.yes_no('Do you want to report a regression because of a security update? ',
+                             'Yes, please inform the LTS and security teams.',
+                             'No or I am not sure.', True):
+                    is_security_update = True
+
+        if is_security_update:
+            email_address = ['debian-lts@lists.debian.org','team@security.debian.org']
+            listcc.extend(email_address)
+
         if severity and rtype:
             severity = debbugs.convert_severity(severity, rtype)
 
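Review bot: the pattern `'(\+|~)deb\d+u\d+'` in the new block is not a raw string, so `\+` and `\d` are invalid escape sequences in a plain Python string literal (Python 3.6 and later warn about this, and the intent depends on the interpreter passing the backslashes through unchanged); write it as `regex = re.compile(r'(\+|~)deb\d+u\d+')`. Two smaller points: the list literal `['debian-lts@lists.debian.org','team@security.debian.org']` is missing a space after the comma, and since the hunk does not add an import it is worth confirming that `re` is already imported in bin/reportbug.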

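The version check and CC logic from the patch, restated as a stand-alone Python snippet. This is an added example, not code from reportbug or from the bug report; it uses a raw-string regex, the sample version strings are constructed, and `user_confirms` is a hypothetical callable standing in for reportbug's `ui.yes_no` prompt.

```python
import re

# Addresses as given in the patch; constants here, not read from any config.
LTS_LIST = 'debian-lts@lists.debian.org'
SECURITY_TEAM = 'team@security.debian.org'

# Raw string so that '\d' is a regex escape, not a Python string escape.
STABLE_UPDATE_RE = re.compile(r'[+~]deb(\d+)u(\d+)')


def stable_update_suffix(pkgversion):
    """Return (debian_release, update_number) when the version carries a
    +debNuM or ~debNuM suffix, otherwise None.

    Both security uploads and regular stable point updates use this
    suffix, so a match alone does not prove a security update; that is
    why the patch asks the reporter before adding the CC addresses."""
    if not pkgversion:
        return None
    m = STABLE_UPDATE_RE.search(pkgversion)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def extra_cc(pkgversion, user_confirms):
    """Addresses to add to CC for this report.

    user_confirms is a callable returning True/False (hypothetical stand-in
    for ui.yes_no); it is only called when the version looks like a
    stable/security update, mirroring the patch."""
    if stable_update_suffix(pkgversion) is None:
        return []
    if not user_confirms():
        return []
    return [LTS_LIST, SECURITY_TEAM]


if __name__ == '__main__':
    # Constructed sample versions: epoch, native package, backport, plain.
    for v in ['1.2.3-1+deb8u2', '1.2.3-1~deb9u1', '1:6.6.3+deb8u1',
              '1.2.3-1~bpo8+1', '2.0-3']:
        print(v, stable_update_suffix(v))
```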