#783491 security-tracker: document what needs to be done on releases and other archive changes

#783491#5
Date: 2015-04-27 13:07:34 UTC
package: security-tracker
severity: wishlist

Hi,

3fa31ab2a22a7e6db606899ca3ee6cb45a7884d1 / svnr33868 is the commit showing what
needs to be done on upgrades, specifically these files need to be updated:

Makefile	 	# search for release-names
bin/tracker_data.py	# search for release-names
bin/tracker_service.py	# search for release-names and "-backports"
lib/python/debian_support.py	# search for release-names
lib/python/dist_config.py	# search for release-names
lib/python/security_db.py	# search for release-names

This should be documented in doc/README.releases. (And now that I have this I'm
pondering to just do it and not file this bug... but that's 5 more minutes,
so...)

And also rather obviously, this could (+should) be trimmed down by refactoring
- or a rewrite ;-)


cheers,
	Holger

#783491#10
Date: 2015-04-27 17:38:34 UTC
On Mon, 27 Apr 2015 15:07:34 +0200 Holger Levsen wrote:

[...]

Hi Holger,
I am sorry to ask, but... is this commit supposed to be already live?

I am asking since I still see a tracker situation inconsistent with the
release of jessie.
For instance the testing [1] status page lists, among several other
vulnerabilities:

chromium-browser	CVE-2015-1237	high**	yes	fixed in testing-security

but the corresponding page [2] states that the security issue is fixed
in jessie (security), stretch, and sid.

[1] https://security-tracker.debian.org/tracker/status/release/testing
[2] https://security-tracker.debian.org/tracker/CVE-2015-1237

I am under the impression that the testing [1] status page is still
actually talking about jessie, rather than stretch...

#783491#15
Date: 2015-04-27 17:59:16 UTC
Hi Francesco,

yes it is.

I'd suggest to let this post-release situation resolve itself a bit (eg I also
see inconsistencies on packages.qa.d.o and tracker.d.o), do some jessie
installations or upgrades (+file bugs there if you encounter them), be happy
about the release and look again at the security-tracker in a day or two.


cheers,
	Holger

#783491#20
Date: 2015-05-01 09:20:26 UTC
On Mon, 27 Apr 2015 19:59:16 +0200 Holger Levsen wrote:

[...]

The tracker situation still seems to be broken to me...

#783491#25
Date: 2015-05-04 22:41:17 UTC
On Fri, 1 May 2015 11:20:26 +0200 Francesco Poli wrote:

[...]

Still broken...

#783491#30
Date: 2015-05-05 04:49:32 UTC
Hi

I think two more changes were actually needed to get the testing
status view to show the correct information: r34072 and 34073.

https://security-tracker.debian.org/tracker/status/release/testing

should look better now.

Regards,
Salvatore

#783491#35
Date: 2015-05-05 09:04:38 UTC
Hi Salvatore,

good catch, thanks!


cheers,
	Holger

#783491#40
Date: 2015-05-05 21:28:15 UTC
On Tue, 5 May 2015 06:49:32 +0200 Salvatore Bonaccorso wrote:

[...]

Yes, it seems to be much more plausible!   ;-)

Thanks a lot.

#783491#45
Date: 2015-05-08 17:11:17 UTC
Hi all,

FTR/for documentation: I also reverted a change to
bin/add-dsa-needed.sh, since it otherwise also looked at
oldoldstable and generated "wrong" suggestions for addition to
dsa-needed.txt. (r34131)

A reference is added as well in
https://wiki.debian.org/SuitesAndReposExtension#secure-testing

Regards,
Salvatore