[Reportbug-maint] Bug#878088: Bug#878088: Bug#878088: reportbug: please inform security and lts teams about security update regressions

Sandro Tosi morph at debian.org
Wed Jan 24 00:16:40 UTC 2018


sorry but did you even actually test your patch? this is the CC list:

X-Debbugs-Cc: morph at debian.org, t, e, a, m, @, s, e, c, u, r, i, t, y,
., d, e, b, i, a, n, ., o, r, g

this won't work i guess; just use listcc += as in the rest of the code?

On Tue, Jan 23, 2018 at 3:12 PM, Markus Koschany <apo at debian.org> wrote:
>
>
> On 23.01.2018 at 05:19, Sandro Tosi wrote:
>>> What can we do to get this feature into reportbug?
>>
>> * did you update the patch to include the new contact field in
>> distribution.json and not hardcode the email address?
>
> Done.
>
>> * did you test what happens in offline mode and fix the eventual regression?
>
> I have tested reportbug with
>
> reportbug --offline <package>

the point is that in offline mode, it should *not* use any network
(you know, like if you are offline) and thus default to not copy the
security team and skip the entire branch, something like "if pkgversion and
not options.offline"

>
> and added a try/except block to catch any exceptions that may occur with
> Python Requests (timeouts, network errors, etc.). If we reach this point
> in our code without a network connection, the program will exit because
> we need the information in distributions.json to proceed. Otherwise
> everything else works as expected.

please support the --timeout cli option and fail gracefully if you
can't contact security.d.o (sys.exit if you can't reach it is extremely
rude to users!) by not copying the security team.

>
>> i did a quick check on the number of bugs reported in a week, and over
>> the 600+ bugs filed, less than 30 were for a stable release (either
>> stretch or previous ones); i think you may also clarify that prompt,
>> as i suspect users will get rather confused "how am i supposed to know
>> if this is a security update? i just apt-get upgrade the system and
>> now this package doesn't work" kind of scenario.
>
> I don't know how I can clarify this prompt at the moment. I have added
> it because the security team does not want to be informed of any bug
> report against a package with a stable update or security update. The
> description of the Y/N choice is quite clear. If you are not sure, press
> N. Otherwise just hit the Enter key. Before we can evaluate the
> usefulness of this prompt we need some data from experience.

Did you check Nis' suggestion at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878088#199 to check
apt-cache output (possibly via python3-apt) to see if that version is
coming from the updates stream? since it's on the table and you didn't
comment on it yet, i wanted to point it out.


-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
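The following is an added example, not part of the original message and not reportbug's own code. It reproduces the per-character X-Debbugs-Cc header shown above and sketches the behaviour requested in the review: skip the lookup in offline mode, honour the timeout, and drop the security CC instead of exiting on a network failure. The function names, the `fetch_contact` callable and the sample addresses are assumptions made for illustration.

```python
# Added illustration; all names here are hypothetical, not reportbug's API.

def broken_cc(listcc, contact):
    """Reproduce the header above: list += str appends one item per character."""
    listcc = list(listcc)
    listcc += contact            # a str is iterable: 't', 'e', 'a', 'm', ...
    return listcc


def security_cc(listcc, pkgversion, offline, timeout, fetch_contact):
    """Return a copy of listcc, plus the security contact when it is available.

    fetch_contact(timeout) stands in for the network lookup of the contact
    field. It may raise OSError, which covers socket timeouts and also
    requests' RequestException (a subclass of OSError).
    """
    listcc = list(listcc)
    # Offline mode must not touch the network at all: skip the whole branch.
    if not pkgversion or offline:
        return listcc
    try:
        contact = fetch_contact(timeout)
    except OSError:
        # Fail gracefully: the report is still filed, just without the team CC.
        return listcc
    if contact:
        listcc += [contact]      # wrap in a list so the address stays one item
    return listcc


if __name__ == "__main__":
    # Constructed sample values, not real addresses.
    base = ["submitter@example.org"]

    def reachable(timeout):
        return "security-contact@example.org"

    def unreachable(timeout):
        raise TimeoutError("constructed failure after %ss" % timeout)

    print(", ".join(broken_cc(base, "a@b.org")))
    print(", ".join(security_cc(base, "1.0-1", False, 10, reachable)))
    print(", ".join(security_cc(base, "1.0-1", False, 10, unreachable)))
    print(", ".join(security_cc(base, "1.0-1", True, 10, reachable)))
```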


