
Re: reportbug: please inform security and lts teams about security update regressions



Hi,
On Sun, Dec 10, 2017 at 01:35:43PM +0100, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Sun, Dec 10, 2017 at 12:59:05PM +0100, Guido Günther wrote:
> > Hi,
> > On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote:
> > > Hi
> > > 
> > > On Sun, Dec 10, 2017 at 10:00:55AM +0100, Salvatore Bonaccorso wrote:
> > > > Hi
> > > > 
> > > > Cc'ing explicitly Guido and Raphael, who commented before.
> > > > 
> > > > On Sat, Dec 09, 2017 at 03:25:14PM +0100, Markus Koschany wrote:
> > > > > Hi,
> > > > > 
> > > > > I have updated my patch for reportbug. Now emails are sent only to one
> > > > > of the team mailing lists based on the release number in the version
> > > > > string. There is apparently no simple way to determine the relationship
> > > > > between release number, code name, suite and whether this is a LTS
> > > > > release. So we came up with a simple json file which provides this kind
> > > > > of information and can be adjusted as time goes by. We think that
> > > > > security-tracker.debian.org would be a good place for this file but I'd
> > > > > appreciate it if someone from the security team told us the exact location.
> > > > > 
> > > > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878088#45
> > > > 
> > > > So let me first understand the information you would need from that
> > > > file (here in sort-of-yaml):
> > > > 
> > > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > > > wheezy:
> > > >   major-version: 7
> > > >   support: lts
> > > > jessie:
> > > >   major-version: 8
> > > >   support: security
> > > > stretch:
> > > >   major-version: 9
> > > >   support: security
> > > > buster:
> > > >   major-version: 10
> > > >   support: none
> > > > bullseye:
> > > >   major-version: 11
> > > >   support: none
> > > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > > 
> > > But rather in JSON than YAML. Florian would not recommend using YAML, and
> > > furthermore it's more consistent with the tracker itself.
> > > 
> > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > > {
> > >   "wheezy": {
> > >     "major-version": "7",
> > >     "support": "lts"
> > >   },
> > >   "jessie": {
> > >     "major-version": "8",
> > >     "support": "security"
> > >   },
> > >   "stretch": {
> > >     "major-version": "9",
> > >     "support": "security"
> > >   },
> > >   "buster": {
> > >     "major-version": "10",
> > >     "support": "none"
> > >   },
> > >   "bullseye": {
> > >     "major-version": "11",
> > >     "support": "none"
> > >   }
> > > }
> > > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > > 
> > > and being accessible under https://security-tracker.debian.org/tracker/distributions.json
> > 
> > That makes a lot of sense! (I used YAML in the example for readability,
> > output of the tracker should be JSON). The main reason why I'd prefer
> > the tracker is that we can update the file ourselves when switching
> > releases.
> 
> Yes I can understand why you prefer the security-tracker itself. My
> concern was (and still is in the back of my head), we add more mappings. But
> with the above, we do not need to take care of stable->oldstable, etc ...
> just add the who-is-supporting field.
> 
> A version of the above is live on the security-tracker, but I have not
> yet committed the changes. I would first like to know: are you happy
> with the 'major-version' nomenclature, otherwise we could change it to
> 'version'. 'support' should maybe be 'support-by'?

Looks good to me.
Cheers,
 -- Guido
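
The lookup discussed in this thread, as an added example that is not part of the original message or of reportbug: it takes the release number from a package version string and uses the JSON proposed above to decide whether the security or the LTS team supports that release. The `+debNuM` / `~debNuM` version suffix convention, the sample version strings and all function names are assumptions of this example.

```python
import json
import re

# Constructed copy of the JSON proposed in the thread.
DISTRIBUTIONS_JSON = """
{
  "wheezy":   {"major-version": "7",  "support": "lts"},
  "jessie":   {"major-version": "8",  "support": "security"},
  "stretch":  {"major-version": "9",  "support": "security"},
  "buster":   {"major-version": "10", "support": "none"},
  "bullseye": {"major-version": "11", "support": "none"}
}
"""
DISTRIBUTIONS = json.loads(DISTRIBUTIONS_JSON)

# Assumption: updates to a released suite carry a "+debNuM" or "~debNuM"
# suffix, where N is the major release number (e.g. 1.0.1t-1+deb8u7).
RELEASE_RE = re.compile(r"[+~]deb(\d+)u\d+")


def release_number(version):
    """Return the major release number embedded in a version, or None."""
    matches = RELEASE_RE.findall(version)
    # Use the last match so a trailing binNMU suffix (+b1) does not matter.
    return matches[-1] if matches else None


def supporting_team(version, distributions=DISTRIBUTIONS):
    """Return (codename, support) for a version, or None if no team applies.

    None covers three cases: no release number in the version, a release
    number missing from the file, and a release with "support": "none".
    """
    major = release_number(version)
    if major is None:
        return None
    for codename, info in distributions.items():
        # "major-version" is a string in the proposed file; compare as strings.
        if info.get("major-version") == major:
            support = info.get("support")
            return (codename, support) if support in ("security", "lts") else None
    return None


if __name__ == "__main__":
    # Constructed sample version strings.
    for v in ("1.0.1t-1+deb8u7", "2.7.3-6+deb7u4", "1.2-3", "1.2-3+deb10u1"):
        print(v, "->", supporting_team(v))
```
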

