[Reportbug-commits] [SCM] Reportbug - reports bugs in the Debian distribution branch, master, updated. 4.9-93-g0e62e8e

Sandro Tosi morph at debian.org
Sat Apr 10 07:03:28 UTC 2010


The following commit has been merged in the master branch:
commit 0e62e8e3a8924751ce857d6f66122afa05c9ca96
Author: Sandro Tosi <morph at debian.org>
Date:   Sat Apr 10 09:02:28 2010 +0200

    in case of a bug for an undisclosed vulnerability (tagged 'security'), report it to the private Security Team mailing list instead of to the public BTS (to coordinate the release of the fix); thanks to Chris Lawrence for the report and to the Sec Team for review; Closes: #474187

diff --git a/bin/reportbug b/bin/reportbug
index 09ea1da..a11bd7a 100755
--- a/bin/reportbug
+++ b/bin/reportbug
@@ -1914,6 +1914,13 @@ For more details, please see: http://www.debian.org/devel/wnpp/''')
         else:
             tags = ''
 
+        if 'security' in taglist:
+            if ui.yes_no(
+                'Are you reporting an undisclosed vulnerability? If so, in order to responsibly disclose the issue, it should not be sent to the public BTS right now, but instead to the private Security Team mailing list.',
+                'Yes, it is an undisclosed vulnerability, send this report to the private Security Team mailing list and not to the BTS.',
+                'No, it is already a publicly disclosed vulnerability, send this report to the BTS.', False):
+                sendto = 'team at security.debian.org'
+
         # Execute bug script
         if self.options.bugscript and bugexec and not self.options.kudos:
             if os.path.exists('handle_bugscript'):
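Review bot: The added `if 'security' in taglist:` check does not test `bts`, while the CC logic later in this file is guarded by `bts == 'debian'`. As written, a security-tagged report aimed at a non-Debian BTS would also get the prompt and could be redirected to the Debian Security Team address. Suggest `if bts == 'debian' and 'security' in taglist:`. A short comment saying what the trailing `False` passed to `ui.yes_no` selects would also help: if it is the default answer, it decides whether an undisclosed report goes to the public BTS when the user accepts the default.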
@@ -1946,7 +1953,7 @@ For more details, please see: http://www.debian.org/devel/wnpp/''')
             elif addinfo:
                 incfiles = addinfo
 
-        if bts == 'debian' and 'security' in taglist:
+        if bts == 'debian' and 'security' in taglist and sendto != 'team at security.debian.org':
             ewrite('Will send a CC of this report to the Debian Security and Testing Security Team.\n')
             listcc += ['Debian Security Team <team at security.debian.org>']
             listcc += ['Debian Testing Security Team <secure-testing-team at lists.alioth.debian.org>']
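Review bot: The condition `sendto != 'team at security.debian.org'` repeats the address literal assigned in the earlier hunk, so the "private report" state is tracked by string comparison. A typo or a later address change in only one of the two places would silently re-enable the CC to both lists for an undisclosed issue. Suggest a module-level constant for the address, or a boolean set next to the `sendto` assignment and tested here. Since `listcc` is only appended to at this point, it is also worth confirming that no other recipients already in `listcc` receive a copy when the report is redirected.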
diff --git a/debian/changelog b/debian/changelog
index 1334995..adc34fb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,10 @@ reportbug (4.12) UNRELEASED; urgency=low
       adding a note in the Justification pseudo-header if the package was built
       successfully in the past; thanks to Alexander Schmehl for the report;
       Closes: #390466
+    - in case of a bug for an undisclosed vulnerability (tagged 'security'),
+      report it to the private Security Team mailing list instead of to the
+      public BTS (to coordinate the release of the fix); thanks to Chris
+      Lawrence for the report and to the Sec Team for review; Closes: #474187
   * reportbug/submit.py
     - clarify that in case no acknowledge is received, then there was an error;
       thanks to mpapet for the report; Closes: #575418
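Review bot: The new changelog entry does not mention that the redirect happens only after the user confirms at a prompt, nor that the CC to the Security and Testing Security teams is skipped in that case. One extra clause covering both would let readers of the changelog know what changed for security-tagged reports without opening the diff.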
@@ -63,7 +67,7 @@ reportbug (4.12) UNRELEASED; urgency=low
       script to remove that notice); thanks to Chris Walker for the report;
       Closes: #488414
 
- -- Sandro Tosi <morph at debian.org>  Tue, 06 Apr 2010 23:44:58 +0200
+ -- Sandro Tosi <morph at debian.org>  Sat, 10 Apr 2010 08:59:38 +0200
 
 reportbug (4.11) unstable; urgency=low
 

-- 
Reportbug - reports bugs in the Debian distribution