
Re: Bug#761945: fixing links for DLAs in the security tracker



On 2017-03-29 17:02:44, Salvatore Bonaccorso wrote:
> Hi Antoine,

Hi!

> If you want to look at this part: There is a ./parse-dla.pl script in
> the webwml CVS, which is used to import the DLAs (this is an
> analogeous script to parse-advisory.pl which is used to import the
> DSAs).

I see... The scripts are in /english/security for anyone looking. And if
people are (like me) thinking "... wat.. CVS?" then yes, we are still
using this:

https://www.debian.org/devel/website/using_cvs

My cvs commandline finger memory is *definitely* still there though, so
that works for me. :)

> The "manual" steps one would perform are roughly:
>
> ./parse-dla.pl $message
> cvs add $year/dla-$nr.{wml,data}
> cvs commit -m '[DLA $nr] $source security update'

Is this something the security team performs as part of the DSA release
process? Or is this something the debian-www people do? I guess you need
write access to the repository and I see that *you* do, but is this
expected from everyone working on releasing public advisories, the same
way we need access to the security tracker?

And to import older entries, we'll need the original templates, which we
deliberately did *not* commit anywhere, so they are basically available
only as mailing list archives, and thus hard to find automatically.

I foresee difficulties in importing the missing data...

Here are the bits that are missing:

 * the last DLA on the website is DLA-445-2, which is basically the last
   DLA before squeeze support ended and wheezy was handed over

 * among those 445 DLAs, there are actually 31 missing:

   webwml$ cd english/security/; find -name 'dla-*.wml' | wc -l
   424

 * even worse, it seems there are at least 20 advisories missing from
   the website because regression uploads hide advisories, because our
   naming convention differs from DSA ("DLA-XXX-N", where XXX is the
   original advisory and N are regression updates)

   $ grep DLA- data/DLA/list | sed 's/.* DLA-//;s/ .*//' | sort -n | sed '/445-2/,$d' | wc -l
   465

 * the canonical list has 928 advisories:

   secure-testing$ grep DLA- data/DLA/list | wc -l 
   928

So, lots of work there.

> The background work leading to that was done by Frank Lichtenheld in
> #762255.

Great to see that! It does seem problematic to import regression updates
however.

> having something on the debian-www side which does this
> automatically, once a DSA or DLA arrives would help surely the
> debian-www team who then "only" have to do the translations and fix
> obvious mistakes. OTOH keep in mind: When the debian-www team imports
> a DSA or DLA they may need to do some adjustments so, I'm not sure if
> it's liked to have the automatism, since sometimes before cvs commit
> some changes need to be done on the .wml file. 

It looks like this is something that should be discussed with the www
people... Maybe a bug against www.debian.org?

This begs the question, however - wouldn't it be simpler to import those
advisories in the security tracker directly?

At least, we should figure out why the imports have ceased after
wheezy-LTS started...

> Writing the above a bit in a hurry let me know if unclear what I
> meant.

Thanks for the response!

A.

-- 
What this country needs is more unemployed politicians.
                        - Angela Davis
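Added example (not part of the mail above, and not a script from the security tracker or webwml): the counts in the message only say how many DLAs are absent from the website; the script below turns the same two inputs (the tracker's data/DLA/list and the `find` output over english/security) into the actual list of missing advisory numbers, and separately lists the regression updates (DLA-XXX-N with N > 1) that are hidden behind an existing dla-XXX.wml page. It assumes the list format "[DD Mon YYYY] DLA-NNN-N source - description", which is what the `sed` pipeline quoted in the mail relies on, and it assumes the website keeps one dla-NNN.wml per advisory number; the sample inputs are constructed, not real tracker or webwml data.

```sh
#!/bin/sh
# Added example: cross-check data/DLA/list against the webwml tree.
# Assumptions (not confirmed by the thread): list lines look like
# "[DD Mon YYYY] DLA-NNN-N source - description", and the website stores
# one page per advisory as english/security/<year>/dla-NNN.wml, so
# regression updates (DLA-NNN-2, -3, ...) share the page of DLA-NNN-1.

# Constructed sample of data/DLA/list (format assumed, see above).
SAMPLE_LIST='[11 Jun 2014] DLA-1-1 foo - security update
[12 Jun 2014] DLA-2-1 bar - security update
[13 Jun 2014] DLA-2-2 bar - regression update
[14 Jun 2014] DLA-3-1 baz - security update
[15 Feb 2016] DLA-445-1 qux - security update
[16 Feb 2016] DLA-445-2 qux - regression update
[17 Feb 2016] DLA-446-1 quux - security update'

# Constructed sample of `find english/security -name 'dla-*.wml'`.
SAMPLE_WML='./2014/dla-1.wml
./2014/dla-3.wml
./2016/dla-445.wml'

# tracker_ids: print every "NNN-N" id found on stdin, one per line,
# using the same extraction as the pipeline quoted in the mail.
tracker_ids() {
    grep 'DLA-' | sed 's/.* DLA-//;s/ .*//'
}

# wml_numbers: turn find output (./YEAR/dla-NNN.wml, with or without a
# "-N" suffix) into bare advisory numbers.
wml_numbers() {
    sed -n 's!.*/dla-\([0-9][0-9]*\).*\.wml$!\1!p'
}

# missing_advisories LIST WML: advisory numbers present in the tracker
# list that have no dla-NNN.wml at all, each once, sorted numerically.
missing_advisories() {
    {
        printf '%s\n' "$2" | wml_numbers | sed 's/^/W /'
        printf '%s\n' "$1" | tracker_ids | sed 's/-.*//; s/^/T /'
    } | awk '$1 == "W" { have[$2] = 1; next }
             $1 == "T" && !($2 in have) && !seen[$2]++ { print $2 }' | sort -n
}

# hidden_regressions LIST WML: regression ids (N > 1) whose base number
# does have a page, i.e. advisories the dla-NNN naming convention hides.
hidden_regressions() {
    {
        printf '%s\n' "$2" | wml_numbers | sed 's/^/W /'
        printf '%s\n' "$1" | tracker_ids | sed 's/^/T /'
    } | awk '$1 == "W" { have[$2] = 1; next }
             $1 == "T" { split($2, p, "-");
                         if (p[2] + 0 > 1 && (p[1] in have)) print "DLA-" $2 }'
}

# count_ids LIST: number of DLA ids in the tracker list (the "928" figure).
count_ids() {
    printf '%s\n' "$1" | tracker_ids | wc -l | tr -d ' '
}

# Stand-alone run on the constructed samples. For the real trees use
# "$(cat data/DLA/list)" and "$(find english/security -name 'dla-*.wml')".
echo "tracker ids: $(count_ids "$SAMPLE_LIST")"
echo "advisory numbers with no page:"
missing_advisories "$SAMPLE_LIST" "$SAMPLE_WML"
echo "regression updates hidden behind an existing page:"
hidden_regressions "$SAMPLE_LIST" "$SAMPLE_WML"
```

On the samples this reports advisory numbers 2 and 446 as having no page and DLA-445-2 as hidden behind dla-445.wml; on the real data the first list is what an import run would have to fill, while the second is the set that no per-number import can represent without a change to the website's naming.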

