[Secure-testing-team] bts usertags for CVE ids

Joey Hess joeyh at debian.org
Thu Oct 20 01:27:23 UTC 2005


In honor of CAN to CVE switchover day, I've written a program that will
notice changes in the testing security team's database of security
issues, and use this to set/unset usertags (with
debian-security@lists.debian.org as the "user") in the BTS. So for any
CVE that we record as having a bug report, that bug report will be
automatically usertagged with the CVE id.

The program has imported all our existing (unfortunately not complete for the
whole history of the team) information about security bugs, so 520 bugs
already have CVE usertags now. You can see some of them here:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security@lists.debian.org

(Or anywhere else in the BTS by adding 
 ";users=debian-security@lists.debian.org" to the end of a URL.)

The program also adds another tag, "tracked" for all bugs that have an
entry in our list. This is to help in finding bugs that we're not
tracking. Here for example is a view into the BTS of security bugs
categorised[1] based on whether or not they are currently tracked
by the testing security team:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security@lists.debian.org;ordering=tracked

Any changes should be reflected in the BTS within half an hour of the
commit to our repository. Of course anyone can also add (or remove) CVE
id usertags to bugs on their own if they want to.

-- 
see shy jo

[1] Using the following usercategory definition, if you're curious:

user debian-security@lists.debian.org

usercategory is-tracked [hidden]
  * Tracked or not [tag=]
    + tracked [tracked]
    + untracked []

usercategory tracked
  * is-tracked
  * status
  * severity
  * category
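
The sync described in the message above, sketched as an added example (not the program the post announces): it diffs two snapshots of a CVE-to-bug mapping and emits the `user`/`usertags` lines for the BTS control interface, rejecting malformed ids so tracker data cannot smuggle extra commands into the control mail. The snapshot layout, the ids, the bug numbers and the use of the CVE id verbatim as the tag name are assumptions.

```python
import re

USER = "debian-security@lists.debian.org"  # the usertag "user" named in the post
TRACKED = "tracked"                        # the extra tag named in the post
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def tags_by_bug(snapshot):
    """Map bug number -> usertags implied by a {cve_id: [bug, ...]} snapshot."""
    tags = {}
    for cve_id, bugs in snapshot.items():
        # Values end up in a control message: accept only well-formed ids.
        if not CVE_RE.fullmatch(cve_id):
            raise ValueError(f"malformed CVE id: {cve_id!r}")
        for bug in bugs:
            if not isinstance(bug, int) or bug <= 0:
                raise ValueError(f"malformed bug number: {bug!r}")
            # Assumption: the CVE id is used verbatim as the tag name.
            tags.setdefault(bug, {TRACKED}).add(cve_id)
    return tags


def control_commands(old, new):
    """Return the control lines that move the BTS usertags from old to new."""
    before, after = tags_by_bug(old), tags_by_bug(new)
    lines = []
    for bug in sorted(before.keys() | after.keys()):
        had, want = before.get(bug, set()), after.get(bug, set())
        added, removed = sorted(want - had), sorted(had - want)
        if added:
            lines.append(f"usertags {bug} + {' '.join(added)}")
        if removed:
            # "tracked" is dropped only when the bug has no entry left at all.
            lines.append(f"usertags {bug} - {' '.join(removed)}")
    if lines:
        lines = [f"user {USER}"] + lines + ["thanks"]
    return lines


# Constructed sample data (placeholder ids and bug numbers, not real records).
OLD = {"CVE-0000-0001": [100001], "CVE-0000-0002": [100002]}
NEW = {"CVE-0000-0001": [100001, 100003], "CVE-0000-0003": [100001]}

if __name__ == "__main__":
    print("\n".join(control_commands(OLD, NEW)))
```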