
Re: reportbug: please inform security and lts teams about security update regressions

Hi Salvatore,

On 12.12.2017 at 07:19, Salvatore Bonaccorso wrote:
> I have made the above change now live/committed. The file is still thus
> extensible and for further (and future use). Thanks for your work on
> that! (as a personal note on my side, would have preferred to get less
> pressure).

Sorry, I didn't want to put pressure on you. The email was just a
declaration of intent to NMU reportbug in Wheezy and a last call for
further suggestions. I haven't got a reply from Sandro yet. I filed
#878088 on 9.10 and attached my initial patch, pinged the bug report
again on 3.11, asked for feedback on both mailing lists on 28.11,
incorporated requested changes in the following days and eventually sent
the final call on 10.12. I believe there was plenty of time to react. If
there is anything to change we can always do that in another revision.

> For jessie and stretch: such an update should go in via a point
> release (like for the debian-security-support package updates). We
> have not heard anything yet on the implementation side from the
> maintainer, Sandro, did you get Markus' updates/proposals? Your input
> would be very appreciated :)

I intend to submit a new version of reportbug with my patch (attached)
for Jessie and Stretch next week.


diff -Nru reportbug-7.1.7/bin/reportbug reportbug-7.1.7/bin/reportbug
--- reportbug-7.1.7/bin/reportbug	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7/bin/reportbug	2017-05-29 22:00:17.000000000 +0200
@@ -32,6 +32,8 @@
 import optparse
 import re
 import locale
+import requests
+import json
 import subprocess
 import shlex
 import email
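Review bot: `import json` is unused by this change (the response is decoded with `r.json()` in the next hunk) and should be dropped; `import requests`, on the other hand, introduces a new runtime dependency, so debian/control needs a matching Depends on python3-requests for the target releases, otherwise reportbug fails at startup on systems where it is not installed.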
@@ -1926,6 +1928,33 @@
             listcc += ui.get_multiline(
                 'Enter any additional addresses this report should be sent to; press ENTER after each address.')
+        # If the bug is reported against a package with a version that
+        # indicates a security update add the security or lts team to CC
+        # after user confirmation
+        is_security_update = False
+        if pkgversion:
+            regex = re.compile('(\+|~)deb(\d+)u(\d+)')
+            secversion = regex.search(pkgversion)
+            if secversion:
+                if ui.yes_no('Do you want to report a regression because of a security update? ',
+                             'Yes, please inform the LTS and security teams.',
+                             'No or I am not sure.', True):
+                    is_security_update = True
+                    distnumber = secversion[2]
+                    r = requests.get('https://security-tracker.debian.org/tracker/distributions.json')
+                    data = r.json()
+                    support = 'none'
+                    for key, value in data.items():
+                        if distnumber in value['major-version']:
+                            support = value['support']
+        if is_security_update and support != 'none':
+            if support == 'lts':
+                email_address = ['debian-lts@lists.debian.org']
+            else:
+                email_address = ['team@security.debian.org']
+            listcc.extend(email_address)
         if severity and rtype:
             severity = debbugs.convert_severity(severity, rtype)
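Review bot: `distnumber = secversion[2]` raises TypeError on the Python versions shipped in jessie and stretch, because subscripting a match object was only added in Python 3.6; use `secversion.group(2)` instead. The `requests.get(...)` call has neither a timeout nor any error handling, so an offline machine, a DNS failure or a non-200 reply from security-tracker.debian.org aborts the whole bug report with a traceback; wrap it in `try`/`except (requests.RequestException, ValueError)`, pass a timeout, and fall back to `support = 'none'` so the report can still be filed without the extra CC. `if distnumber in value['major-version']` is a substring test when major-version is a string, so a release number such as '1' would also match '10'; compare with `==` and break once matched. Minor: write the pattern as a raw string, `r'(\+|~)deb(\d+)u(\d+)'`, to avoid the invalid-escape warning.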
