Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2015-02-18 Thread Raphael Hertzog
On Wed, 18 Feb 2015, Raphael Hertzog wrote:
> One thing that comes to my mind is that we probably also want the
> associated Debian bug number when there's an associated bug report.
> So instead of a plain CVE identifier we probably want a hash:
> { 'id': 'CVE--', 'bug': '12345', 'severity': 'low' }
>
> That way we could also export the severity and easily add more data
> in case of future needs.

And I just thought that I would like to have the status... in particular
to differentiate no-dsa issues.

status: open|no-dsa|end-of-life|resolved ?

or just

status: open|resolved
no-dsa: True|False

This would suggest having a single list of issues per suite and putting
the status/severity in the data of each CVE:

'bind9': {
    'squeeze': {
        'CVE--': {
            'status': 'open|resolved',
            'severity': 'unimportant|low|normal|high|unknown',
            'no-dsa': True|False,
            'end-of-life': True|False,
        },
        ...
    },
    'wheezy': {
        ...
    }
},

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
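A consumer for the per-suite export shape proposed in the message above, as an added example that is not code from tracker.debian.org or the security tracker; it derives the two things the thread asks of the data (whether to show a tracker link at all, and which suites have issues that actually need action, leaving out unimportant and no-dsa entries). Field names follow the proposal; the package name, CVE ids and bug number in the sample are constructed.

```python
import json

# Constructed sample in the proposed shape: package -> suite -> CVE -> attributes.
SAMPLE_EXPORT = json.dumps({"bind9": {
    "squeeze": {
        "CVE-0000-0001": {"status": "open", "severity": "high", "bug": "12345",
                          "no-dsa": False, "end-of-life": False},
        "CVE-0000-0002": {"status": "open", "severity": "unimportant",
                          "no-dsa": False, "end-of-life": False},
        "CVE-0000-0003": {"status": "resolved", "severity": "low",
                          "no-dsa": False, "end-of-life": False},
    },
    "wheezy": {
        "CVE-0000-0001": {"status": "open", "severity": "low",
                          "no-dsa": True, "end-of-life": False},
    },
}})

TRACKER_URL = "https://security-tracker.debian.org/tracker/source-package/{}"
STATUSES = {"open", "resolved"}

def action_needed(issue):
    """Only open issues that are neither no-dsa, end-of-life nor 'unimportant'
    belong in an 'action needed' column; everything else is history only."""
    return (issue["status"] == "open"
            and issue["severity"] != "unimportant"
            and not issue.get("no-dsa", False)
            and not issue.get("end-of-life", False))

def summarize_suite(issues):
    # Count open/resolved/no-dsa/action issues for one suite; reject status
    # values outside the proposed open|resolved vocabulary instead of guessing.
    counts = {"open": 0, "resolved": 0, "no-dsa": 0, "action": 0}
    for cve, attrs in issues.items():
        if attrs["status"] not in STATUSES:
            raise ValueError("%s: unknown status %r" % (cve, attrs["status"]))
        counts[attrs["status"]] += 1
        counts["no-dsa"] += 1 if attrs.get("no-dsa") else 0
        counts["action"] += 1 if action_needed(attrs) else 0
    return counts

def summarize(export_json, package):
    # Link whenever the package has any history; list only suites needing action.
    suites = json.loads(export_json).get(package, {})
    per_suite = {s: summarize_suite(i) for s, i in suites.items()}
    action = {s: c["action"] for s, c in per_suite.items() if c["action"]}
    return {"link": TRACKER_URL.format(package) if suites else None,
            "per_suite": per_suite, "action": action}
```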



Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2015-02-18 Thread Raphael Hertzog
Hi,

On Tue, 16 Sep 2014, Raphael Hertzog wrote:
> Let's not continue that bad tradition. If anything it should provide
> either YAML or JSON with something structured:
>
> bind9:
>   squeeze:
>     open:
>     - CVE-XXX
>     - CVE-YYY
>     open-unimportant:
>     - ...
>     resolved:
>     - ...
>   wheezy:
>     ...

One thing that comes to my mind is that we probably also want the
associated Debian bug number when there's an associated bug report.
So instead of a plain CVE identifier we probably want a hash:
{ 'id': 'CVE--', 'bug': '12345', 'severity': 'low' }

That way we could also export the severity and easily add more data
in case of future needs.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/





Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Paul Wise
On Tue, Sep 16, 2014 at 7:08 AM, Holger Levsen hol...@layer-acht.org wrote:

> the information gathered in the security-tracker should be displayed in the
> package tracker.d.o.

It already is. The link is missing from the main description, it is
present in the extended description though:

https://tracker.debian.org/pkg/linux
https://tracker.debian.org/action-items/17875

> Each source package has a URL of the form
> https://security-tracker.debian.org/tracker/source-package/bind9

I think it would be useful to link to these URLs (for the historical
data present) from the right-hand-side links section but the security
tracker doesn't provide the required info.

> There is an interface for it, see
> https://security-tracker.debian.org/tracker/data/pts/1

Could we get a new URL that also has information about unimportant and
resolved issues and DSAs? I would suggest a format like what lintian
uses:

bind9 2 0 52 28

https://security-tracker.debian.org/tracker/data/pts/2

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Raphael Hertzog
Hi,

On Tue, 16 Sep 2014, Holger Levsen wrote:
> the information gathered in the security-tracker should be displayed in the
> package tracker.d.o.

It's already there, see the 20 security issues in 
https://tracker.debian.org/pkg/linux
When you click on the question mark you get access to the link.

This should be improved so that the link is directly accessible without
going through the extended info but the info should be there.

Have you seen a package where there was no such entry and where it should
have had one?

> Each source package has a URL of the form
> https://security-tracker.debian.org/tracker/source-package/bind9

bind9 is not in the list exported by the tracker at
https://security-tracker.debian.org/tracker/data/pts/1

So the list seems to be limited to open issues in sid. We might want to
improve this and provide a better overview of the release where security
issues are open.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/





Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Raphael Hertzog
Hi,

On Tue, 16 Sep 2014, Paul Wise wrote:
> On Tue, Sep 16, 2014 at 7:08 AM, Holger Levsen hol...@layer-acht.org wrote:
>> There is an interface for it, see
>> https://security-tracker.debian.org/tracker/data/pts/1
>
> Could we get a new URL that also has information about unimportant and
> resolved issues and DSAs? I would suggest a format like what lintian
> uses:
>
> bind9 2 0 52 28

Let's not continue that bad tradition. If anything it should provide
either YAML or JSON with something structured:

bind9:
  squeeze:
    open:
    - CVE-XXX
    - CVE-YYY
    open-unimportant:
    - ...
    resolved:
    - ...
  wheezy:
    ...
  jessie:
    ...
  sid:
    ...

If you want anything more than that, it's probably better to grab directly
the input data of the security tracker (CVE/list in secure-testing SVN
repo).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/





Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Holger Levsen
Hi,

On Dienstag, 16. September 2014, Raphael Hertzog wrote:
> Let's not continue that bad tradition. If anything it should provide
> either YAML or JSON with something structured:

I agree. Any preference?


cheers,
Holger




Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Holger Levsen
Hi,

On Dienstag, 16. September 2014, Paul Wise wrote:
> It already is. The link is missing from the main description, it is
> present in the extended description though:

ui, wow, such a small icon. Could you please also make the words "security
issues" a link?!

> Could we get a new URL that also has information about unimportant and
> resolved issues and DSAs? I would suggest a format like what lintian
> uses:

Rather than those, I'd rather have issues in other distros than sid first, e.g.
bind9 is not linked, despite there being one open security issue in wheezy (and
several in squeeze(-lts+security)).

(The squeeze issues cannot be seen in the public instance of the sec-tracker
_yet_ :)


cheers,
Holger




Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Paul Wise
On Tue, Sep 16, 2014 at 5:29 PM, Holger Levsen wrote:

> bind9 is not linked, despite there being one open security issue in wheezy (and
> several in squeeze(-lts+security)).

bind9 is missing from the security-tracker data export AFAICT.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Raphael Hertzog
On Tue, 16 Sep 2014, Holger Levsen wrote:
> On Dienstag, 16. September 2014, Raphael Hertzog wrote:
>> Let's not continue that bad tradition. If anything it should provide
>> either YAML or JSON with something structured:
>
> I agree. Any preference?

JSON is more web-friendly, I would pick that.

YAML is the best choice for files manually managed by humans but when it's
generated by code, JSON is a better idea IMO.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/





Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Holger Levsen
clone 761730 -1
reassign -1 security-tracker
retitle 761730 tracker.d.o: please provide more detailed information about security issues
retitle -1 security-tracker: please provide more information via JSON file for tracker.d.o
block 761730 by -1
thanks

On Dienstag, 16. September 2014, Raphael Hertzog wrote:
> JSON is more web-friendly, I would pick that.
>
> YAML is the best choice for files manually managed by humans but when it's
> generated by code, JSON is a better idea IMO.

ack, thanks.


cheers,
Holger






Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Thijs Kinkhorst
On Tue, September 16, 2014 09:10, Paul Wise wrote:
> Could we get a new URL that also has information about unimportant and
> resolved issues and DSAs? I would suggest a format like what lintian
> uses:

Not sure what you'd use that additional info for, but I would heartily
recommend against displaying unimportant issues in the PTS; the idea of
unimportant is that they are just that, and that no action is needed. If
we displayed unimportant issues in the PTS, this would for some
packages lead to semi-permanent notice of issues, thereby reducing the
attention value when an actual issue is found.


Cheers,
Thijs





Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Paul Wise
On Tue, 2014-09-16 at 16:42 +0200, Thijs Kinkhorst wrote:

> Not sure what you'd use that additional info for

As I said perhaps less clearly in another mail, two things:

To list a link to the security tracker in the right-hand-side links
section for packages with (any) security issues, as we do for packages
with pedantic lintian complaints.

To list a link to the security tracker in the right-hand-side links
section for packages with a history of security issues, because this
would be interesting for users trying to decide to use a package and
also for developers deciding if they want to adopt a package or
reintroduce a package that was removed.

> packages lead to semi-permanent notice of issues

I definitely wouldn't put them in the central 'action needed' column.

-- 
bye,
pabs

http://bonedaddy.net/pabs3/




Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-15 Thread Holger Levsen
package: tracker.debian.org
severity: wishlist
x-debbugs-cc: debian-security-trac...@lists.debian.org

Hi,

the information gathered in the security-tracker should be displayed in the 
package tracker.d.o. 

There is an interface for it, see
https://security-tracker.debian.org/tracker/data/pts/1

This file lists source packages and the number of security issues. If there is 
none, no issues exist.

Each source package has a URL of the form 
https://security-tracker.debian.org/tracker/source-package/bind9

Please implement this linking :-)


cheers,
Holger

