Re: reportbug: please inform security and lts teams about security update regressions
- To: Guido Günther <agx@sigxcpu.org>, 878088@bugs.debian.org
- Cc: apo@debian.org, Debian LTS <debian-lts@lists.debian.org>, "team@security.debian.org" <team@security.debian.org>, geissert@debian.org
- Subject: Re: reportbug: please inform security and lts teams about security update regressions
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 10 Dec 2017 13:35:43 +0100
- Message-id: <20171210123543.hqskrwnb77ghmvoa@lorien.valinor.li>
- Mail-followup-to: Guido Günther <agx@sigxcpu.org>, 878088@bugs.debian.org, apo@debian.org, Debian LTS <debian-lts@lists.debian.org>, "team@security.debian.org" <team@security.debian.org>, geissert@debian.org
- In-reply-to: <20171210115905.GA8714@bogon.m.sigxcpu.org>
- References: <687054c7-d52a-786c-a0f2-93985d87d0fe@debian.org> <ad8060ab-29df-fed0-5bac-6d3c331731d1@debian.org> <20171210090055.GB30428@eldamar.local> <20171210115138.GA19589@eldamar.local> <20171210115905.GA8714@bogon.m.sigxcpu.org>
Hi Guido,
On Sun, Dec 10, 2017 at 12:59:05PM +0100, Guido Günther wrote:
> Hi,
> On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > On Sun, Dec 10, 2017 at 10:00:55AM +0100, Salvatore Bonaccorso wrote:
> > > Hi
> > > 
> > > Cc'ing explicitly Guido and Raphael, who commented before.
> > > 
> > > On Sat, Dec 09, 2017 at 03:25:14PM +0100, Markus Koschany wrote:
> > > > Hi,
> > > > 
> > > > I have updated my patch for reportbug. Now emails are sent only to one
> > > > of the team mailing lists based on the release number in the version
> > > > string. There is apparently no simple way to determine the relationship
> > > > between release number, code name, suite and whether this is a LTS
> > > > release. So we came up with a simple json file which provides this kind
> > > > of information and can be adjusted as time goes by. We think that
> > > > security-tracker.debian.org would be a good place for this file but I'd
> > > > appreciate it if someone from the security team told us the exact location.
> > > > 
> > > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878088#45
> > > 
> > > So let me first understand the information you would need from that
> > > file (here in sort-of-yaml):
> > > 
> > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > > wheezy:
> > >   major-version: 7
> > >   support: lts
> > > jessie:
> > >   major-version: 8
> > >   support: security
> > > stretch:
> > >   major-version: 9
> > >   support: security
> > > buster:
> > >   major-version: 10
> > >   support: none
> > > bullseye:
> > >   major-version: 11
> > >   support: none
> > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > 
> > But rather in JSON than YAML. Florian would not recommend using YAML, and
> > furthermore it's more consistent with the tracker itself.
> > 
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > {
> >   "wheezy": {
> >     "major-version": "7",
> >     "support": "lts"
> >   },
> >   "jessie": {
> >     "major-version": "8",
> >     "support": "security"
> >   },
> >   "stretch": {
> >     "major-version": "9",
> >     "support": "security"
> >   },
> >   "buster": {
> >     "major-version": "10",
> >     "support": "none"
> >   },
> >   "bullseye": {
> >     "major-version": "11",
> >     "support": "none"
> >   }
> > }
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > 
> > and being accessible under https://security-tracker.debian.org/tracker/distributions.json
> 
> That makes a lot of sense! (I used YAML in the example for readability,
> output of the tracker should be JSON). The main reason why I'd prefer
> the tracker is that we can update the file ourselves when switching
> releases.

Yes, I can understand why you prefer the security-tracker itself. My
concern was (and still is, in the back of my head) that we add more mappings. But
with the above, we do not need to take care of stable->oldstable, etc ...
just add the who-is-supporting field.

A version of the above is live on the security-tracker, but I have not
yet committed the changes. I would first like to know: are you happy
with the 'major-version' nomenclature? Otherwise we could change it to
'version'. 'support' should maybe be 'support-by'?

Regards,
Salvatore
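
An added example, not part of the thread or of the reportbug patch: one way a client could use the proposed file to pick the team address for a regression report. The `+deb<N>u<M>` version suffix, the mapping from `support` values to the two addresses in the Cc header, and all function names are assumptions of this sketch.

```python
import json
import re

# The JSON proposed in the message above, embedded so the example runs offline.
DISTRIBUTIONS_JSON = """
{
  "wheezy":   {"major-version": "7",  "support": "lts"},
  "jessie":   {"major-version": "8",  "support": "security"},
  "stretch":  {"major-version": "9",  "support": "security"},
  "buster":   {"major-version": "10", "support": "none"},
  "bullseye": {"major-version": "11", "support": "none"}
}
"""

# Assumption: which list each "support" value routes to (addresses from the Cc header).
TEAM_ADDRESS = {
    "lts": "debian-lts@lists.debian.org",
    "security": "team@security.debian.org",
}

# Assumption: security uploads carry a "+deb<N>u<M>" suffix in the version string.
RELEASE_RE = re.compile(r"\+deb(\d+)u\d+")


def load_by_major(text):
    """Re-index the codename-keyed file by major version, rejecting odd entries."""
    by_major = {}
    for codename, entry in json.loads(text).items():
        major = str(entry["major-version"])
        support = entry["support"]
        if not major.isdigit() or support not in ("lts", "security", "none"):
            raise ValueError(f"unexpected entry for {codename!r}: {entry!r}")
        by_major[major] = (codename, support)
    return by_major


def regression_recipient(version, by_major):
    """Return (codename, address) for a security-update version, else None."""
    matches = RELEASE_RE.findall(version)
    if not matches:
        return None  # no release number in the version: not a security upload
    hit = by_major.get(matches[-1])
    if hit is None:
        return None  # release not listed in the file
    codename, support = hit
    address = TEAM_ADDRESS.get(support)  # "none" has no team to notify
    return (codename, address) if address else None


BY_MAJOR = load_by_major(DISTRIBUTIONS_JSON)
```

Keeping the release-to-team mapping in data rather than in the client means a release moving from security to LTS support only needs a change to the file, which is the property the thread is after.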