[Reportbug-maint] Bug#783400: reportbug: include package taint information in reportbug reports

Sandro Tosi morph at debian.org
Mon May 4 00:00:57 UTC 2015


On Sun, May 3, 2015 at 6:49 PM, Michael Gilbert <mgilbert at debian.org> wrote:
> On Sat, May 2, 2015 at 1:14 PM, Sandro Tosi wrote:
>>> and/or non-debian sources.list in reportbug
>>> reports generated on such systems.
>>
>> how does a non-debian entry in sources.list look like? with debian
>> mirrors and internal/organizational mirrors, the chance of false
>> positive/negative is very high.
>
> It could be a matter of looking for packages that aren't in a Packages
> file with a correct checksum specified by an InRelease file signed by
> one of the Debian Archive Signing keys (using files cached in
> /var/lib/apt/lists).  If the cache is missing or there is something
> wrong, could state that in the report instead.

A package could be only in the local cache, because superseded by a
newer version, so it won't be in the Packages and thus the check will
report a false positive. It seems very fragile. Also, this seems like a
very corner case (a package maintained both inside and outside Debian,
with a clear "communication breakdown" between the 2 parties), so
either Debian provides a way to retrieve the information if a package
is coming from a Debian archive or not, or I'm not inclined to introduce
another heuristic in reportbug.

Regards,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
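
The check proposed in the quoted message and the false positive described in the reply, as an added example that is not part of the original thread or of reportbug. It assumes the Packages index text was already verified against a signed InRelease file, that the second input is in dpkg status format, and all package names and versions are constructed.

```python
# Constructed sample data (not real archive contents).
PACKAGES_INDEX = """\
Package: reportbug
Version: 6.6.3

Package: libfoo1
Version: 2.1-1
"""
DPKG_STATUS = """\
Package: reportbug
Status: install ok installed
Version: 6.6.3

Package: libfoo1
Status: install ok installed
Version: 2.0-3

Package: vendor-tool
Status: install ok installed
Version: 1.0

Package: oldpkg
Status: deinstall ok config-files
Version: 0.9-1
"""

def parse_stanzas(text):
    """Parse deb822-style text into a list of {field: value} dicts."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l and l[0] != " ")
            for b in text.strip().split("\n\n")]

def classify(status_text, index_text):
    """Map each installed package to how it relates to the cached index."""
    index = {}
    for s in parse_stanzas(index_text):
        index.setdefault(s["Package"], set()).add(s["Version"])
    result = {}
    for s in parse_stanzas(status_text):
        if not s.get("Status", "").endswith(" installed"):
            continue  # removed packages with leftover config are not reported
        versions = index.get(s["Package"])
        if versions is None:
            verdict = "not-in-index"
        else:
            # A mismatch is ambiguous: superseded archive version or foreign rebuild.
            verdict = "in-index" if s["Version"] in versions else "version-not-in-index"
        result[s["Package"]] = verdict
    return result
```

Here `libfoo1` lands in `version-not-in-index` even though it could be an older archive build, which is the ambiguity the reply objects to.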


