[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

Markus Koschany apo at debian.org
Wed Nov 29 19:00:12 UTC 2017


Hi!

On Wed, 29 Nov 2017 00:09:28 +0100 Raphael Geissert
<geissert at debian.org> wrote:
> Hi,
> 
> On 9 October 2017 at 19:47, Markus Koschany <apo at debian.org> wrote:
> [...]
> > If the bug is reported against a package with a version number that
> > indicates a security update like +deb7u1 or ~deb8u3, both team mailing
> > lists should be added to CC after the bug reporter confirms that this
> > is a regression caused by a security update.
> 
> Perhaps reportbug could check the package's changelog to determine
> whether the latest update was a security or LTS one. It could do so by
> looking for the sec team's or LTS' snippet on the latest version.
> 
> Then and only then it could also ask for confirmation, as in: "is the
> bug a recent regression?", and CC the corresponding team. For
> instance, there's no need to CC the security team for regressions by
> LTS updates.

Adding both teams to CC was intentional because a regression might
affect more than one Debian distribution at the same time and sometimes
people just detect it in stable/oldstable/oldoldstable first but the
same bug affects the rest as well. Of course if we communicate such
regressions between both teams, we can change this behavior.

I don't see any mechanism or code in reportbug that deals with parsing
the changelog at the moment which means this idea is rather intrusive.
If we really want to go this route then we have to make sure that those
changelog strings are unambiguous like "Non-maintainer upload by the
security team" or "Non-maintainer upload by the LTS team". External
contributors who are not part of either team also have to adhere to
this naming scheme.

I would prefer this solution. At the moment we check for the version
string and I think that's sufficient for an initial check. The following
actions should be triggered by the user himself by answering specific
questions. What do you think about adding a second question after "Do
you want to report a regression because of a security update?"

Is this regression in Debian's LTS release?

Yes, this bug is in the LTS release. -> only CC the LTS team
No, this bug is not in the LTS release -> CC the security team

What do you think about that? Please also ask the other team members for
their opinion.

Cheers,

Markus
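The two detection ideas discussed in this thread, the version-suffix check that reportbug already does (+deb7u1, ~deb8u3) and Raphael's proposed changelog-snippet check, plus Markus's proposed "is this in the LTS release?" question, as one worked example. This is added illustration code, not reportbug's implementation and not code from either author. It assumes the snippet strings exactly as proposed on the list ("Non-maintainer upload by the security team" / "... by the LTS team", matched case-insensitively), returns team labels rather than any mailing-list address, and the sample changelogs are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# First line of a Debian changelog entry:  package (version) dists; urgency=...
# Multi-line mode so the anchor matches at every entry start; body lines and the
# trailer (" -- name <email>  date") begin with whitespace and therefore do not match.
ENTRY_HEADER = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dists>[^;]+);", re.M)

# Version suffixes used for stable/oldstable updates, e.g. 1.0-1+deb7u1 or 2.3~deb8u3.
# The digit after "deb" is the Debian release number, the one after "u" the update count.
STABLE_UPDATE_SUFFIX = re.compile(r"[+~]deb(?P<release>\d+)u(?P<update>\d+)$")

# Changelog snippets proposed on the list as unambiguous markers (assumption: these
# exact phrases, compared case-insensitively).
TEAM_SNIPPETS = {
    "security": "non-maintainer upload by the security team",
    "lts": "non-maintainer upload by the lts team",
}


class UpdateInfo(NamedTuple):
    version: str
    release: Optional[int]  # Debian release number from +debNuM / ~debNuM, None if absent
    team: Optional[str]     # "security", "lts", or None if no snippet was found


def latest_entry(changelog: str) -> str:
    """Return the text of the most recent (first) changelog entry."""
    headers = list(ENTRY_HEADER.finditer(changelog))
    if not headers:
        raise ValueError("no Debian changelog entry found")
    start = headers[0].start()
    end = headers[1].start() if len(headers) > 1 else len(changelog)
    return changelog[start:end]


def classify(changelog: str) -> UpdateInfo:
    """Combine the version-suffix check with the changelog-snippet check."""
    entry = latest_entry(changelog)
    header = ENTRY_HEADER.match(entry)
    version = header.group("version")
    suffix = STABLE_UPDATE_SUFFIX.search(version)
    release = int(suffix.group("release")) if suffix else None
    body = entry.lower()
    team = next((name for name, snippet in TEAM_SNIPPETS.items() if snippet in body), None)
    return UpdateInfo(version, release, team)


def teams_to_cc(info: UpdateInfo, is_regression: bool, in_lts: Optional[bool] = None) -> List[str]:
    """Decide which team(s) to CC.

    The version suffix is the initial gate; the user must still confirm the
    regression. If the changelog names the uploading team, use that; otherwise
    fall back to the proposed follow-up question ("Is this regression in Debian's
    LTS release?"): yes -> LTS team only, no -> security team.
    """
    if info.release is None or not is_regression:
        return []
    if info.team is not None:
        return [info.team]
    if in_lts is None:
        raise ValueError("answer to the LTS question is required when the changelog does not name a team")
    return ["lts"] if in_lts else ["security"]


# Constructed sample changelogs (not real packages or uploads).
SAMPLE_LTS = """\
foo (1.4.2-3+deb7u2) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Apply upstream patch for the reported crash.

 -- Jane Doe <jane@example.org>  Mon, 02 Oct 2017 10:00:00 +0200

foo (1.4.2-3+deb7u1) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Earlier fix.

 -- John Doe <john@example.org>  Tue, 01 Aug 2017 10:00:00 +0200
"""

SAMPLE_NO_SNIPPET = """\
bar (1.0-2~deb8u3) jessie; urgency=medium

  * Fix regression introduced by the previous update.

 -- Jane Doe <jane@example.org>  Mon, 02 Oct 2017 10:00:00 +0200
"""

SAMPLE_PLAIN = """\
baz (2.0-1) unstable; urgency=low

  * New upstream release.

 -- Jane Doe <jane@example.org>  Mon, 02 Oct 2017 10:00:00 +0200
"""

if __name__ == "__main__":
    for name, text in (("lts", SAMPLE_LTS), ("no-snippet", SAMPLE_NO_SNIPPET), ("plain", SAMPLE_PLAIN)):
        info = classify(text)
        print(name, info, teams_to_cc(info, True, in_lts=False) if info.team is None else teams_to_cc(info, True))
```

Note that only the most recent entry is inspected: an older security NMU further down the changelog (as in the first sample) must not cause a CC for a later, unrelated upload.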

