Now with the patch.
On Wed, Apr 20, 2022 at 05:08:20PM +0200, Sylvain Beucler wrote:
> During my last front-desk week I noticed that we tend to miss or delay
> some buster security updates, in particular those that come in point
> releases, and a few batches of minor postponed fixes. See for
> instance, 'dpdk' [1] or 'mailman' [2].
>
> Attached is a patch to 'bin/lts-cve-triage.py' to help exhibit those
> updates so we schedule them in dla-needed.txt. This includes fixes
> from stable/oldstable point releases or past DSAs, but excludes issues
> explicitly ignored, and old fixes from back when buster was unstable.
>
> The current output is manageable (40-50 packages), and I plan to trim
> it further down by properly tagging <ignored> some no-dsa issues that
> are not meant to be fixed in stretch (see e.g. 'ark' [3]), and tagging
> <end-of-life> a few others (e.g. 'node-*').
>
> At this point front-desk can proceed as usual using the enhanced
> 'lts-cve-triage.py' output. Front-desk may need to use 'no-dsa'
> sparingly in the future, in favor of its 'postponed' and 'ignored'
> sub-states [4], so as to better help the tool.
>
> What do you think?
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>
> [1] https://security-tracker.debian.org/tracker/source-package/dpdk
> [2] https://security-tracker.debian.org/tracker/source-package/mailman
> [3] https://security-tracker.debian.org/tracker/source-package/ark
> [4] https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
diff --git a/bin/lts-cve-triage.py b/bin/lts-cve-triage.py index bda1606819..6590f975a5 100755 --- a/bin/lts-cve-triage.py +++ b/bin/lts-cve-triage.py @@ -64,6 +64,9 @@ LIST_NAMES = ( ('triage_possible_easy_fixes', ('Issues not yet triaged for {lts}, but already fixed in {next_lts}') .format(**RELEASES)), + ('triage_possible_missed_fixes', + ('Issues postponed for {lts}, but fixed in {next_lts} via DSA or point releases') + .format(**RELEASES)), ('triage_other_not_triaged_in_next_lts', ('Other issues to triage for {lts} (not yet triaged for {next_lts})') .format(**RELEASES)), @@ -154,10 +157,20 @@ for pkg in tracker.iterate_packages(): if status_in_next_lts.status == 'resolved': add_to_list('possible_easy_fixes', pkg, issue) + # <no-dsa>/<postponed>/<ignored>/<unimportant>/<undetermined> elif status_in_lts.status == 'ignored': if (status_in_lts.reason == 'no-dsa' and status_in_next_lts.status == 'open'): add_to_list('unexpected_nodsa', pkg, issue) + elif (status_in_lts.reason == 'no-dsa' and + status_in_next_lts.status == 'resolved'): + # include fixes from DSA or stable/oldstable point releases + # exclude issues explicitly ignored, and old fixes back in unstable + nodsa_reason = issue.data['releases'][RELEASES['lts']]['nodsa_reason'] + fixed_version = issue.data['releases'][RELEASES['next_lts']]['fixed_version'] + if (nodsa_reason != 'ignored' and + ('~deb' in fixed_version or '+deb' in fixed_version)): + add_to_list('triage_possible_missed_fixes', pkg, issue) elif status_in_lts.reason == 'undetermined': add_to_list('undetermined', pkg, issue)
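Review bot: in the first hunk the description 'Issues postponed for {lts}, but fixed in {next_lts} via DSA or point releases' is narrower than what the new branch in the second hunk actually matches: it accepts every 'no-dsa' entry whose nodsa_reason is not 'ignored', so plain no-dsa issues without a <postponed> sub-state land in this list too. Suggest wording it as 'Issues marked no-dsa/postponed for {lts}, but fixed in {next_lts} via DSA or point releases' so front-desk knows why an un-tagged no-dsa package shows up here.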
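Review bot: in the second hunk the new elif indexes issue.data['releases'][RELEASES['lts']]['nodsa_reason'] and ['fixed_version'] directly, so a no-dsa entry that carries no sub-state (no 'nodsa_reason' key) or a resolved entry with an empty fixed_version raises a KeyError/TypeError and aborts the whole triage run instead of just skipping that issue; use .get('nodsa_reason') and (… .get('fixed_version') or '') there. The list key is also inconsistent with its neighbours: the new call passes the prefixed 'triage_possible_missed_fixes', while the surrounding calls pass 'possible_easy_fixes' and 'unexpected_nodsa' even though LIST_NAMES registers 'triage_possible_easy_fixes'; follow the existing convention (add_to_list('possible_missed_fixes', pkg, issue)) or confirm that add_to_list accepts the already-prefixed name, otherwise the list will never be populated under the registered key. Finally, the '~deb' / '+deb' substring test is a heuristic for point-release and DSA version suffixes; a DSA that shipped a new upstream version without such a suffix is silently excluded, which the comment should say explicitly.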