
Re: reportbug: please inform security and lts teams about security update regressions



Hi Guido,

On Sun, Dec 10, 2017 at 12:59:05PM +0100, Guido Günther wrote:
> Hi,
> On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > On Sun, Dec 10, 2017 at 10:00:55AM +0100, Salvatore Bonaccorso wrote:
> > > Hi
> > > 
> > > Cc'ing explicitly Guido and Raphael, who commented before.
> > > 
> > > On Sat, Dec 09, 2017 at 03:25:14PM +0100, Markus Koschany wrote:
> > > > Hi,
> > > > 
> > > > I have updated my patch for reportbug. Now emails are sent only to one
> > > > of the team mailing lists based on the release number in the version
> > > > string. There is apparently no simple way to determine the relationship
> > > > between release number, code name, suite and whether this is a LTS
> > > > release. So we came up with a simple json file which provides this kind
> > > > of information and can be adjusted as time goes by. We think that
> > > > security-tracker.debian.org would be a good place for this file but I'd
> > > > appreciate it if someone from the security team told us the exact location.
> > > > 
> > > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878088#45
> > > 
> > > So let me first understand the information you would need from that
> > > file (here in sort-of-yaml):
> > > 
> > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > > wheezy:
> > >   major-version: 7
> > >   support: lts
> > > jessie:
> > >   major-version: 8
> > >   support: security
> > > stretch:
> > >   major-version: 9
> > >   support: security
> > > buster:
> > >   major-version: 10
> > >   support: none
> > > bullseye:
> > >   major-version: 11
> > >   support: none
> > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > 
> > But rather in JSON than YAML. Florian would not recommend using YAML, and
> > furthermore it's more consistent with the tracker itself.
> > 
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > {
> >   "wheezy": {
> >     "major-version": "7",
> >     "support": "lts"
> >   },
> >   "jessie": {
> >     "major-version": "8",
> >     "support": "security"
> >   },
> >   "stretch": {
> >     "major-version": "9",
> >     "support": "security"
> >   },
> >   "buster": {
> >     "major-version": "10",
> >     "support": "none"
> >   },
> >   "bullseye": {
> >     "major-version": "11",
> >     "support": "none"
> >   }
> > }
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > 
> > and being accessible under https://security-tracker.debian.org/tracker/distributions.json
> 
> That makes a lot of sense! (I used YAML in the example for readability,
> output of the tracker should be JSON). The main reason why I'd prefer
> the tracker is that we can update the file ourselves when switching
> releases.

Yes, I can understand why you prefer the security-tracker itself. My
concern was (and still is, in the back of my head) that we add more mappings. But
with the above, we do not need to take care of stable->oldstable, etc ...
just add the who-is-supporting field.

A version of the above is live on the security-tracker, but I have not
yet committed the changes. I would first like to know: are you happy
with the 'major-version' nomenclature, otherwise we could change it to
'version'. 'support' should maybe be 'support-by'?

Regards,
Salvatore
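
An added example, not part of the original message or of the reportbug patch: one way a client could consume the JSON proposed in this thread to decide which team supports the release a package version belongs to. It assumes security uploads carry a `+debNuM` (or `~debNuM`) version suffix; the function names are hypothetical and the embedded JSON is the sample from the thread.

```python
import json
import re

# Constructed sample: the mapping proposed in the thread, embedded to run offline.
DISTRIBUTIONS_JSON = """{
  "wheezy":   {"major-version": "7",  "support": "lts"},
  "jessie":   {"major-version": "8",  "support": "security"},
  "stretch":  {"major-version": "9",  "support": "security"},
  "buster":   {"major-version": "10", "support": "none"},
  "bullseye": {"major-version": "11", "support": "none"}
}"""

# Assumption: stable/LTS security uploads are versioned like 1.0.1t-1+deb8u7.
DEB_SUFFIX = re.compile(r"[+~]deb(\d+)u\d+")
KNOWN_SUPPORT = {"security", "lts", "none"}  # values shown in the thread


def load_support_map(text):
    """Parse the JSON into {major-version: (codename, support)}, rejecting bad entries."""
    result = {}
    for codename, entry in json.loads(text).items():
        if not isinstance(entry, dict):
            raise ValueError(f"{codename}: entry is not an object")
        major, support = entry.get("major-version"), entry.get("support")
        if not (isinstance(major, str) and major.isdigit()):
            raise ValueError(f"{codename}: bad major-version {major!r}")
        if support not in KNOWN_SUPPORT:
            raise ValueError(f"{codename}: unknown support value {support!r}")
        if major in result:
            raise ValueError(f"{codename}: duplicate major-version {major}")
        result[major] = (codename, support)
    return result


def responsible_team(version, support_map):
    """Return 'security' or 'lts' for a security-update version, else None."""
    match = DEB_SUFFIX.search(version)
    if match is None:
        return None  # not a stable/LTS security upload: nobody extra to notify
    codename_support = support_map.get(match.group(1))
    if codename_support is None or codename_support[1] == "none":
        return None  # unknown release, or one without security support yet
    return codename_support[1]
```

Returning `None` for unknown or unsupported releases keeps the client from mailing a team list when the file is out of date.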

