[Reportbug-maint] Bug#878088: reportbug: please inform security and lts teams about security update regressions

Markus Koschany apo at debian.org
Mon Oct 9 17:47:46 UTC 2017

Package: reportbug
Version: 7.1.7
Severity: wishlist
Tags: patch


the Debian LTS Team and the Debian Security Team would like to propose
a new feature for reportbug.

We discussed this at DebConf 17 during the LTS BoF and shortly on
debian-lts [1] that it would make sense to inform both teams about
regressions introduced by security updates. We usually receive
word from the maintainer or users who report issues directly to
our mailing lists or IRC channels.

However we have also discovered that some regressions were never
reported to us. Hence we propose the following feature for reportbug:

If the bug is reported against a package with a version number that
indicates a security update like +deb7u1 or ~deb8u3, both team mailing
lists should be added to CC after the bug reporter confirms that this
is a regression caused by a security update. The confirmation check is
necessary to prevent too many false positives since similar version
strings are used for regular stable updates. However the default is true
because it is better to receive one e-mail too many as to miss the
regression. Of course this could be changed if it turns out that we
receive too many unwarranted reports.

Please find attached my proposed patch.



[1] https://lists.debian.org/debian-lts/2017/08/msg00034.html
-------------- next part --------------
diff -Nru reportbug-7.1.7/bin/reportbug reportbug-7.1.7+nmu1/bin/reportbug
--- reportbug-7.1.7/bin/reportbug	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+nmu1/bin/reportbug	2017-10-09 01:26:16.000000000 +0200
@@ -1926,6 +1926,22 @@
             listcc += ui.get_multiline(
                 'Enter any additional addresses this report should be sent to; press ENTER after each address.')
+        # If the bug is reported against a package with a version that
+        # indicates a security update add the security and lts teams to CC
+        # after user confirmation
+        is_security_update = False
+        if pkgversion:
+            regex = re.compile('(\+|~)deb\d+u\d+')
+            if regex.search(pkgversion):
+                if ui.yes_no('Do you want to report a regression because of a security update? ',
+                             'Yes, please inform the LTS and security teams.',
+                             'No or I am not sure.', True):
+                    is_security_update = True
+        if is_security_update:
+            email_address = ['debian-lts at lists.debian.org','team at security.debian.org']
+            listcc.extend(email_address)
         if severity and rtype:
             severity = debbugs.convert_severity(severity, rtype)

More information about the Reportbug-maint mailing list