
Re: Processed: reassign



On Fri, Jan 25, 2008 at 04:34:21PM +0100, Thijs Kinkhorst wrote:
> On Thu, January 24, 2008 23:56, Moritz Muehlenhoff wrote:
> > The solution would be a script, which is subscribed to d-s-a, transforms
> > the advisory mails and auto-commits them. If a transformation error is
> > detected, a note can be sent to debian-www@l.d.o and fixed manually.
> 
> We are going to change the format of the mails anyway when Sarge is EOL,
> which happens in 10 weeks: at that point we can drop the MD5 sums from the
> emails, making it also unnecessary for the web version to link to the
> mailinglist mail as we have to do now.

I don't think the md5sums should be dropped for d-s-a, but we could 
drop the download instructions, since apt does a better job now:

| wget url
|         will fetch the file for you
| dpkg -i file.deb
|         will install the referenced file.

The web version could still drop the md5sums away, though.
 
> Would it be an idea to implement the changes at that time? The format
> changes anyway, so it seems like a good time to implement a good parsing
> script. I'm willing to do that and make it autocommit things if they can
> be correctly parsed.

Thanks, that would be nice.
 
> A whole different strategy would be to base ourselves on the tracker,
> however, that doesn't currently have all relevant information (most
> prominently the freeform description of the vulnerability). On the other
> hand the tracker has all other relevant info (package name, "subject"
> description of problem, versions for different suites, CVE-ids) in a
> structured form. We could turn it around and make the website source its
> information there, and find a way to add things that are currently missing
> to the tracker. One can imagine this setup:
> * The list on the front page is just as it is now, and generated from the
> tracker;
> * The per-item page is also generated from the tracker and includes CVE
> id's, fixed versions and an auto-generated link to the mailinglist
> archives with the full text of the DSA.
> This would make the web versions more "basic" but with the key data, and
> those looking for more detail can be referred to the archived mail.

That could be done at some later point, but involves much more work.

For now I'd like to see the http://www.debian.org/security/nonvulns-sarge
and http://www.debian.org/security/nonvulns-etch URLs replaced by the
tracker. Maintaining these two is a duplication of work and they are 
likely less correct than the Security Tracker. Thanks to whoever maintains
these, but they should get in touch with debian-security-tracker@lists.debian.org
and merge the efforts.

Cheers,
        Moritz


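The mail-transforming script proposed in this thread, sketched as an added example in Python. This is not Debian's own tooling and not code from anyone on the thread. The advisory it parses is a constructed placeholder that only approximates the DSA layout of the time (Package / CVE Id(s) headers, per-suite "fixed in version" sentences, the wget/dpkg download instructions, and "Size/MD5 checksum" lines); DSA 0000-1, examplepkg and CVE-0000-000x are made-up identifiers. A mail that does not yield the fields the website needs produces a "notify" result instead of a record, which is the manual-fixup path described above, rather than a half-parsed commit. The md5sum check is included because that is what the mails carried; MD5 is not collision-resistant, and package integrity at install time rests on apt's signed archive metadata, not on a hash copied out of an e-mail.

```python
"""Turn a DSA-style advisory mail into a structured record, or flag it for
manual handling.  Added example; not Debian's script.  The sample mail and all
identifiers in it are constructed placeholders."""
import hashlib
import re

# Constructed sample in the rough shape of a 2008-era DSA mail (not a real DSA).
SAMPLE_MAIL = """\
Subject: [SECURITY] [DSA 0000-1] New examplepkg packages fix buffer overflow

Package        : examplepkg
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-0000-0000 CVE-0000-0001

A buffer overflow was discovered in examplepkg (placeholder text).

For the old stable distribution (sarge), this problem has been fixed in
version 1.0.0-2sarge3.

For the stable distribution (etch), this problem has been fixed in
version 1.2.3-4etch1.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian 4.0 (etch)
-----------------

  http://security.debian.org/pool/updates/main/e/examplepkg/examplepkg_1.2.3-4etch1.dsc
    Size/MD5 checksum:      642 0123456789abcdef0123456789abcdef
  http://security.debian.org/pool/updates/main/e/examplepkg/examplepkg_1.2.3-4etch1_all.deb
    Size/MD5 checksum:        5 5d41402abc4b2a76b9719d911017c592
"""


class AdvisoryParseError(ValueError):
    """Raised when the mail does not yield the fields the web page needs."""


DSA_RE = re.compile(r"\[DSA (\d+-\d+)\]")
HEADER_RE = re.compile(
    r"^(Package|Vulnerability|Problem type|Debian-specific|CVE Id\(s\))\s*:\s*(.*)$", re.M)
# "For the [old ]stable distribution (suite), ... fixed in\nversion X."
FIXED_RE = re.compile(
    r"For the (?:old )?stable distribution \((\w+)\),.*?fixed in\s+version\s+(\S+)\.", re.S)
# A URL line followed by its Size/MD5 checksum line.
MD5_RE = re.compile(r"^\s+(\S+)\n\s+Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})$", re.M)


def parse_advisory(text):
    """Return the structured data the website needs, or raise AdvisoryParseError."""
    dsa = DSA_RE.search(text)
    if not dsa:
        raise AdvisoryParseError("no DSA id in Subject")
    headers = dict(HEADER_RE.findall(text))
    for required in ("Package", "CVE Id(s)"):
        if required not in headers:
            raise AdvisoryParseError("missing header %r" % required)
    fixed = {suite: version for suite, version in FIXED_RE.findall(text)}
    if not fixed:
        raise AdvisoryParseError("no fixed versions found")
    files = [{"url": url, "size": int(size), "md5": digest}
             for url, size, digest in MD5_RE.findall(text)]
    return {"dsa": dsa.group(1), "package": headers["Package"],
            "cves": headers["CVE Id(s)"].split(), "fixed": fixed, "files": files}


def verify_file(entry, data):
    """Compare a fetched file's length and MD5 with one advisory entry.

    MD5 is what the mails carried; it is not collision-resistant and this check
    is no substitute for apt's signed archive metadata."""
    return len(data) == entry["size"] and hashlib.md5(data).hexdigest() == entry["md5"]


def process_mail(text):
    """('commit', record) on a clean parse, ('notify', reason) for the manual path."""
    try:
        return ("commit", parse_advisory(text))
    except AdvisoryParseError as exc:
        return ("notify", str(exc))


if __name__ == "__main__":
    action, payload = process_mail(SAMPLE_MAIL)
    print(action, payload)
```

The per-suite version sentences and the checksum lines are the two parts most likely to drift in wording, so a real script would grow its regexes from the archive of past mails and still route anything unmatched to the notify path; the record returned here already holds the fields the thread lists as needed on the web page (package, CVE ids, fixed versions per suite).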