
Bug#784214: marked as done (make sure regression updates are documented)



Your message dated Mon, 4 May 2015 14:49:27 +0200
with message-id <201505041449.43255.holger@layer-acht.org>
and subject line Re: Bug#784214: allow manual override for the regression DLA/DSA Id
has caused the Debian Bug report #784214,
regarding make sure regression updates are documented
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
784214: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784214
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: wishlist
Tags: patch

Hi,

attached is a patch that adds manual DLA/DSA id override support if an
upload tackles a regression already announced via an earlier DSA/DLA.

Current use case / example:

  xorg-server <ver>+deb6u1 (DLA-120-1) fixed CVE-2014-8092
  xorg-server <ver>+deb6u2 (DLA-218-1) fixed some other CVE (irrelevant here)
  xorg-server <ver>+deb6u3 (DLA-120-2) fixes CVE-2015-3418 (regression of
                           fix for CVE-2014-8092)

At the moment: when using bin/gen-DLA like this:

  $ bin/gen-DLA  --save xorg-server regression CVE-2015-3418

.... the script will create a follow-DLA for 218-1 (i.e., 218-2). Whereas
the correct/wanted DLA id would be 120-2.

The attached patch allows one to specify the DLA id to follow up on with
the "regression" keyword. Thus, with the patch applied, I can do this:

  $ bin/gen-DLA  --save xorg-server regression:120-1 CVE-2015-3418

.... which then will provide me with a DLA-120-2 mail template and put
the prepared upload of my xorg-server package into data/DLA/list.

What could be added:

  o check if the manually specified override exists and is for the same package

light+love,
Mike


-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Index: bin/gen-DSA
===================================================================
--- bin/gen-DSA	(revision 34054)
+++ bin/gen-DSA	(working copy)
@@ -157,8 +157,12 @@
 shift
 
 TYPE=security
-if [ regression = "$1" ]; then
+REGRESSION_DAID=
+if printf '%s' "$1" | grep -Eq '^regression(|:[0-9]+(-[0-9]+|))$'; then
     TYPE=regression
+    if printf '%s' "$1" | grep -Eq '^regression:([0-9]+(-[0-9]+|))$'; then
+	REGRESSION_DAID=$(printf '%s' "$1" | sed -r 's/^regression:([0-9]+(-[0-9]+|))/\1/')
+    fi
     shift
 fi
 
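Review bot: the pattern on the added `if` line makes the revision part optional (`(-[0-9]+|)`), so `regression:120` is accepted and stored in REGRESSION_DAID without a revision, although the stated use is to name a full id such as 120-1. Consider requiring `-[0-9]+` after the number. Separately, an argument such as `regression:foo` matches neither grep, so TYPE stays `security` and the argument is not shifted; an explicit error for a malformed `regression:` argument would be safer than falling through. The inner grep also repeats the outer test and the sed expression lacks the trailing `$`; a single `case "$1"` with `${1#regression:}` would do the same with less to get wrong.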
@@ -235,7 +239,11 @@
 
 if [ -z "$DAID" ]; then
     if [ "$TYPE" = regression ]; then
-	latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-[0-9]+'" $PACKAGE "'/{s/^.+'"$IDMODE"'-[0]*([0-9-]+).*$/\1/;p;q}' data/$IDMODE/list)"
+	if [ -z "$REGRESSION_DAID" ]; then
+		latest_daid="$(sed -nr '/'"$IDMODE"'-[0-9]+-[0-9]+'" $PACKAGE "'/{s/^.+'"$IDMODE"'-[0]*([0-9-]+).*$/\1/;p;q}' data/$IDMODE/list)"
+	else
+		latest_daid="$REGRESSION_DAID"
+	fi
 	revision=${latest_daid#*-}
 	daid=${latest_daid%-*}
     else
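Review bot: in the new `else` branch, REGRESSION_DAID is copied into latest_daid without being checked against data/$IDMODE/list, so an id that does not exist or that belongs to a different package is accepted (the submitter lists this as a possible addition). Two further differences from the sed branch: the sed expression strips leading zeros via `[0]*` while the override is used verbatim, and if the override has no `-` then both `${latest_daid#*-}` and `${latest_daid%-*}` return the whole string, so revision and daid end up with the same value. Suggest validating the override against the list for $PACKAGE before the assignment and rejecting anything that is not number-revision.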

--- End Message ---
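
The check listed under "What could be added" in the message above, as an added example that is not part of the patch or of the security-tracker code: it resolves the follow-up id and rejects an override that is malformed or not an advisory of the same package. The function names, the return codes and the sample list are assumptions; the list line format is inferred from the sed pattern in the patch.

```shell
#!/bin/sh
# Added example, not the tracker's code. Assumed list line format (inferred
# from the sed pattern in the patch): "... DLA-<number>-<revision> <package> ...",
# newest entry first.

# Constructed sample list mirroring the xorg-server case from the report.
sample_list() {
    cat <<'EOF'
[constructed date] DLA-218-1 xorg-server - security update
[constructed date] DLA-120-1 xorg-server - security update
[constructed date] DLA-119-1 otherpkg - security update
EOF
}

# list_ids IDMODE PACKAGE: read a list on stdin, print "<number>-<revision>"
# for each advisory of PACKAGE (exact field match, leading zeros stripped).
list_ids() {
    awk -v m="$1" -v p="$2" '{
        for (i = 1; i < NF; i++)
            if ($i ~ ("^" m "-[0-9]+-[0-9]+$") && $(i + 1) == p) {
                id = substr($i, length(m) + 2); sub(/^0+/, "", id); print id
            }
    }'
}

# next_regression_id IDMODE PACKAGE KEYWORD: list on stdin; KEYWORD is
# "regression" or "regression:<number>-<revision>". Prints the follow-up id.
# Returns 2 on bad syntax, 3 if the override is not an advisory of PACKAGE,
# 4 if PACKAGE has no advisory at all.
next_regression_id() {
    ids=$(list_ids "$1" "$2")
    case $3 in
        regression)
            base=$(printf '%s\n' "$ids" | head -n 1)
            [ -n "$base" ] || return 4 ;;
        regression:*)
            base=${3#regression:}
            printf '%s\n' "$base" | grep -Eq '^[1-9][0-9]*-[1-9][0-9]*$' || return 2
            printf '%s\n' "$ids" | grep -Fxq -- "$base" || return 3 ;;
        *) return 2 ;;
    esac
    printf '%s-%s\n' "${base%-*}" "$(( ${base#*-} + 1 ))"
}

sample_list | next_regression_id DLA xorg-server regression:120-1   # prints 120-2
```
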
--- Begin Message ---
Hi Mike,

On Monday, 4 May 2015, Mike Gabriel wrote:
> Done that for the LTS team:
> https://wiki.debian.org/LTS/Development?action=diff&rev1=84&rev2=85

Thanks.
 
> Anywhere else?

I don't think so, this is rather clear:

$ ./bin/gen-DLA 
usage: ./bin/gen-DLA [--save] [--embargoed|--unembargo] [DLA] package 
[regression] [cve(s) [bugnumber(s)]]
       'DLA' is the DLA number, required when issuing a revision

(same for gen-DSA)


Thus closing, thanks.


cheers,
	Holger



--- End Message ---
