[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

Hello Sandro,

Am 29.12.2017 um 02:27 schrieb Sandro Tosi:
> Hello everyone,
> let me first apologize for the long time with no input from the
> reportbug maints.

Yes, we were eagerly interested in your comments for this feature but
had to move forward.

> i had a look a the patch and.. i'm not really happy :( it looks like
> the version format is the same for both security updates and stable
> updates: this means for every bug report (on a stable release against
> an updated package) the user will get a prompt if this is a regression
> due to a security update, and they may have no clue because all they
> did is dist-upgrading.

Unfortunately there is no way to differentiate between a security update
and a regular stable update. Stable updates can also include security
fixes which did not warrant a security announcement. The only way to
limit the amount of false notifications to both team mailing lists was
to create a prompt and to ask the user whether this is a security update
regression. If there is a better way to deal with this problem we should
do that.

> i'm not super-excited about making a synchronous call to
> distributions.json but let's say i can live with that (did you try
> your patch with the -O/--offline mode?)

No, I did not try the patch with the --offline flag because we assumed
internet access due to distributions.json.

> is there a way s-t.d.o can get
> queried at the same time to know if the current package/version comes
> from the secteam/lts or is coming from the pkg maintainer as a normal
> stable update?

I am not aware of a method to retrieve this information. Like I said
stable updates can also include security updates and the only way to
determine whether something is a stable/security update is to parse the
package version string. There is no differentiation at the moment.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: