[Reportbug-maint] Bug#878088: Bug#878088: reportbug: please inform security and lts teams about security update regressions

Guido Günther agx at sigxcpu.org
Mon Jan 29 12:43:09 UTC 2018 

Hi,
On Mon, Jan 29, 2018 at 01:29:59PM +0100, Markus Koschany wrote:
> [sorry forgot to CC the rest]
> 
> Hello,
> 
> Am 29.01.2018 um 09:30 schrieb Guido Günther:
> > Hi Markus,
> > thanks for pursuing this! Some minor nitpicks:
> >
> > On Mon, Jan 29, 2018 at 12:11:03AM +0100, Markus Koschany wrote:
> > [..snip..]
> >> +            if utils.is_security_update(package, pkgversion):
> >> +                if ui.yes_no('Do you want to report a regression
> because of a security update? ',
> >> +                             'Yes, please inform the LTS and
> security teams.',
> >> +                             'No or I am not sure.', True):
> >> +                    regex = re.compile('(\+|~)deb(\d+)u(\d+)')
> >> +                    secversion = regex.search(pkgversion)
> >> +                    distnumber = secversion.group(2)
> >> +                    support = 'none'
> >
> > Using
> >
> >    support = None
> >
> > is a bit more pythonic.
> 
> support = None was part of the very first iterations of this patch but
> the string 'none' is used in distributions.json nowadays. I initialize
> the variable with the same value and then I compare the value in our
> support key. None is not equal to 'none' and caused an error when
> Salvatore changed this value in distributions.json.
> 
> >> +                    email_address = []
> >> +                    try:
> >> +                        r =
> requests.get('https://security-tracker.debian.org/tracker/distributions.json',
> >> +                                    timeout=self.options.timeout)
> >
> > This will not catch 404 or similar http status codes. If you don't care
> > about the type of error you can just do …
> >
> >                            r.raise_for_status()
> >
> > … ff you dont handle the error this …
> >
> >> +                        data = r.json()
> >
> > … will fail like:
> >
> [...]
> >
> > … The raise_for_status exception is caught here alreadyx since
> > requests.exceptions.HTTPError is a subclass of
> > requests.exceptions.RequestException):
> [...]
> 
> I thought requests.exceptions.RequestException is the exception base
> class of Python requests and catches all cases? If not, would

Yes, that catch is already correct (just wanted to point this out). The
r.raise_for_status() is the important part to not trip up r.json().
Cheers,
 -- Guido

> 
> except (requests.exceptions.RequestException,
> requests.exceptions.HTTPError):
> 
> suffice?
> 
> > It would also improve readability if this whole code block moved into
> a get_security_contact()
> > function.
> 
> Maybe.
> 
> Markus
> 
> 
> 
>

More information about the Reportbug-maint mailing list