Bug#761061: tracker doesnt show closed issues as done

To: 761061@bugs.debian.org
Subject: Bug#761061: tracker doesnt show closed issues as done
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 10 Sep 2014 17:01:43 +0200
Message-id: <[🔎] 20140910150143.GA8592@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 761061@bugs.debian.org
In-reply-to: <[🔎] 201409101406.03227.holger@layer-acht.org>
References: <[🔎] 201409101406.03227.holger@layer-acht.org>

Hi,

On Wed, Sep 10, 2014 at 02:06:01PM +0200, Holger Levsen wrote:
> package: security-tracker
> severity: important
> x-debbugs-cc: debian-lts@lists.debian.org
> 
> Hi,
> 
> the tracker doesnt show issues which are "only" closed in the security or lts 
> subreleases as closed, as for example can be seen on https://security-
> tracker.debian.org/tracker/source-package/file
> 
> eg https://security-tracker.debian.org/tracker/CVE-2014-3478 is closed in both 
> wheezy-security as well as squeeze-lts, yet the /tracker/source-package/file 
> lists it as open.
>
> (There pages like https://security-tracker.debian.org/tracker/CVE-2014-3478 
> also are less clean, but at least they contain the right info visibly, just a 
> bit scrambled.)
> 
> I believe the bug is in getBugsForSourcePackage() in lib/python/security_db.py 
> but I couldn't yet wrap my head around it properly to fix it. 
> 
> There seem to be several functions (in security_db.py) which only deal with 
> the releases (sid, jessie, wheezy, squeeze) but not the subreleases (security, 
> lts).

The tabular view clearly would need some improvement and making clear
where the fix is already, e.g. wheezy-security but not yet wheezy. I
try to explain. The version tracked on the individual CVE pages is
*correct* from the following point of view:  A fix is in wheezy-security
already, but not yet accepted into the wheezy suite. This happen, when
the release team accepts an upload through security, which get
uploaded to wheezy-proposed-updates-NEW to be intregrated into an
upcoming poing release[*]. It is not enough from stable point of view
for having the fix available in stable to have it only on
wheezy-security -- it also needs to be included into a wheezy point
release.

Thus for example taking CVE-2014-3478 we have:

squeeze, squeeze (security) 5.04-5+squeeze5 vulnerable
squeeze (lts)               5.04-5+squeeze6 fixed
wheezy                      5.11-2+deb7u3   vulnerable
wheezy (security)           5.11-2+deb7u4   fixed
jessie, sid                 1:5.19-2        fixed

One issue is: with -lts this will never happen that packages will be
integrated into squeeze,  as there will be no pint releases including
the -lts fixes into squeeze.

 [*] As an example were this does not happen currently is openjdk-7.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#761061: tracker doesnt show closed issues as done
  - From: Holger Levsen <holger@layer-acht.org>

References:
- Bug#761061: tracker doesnt show closed issues as done
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Processed: retitle
Next by Date: Bug#761061: tracker doesnt show closed issues as done
Previous by thread: Bug#761061: tracker doesnt show closed issues as done
Next by thread: Bug#761061: tracker doesnt show closed issues as done
Index(es):
- Date
- Thread