[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

Guido Günther agx at sigxcpu.org
Fri Dec 1 08:28:26 UTC 2017


Hi Markus,
On Thu, Nov 30, 2017 at 06:38:27PM +0100, Markus Koschany wrote:
> On Wed, 29 Nov 2017 22:49:55 +0100 Guido Günther
> <agx at sigxcpu.org> wrote:
> [...]
> > Can't we deduce if it's LTS from either the packages version number or from
> > /etc/debian_version. Once we have the code name or number we could do a
> > simple HTTP call to check if this is stable, oldstable or lts.
> > 
> > I don't know of a page that exposes this information in JSON or similar
> > but if we don't have it we could add another page to the security
> > tracker like:
> > 
> > GET /tracker/data/releases
> > 
> > { 'stretch': 'stable',
> >   'jessie':  'oldstable',
> >   'wheezy':  'lts'
> > }
> > 
> > We then wouldn't be dependent on the string parsing in the changelog.
> 
> Hi Guido,
> 
> yes, in general that should be possible. Parsing /etc/debian_version
> might be dangerous though because it is well possible that someone
> reports a Wheezy bug from a development system running Sid or his
> workstation running stable. This might lead to wrong information.
> 
> Don't we already have the UDD database which tracks all package
> information in a convenient manner? It should be possible to look up the
> version number and query the corresponding distribution/release code
> name. Looking at [1] I can find at least a releases table. If we create
> another table like your JSON idea it should be possible to match code
> name and suite. I don't know if this information is already present in
> UDD or if we have to create it first. We would need to import psycopg2
> for database connections and thus a dependency on python3-psycopg2.
> 
> Perhaps it might even make more sense to add this feature to
> python3-debianbts, which is already a dependency of python3-reportbug,
> or more precisely the BTS itself. Perhaps it's already there and I just
> don't know it.

I would rather not make psql connections from reportbug. http is
ubiquitous and can be proxied. That's why I mentioned the security
tracker. The nice thing about the security tracker is that we can change
what's stable, oldstable or lts without involving anybody else.

Cheers,
 -- Guido
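The lookup sketched in this thread, written out as an added example (not reportbug code): deduce the codename from the package version's `+debNuM` suffix rather than from `/etc/debian_version`, so a wheezy bug filed from a sid box is still attributed to wheezy, then map codename to suite via the proposed `/tracker/data/releases` JSON. The endpoint is only a proposal, so the HTTP fetch is injected and the sample response is constructed; the release-number-to-codename table is an assumption, not something the thread lists.

```python
import json
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of what the proposed endpoint could return; the thread
# sketches this mapping, the endpoint itself does not exist.
SAMPLE_RELEASES_JSON = '{"stretch": "stable", "jessie": "oldstable", "wheezy": "lts"}'
RELEASES_URL = "https://security-tracker.debian.org/tracker/data/releases"  # proposed path

# Assumed table: Debian release number (as used in the +debNuM suffix) -> codename.
RELEASE_NUMBER_TO_CODENAME = {"7": "wheezy", "8": "jessie", "9": "stretch"}

# Stable/security updates carry a "+debNuM" suffix, e.g. 1.2-3+deb8u1.
_DEB_SUFFIX = re.compile(r"\+deb(?P<num>\d+)u\d+")


def codename_from_version(version: str) -> Optional[str]:
    """Return the codename implied by the version suffix, or None if there is none."""
    m = _DEB_SUFFIX.search(version)
    if not m:
        return None
    return RELEASE_NUMBER_TO_CODENAME.get(m.group("num"))


def fetch_releases(fetch: Optional[Callable[[str], str]] = None) -> Dict[str, str]:
    """Fetch and validate the codename -> suite mapping.

    `fetch` performs the HTTP GET; by default the constructed sample is used
    so this runs offline. The payload is checked to be a flat str -> str dict
    before anything trusts it.
    """
    if fetch is None:
        fetch = lambda url: SAMPLE_RELEASES_JSON
    data = json.loads(fetch(RELEASES_URL))
    if not isinstance(data, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in data.items()
    ):
        raise ValueError("unexpected releases payload")
    return data


def teams_to_inform(version: str, releases: Dict[str, str]) -> List[str]:
    """Decide which team(s) a regression report for this version concerns."""
    codename = codename_from_version(version)
    suite = releases.get(codename) if codename else None
    if suite == "lts":
        return ["lts"]
    if suite in ("stable", "oldstable"):
        return ["security"]
    return []  # no +debNuM suffix (e.g. a sid upload) or unknown release: nobody extra
```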
