
Usage of gen-DSA/DLA/ELA



Hi all

Summary:
Should gen-DSA/DLA/ELA allow the version to be empty/undefined?

Details:
I'm working on improving the gen-DSA/DLA/ELA tool. It is the same tool; it just has slightly different functionality depending on the name. It is the same source code.
The improvement is to check that the CVEs mentioned in the DSA/DLA/ELA are related to the same software. This is to avoid accidental updates of the wrong CVE due to a simple misspelling of the CVE.

What I would like to know is whether there is ever a use case to generate a DSA/DLA/ELA when the version of the software is unspecified.

When you issue gen-DSA/DLA/ELA with a .changes file then the version is fetched from there. In that case there will always be a version set.

However, if you do not provide a .changes file then you are prompted for a version, but that only happens if you have the --save option. If you do not provide the --save option, or if you leave the version question field blank, the version will not be used.

My question to you all is whether we should allow this or if we should print a warning/error message in this case.

Or do you think there is a use case where it should be possible to leave the version field blank?
If so, when?

I'm asking since this has an impact on how the implemented code should be.

For more info about the work see here:
https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/190#note_522690

Cheers

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

