[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: reportbug: please inform security and lts teams about security update regressions



Hi Markus,

On Sun, Dec 10, 2017 at 03:58:30PM +0100, Markus Koschany wrote:
> Am 10.12.2017 um 13:35 schrieb Salvatore Bonaccorso:
> [...]
> >>> and beeing accessible under https://security-tracker.debian.org/tracker/distributions.json
> >>
> >> That makes as lot of sense! (I used YAML in the example for readability,
> >> output of the tracker should be JSON). The main reason why I'd prefer
> >> the tracker is that we can update the file ourselves when switching
> >> releases.
> > 
> > Yes I can understand why you prefer the security-tracker itself. My
> > convern was (and still in back on my head), we add more mappings. But
> > with eabove, we do not need to take care of stable->oldstable, etc ...
> > just add the who-is-supporting field.
> > 
> > A version of the above is live on the security-tracker, but I have not
> > yet commited the changes. I would first like to know: are you happy
> > with the 'major-version' nomenclature, otherwise we could change it to
> > 'version'. 'support' should maybe 'support-by'?
> 
> Hi,
> 
> IMO my version of distributions.json did the same thing. We only can
> deduce the version from the package, so the version was the key and the
> values were "lts", "oldstable", "stable". Everything else is not supported.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=878088;filename=distribution.json;msg=45
> 
> For the next LTS this file would look like
> 
> 8: "lts"
> 9: "stable"
> 
> and then
> 
> 8: "lts"
> 9: "oldstable"
> 10: "stable"
> 
> 
> More information is not required. The code looks like that:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=878088;filename=reportbug.debdiff;msg=45
> 
> 
> Of course I can also use the new json file. If I don't hear any further
> objections I am going to use
> 
> https://security-tracker.debian.org/tracker/distributions.json
> 
> from now on. I intend to release an update of reportbug for Wheezy next
> week. Please contact me if you are interested in an upgrade for Jessie
> and Stretch as well.

I have made the above change now live/commited. The file is still thus
extensible and for futher (and future use). Thanks for your work on
that! (as a personal note on my side, would have prefered to get less
pressure).

For jessie and stretch: such an update should go in via a point
release (like for the debian-security-support package updates). We
have not heard anything yet on the implementation side from the
maintainer, Sandro, did you got Markus updates/proposals? Your input
would be very appreciated :)

Regards,
Salvatore


Reply to: