Bug#717082: marked as done (XSS on developer.php)
Your message dated Wed, 17 Sep 2014 02:23:22 + with message-id and subject line qa.debian.org bug fixed in revision 3262 has caused the Debian Bug report #717082, regarding XSS on developer.php to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
717082: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717082
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: qa.debian.org
Severity: important

The following links show XSS flaws, it will show an alert on Firefox and put a marquee on the site.

http://qa.debian.org/developer.php?login=";>alert(1)
http://qa.debian.org/developer.php?gpg_key=%22%3E%3Cmarquee%3E
http://qa.debian.org/developer.php?package=%27%22%3E%3Cmarquee%3Es

Additional variables seem to be affected too.

- Fernando
--- End Message ---

--- Begin Message ---
Version: 3262

This bug was closed by Paul Wise (pabs) in SVN revision 3262. Note that it might take some time until the qa.debian.org code has been updated and cronjobs have picked up changed data.

Commit message:
Fix XSS issues in DDPO (Closes: #717082)
Patch-by: Daniel Lintott
--- End Message ---
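The sketch below is an added example, not code from qa.debian.org or from the patch author. It renders a hidden input from the two URL-encoded parameter values in the report under three escaping modes and two attribute-quoting styles, then asks an HTML parser whether the value stayed inside its attribute. render_hidden() and stays_in_attribute() are hypothetical names; the body of the real html_input_hidden() is not shown in the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for html_input_hidden(); the real helper's body is
// not shown in the thread. $flags === null means "no escaping" (pre-patch).
function render_hidden(string $name, string $value, string $q, ?int $flags): string
{
    if ($flags !== null) {
        // Escape at the point of output with explicit flags and charset.
        $name  = htmlspecialchars($name, $flags, 'UTF-8');
        $value = htmlspecialchars($value, $flags, 'UTF-8');
    }
    return "<input type={$q}hidden{$q} name={$q}{$name}{$q} value={$q}{$value}{$q}>";
}

// Parse the markup with an HTML parser and report whether the value
// attribute of the single <input> still holds the whole original string.
function stays_in_attribute(string $html, string $original): bool
{
    $previous = libxml_use_internal_errors(true); // broken markup is expected
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $inputs = $doc->getElementsByTagName('input');
    if ($inputs->length !== 1) {
        return false;
    }
    $input = $inputs->item(0);
    // Exactly type, name and value, and the value decodes back to the input.
    return $input->attributes->length === 3
        && $input->getAttribute('value') === $original;
}

// Parameter values taken from the URLs in the bug report, still URL-encoded.
$samples = [
    'gpg_key' => '%22%3E%3Cmarquee%3E',
    'package' => '%27%22%3E%3Cmarquee%3Es',
];
$modes = [
    'no escaping' => null,
    'ENT_COMPAT'  => ENT_COMPAT,                  // what a flagless call meant before PHP 8.1
    'ENT_QUOTES'  => ENT_QUOTES | ENT_SUBSTITUTE, // escapes both quote characters
];

foreach ($samples as $key => $encoded) {
    $value = rawurldecode($encoded);
    foreach (['"', "'"] as $q) {
        foreach ($modes as $label => $flags) {
            $html = render_hidden($key, $value, $q, $flags);
            printf(
                "%-8s quote=%s %-12s %s\n",
                $key,
                $q,
                $label,
                stays_in_attribute($html, $value) ? 'contained' : 'BREAKS OUT'
            );
        }
    }
}
```

Run it with the php CLI (the dom extension is required); the quote= column shows which attribute delimiter the template used for each row.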
Re: reportbug reports are not sent
Hi,

Reportbug sends mails via your local mail server by default. Did you try to look at your local mails? You probably should save it in a temporary file and file it by mail if not.

Cheers, Joseph

On Tue, Sep 16, 2014 at 8:10 PM, anatoly techtonik wrote:
> Hi,
>
> I am trying to send reports, but they don't seem to appear in tracker.
> Is it possible to make report warn if there are some undelivered
> reports and how to process them?
>
> Please, CC.
> --
> anatoly t.
>
>
> --
> To UNSUBSCRIBE, email to debian-qa-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive:
> https://lists.debian.org/CAPkN8xJ8LEfKPU8WD55YygU8PjKKxriqs7vGA4TE76Y=44_...@mail.gmail.com
Processed: Re: Bug#761697: DDPO: showing package adopted by third-party as being mine
Processing control commands: > merge 736715 761697 Bug #736715 [qa.debian.org] DDPO shouldn't list packages under their maintainer in stable Bug #761697 [qa.debian.org] DDPO: showing package adopted by third-party as being mine Merged 736715 761697 -- 736715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736715 761697: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761697 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#761697: DDPO: showing package adopted by third-party as being mine
Control: merge 736715 761697

Hi Eriberto,

On 16/09/14 18:14, Eriberto wrote:
>
> I need to know if it is right or not, then I can close the bug.
>

Discovered this actually #736715 [1], so merging the two bugs accordingly.

Regards
Daniel

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736715
reportbug reports are not sent
Hi,

I am trying to send reports, but they don't seem to appear in tracker. Is it possible to make report warn if there are some undelivered reports and how to process them?

Please, CC.
--
anatoly t.
Processed: XSS on developer.php
Processing control commands: > tags -1 + patch Bug #717082 [qa.debian.org] XSS on developer.php Added tag(s) patch. -- 717082: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717082 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#717082: XSS on developer.php
Control: tags -1 + patch Attached is a patch that prevents the XSS flaws previously mentioned. Regards, Daniel Index: common-html.php === --- common-html.php (revision 3261) +++ common-html.php (working copy) @@ -398,7 +398,7 @@ { if (($key == 'login') or ($key == 'package') or ($key == 'gpg_key')) { -$action .= html_input_hidden($key,$_GET[$key]); +$action .= html_input_hidden($key,htmlspecialchars($_GET[$key])); } } return $action; signature.asc Description: OpenPGP digital signature
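Review bot: the added htmlspecialchars($_GET[$key]) call passes no flags, so on PHP before 8.1 it runs with ENT_COMPAT and leaves the single quote unescaped, while the package= URL in the report begins with %27; pass the flags and charset explicitly, for example htmlspecialchars($_GET[$key], ENT_QUOTES, 'UTF-8'). Escaping at this call site also leaves every other caller of html_input_hidden() responsible for its own escaping, so consider moving the call inside the helper. The hunk touches only the login, package and gpg_key hidden inputs in this one function, and the report says additional variables seem to be affected, so the other places where request parameters reach the output need the same check before the bug is closed.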
Bug#761697: DDPO: showing package adopted by third-party as being mine
Hi Daniel,

Ok, you are right. I adopted pdfcrack in January and the package is shown in old maintainer's DDPO[1]. I need to know if it is right or not, then I can close the bug.

Cheers, Eriberto

[1] https://qa.debian.org/developer.php?login=nacho%40debian.org

2014-09-16 13:18 GMT-03:00 Daniel Lintott :
>
> On 15/09/14 21:41, Daniel Lintott wrote:
>> Ah... Now I see... it's being picked up as being co-maintained. At a
>> guess this is caused by the change of maintainer causing two email
>> addresses in one of the DDPO databases.
>
> Okay... I think I've unravelled what is happening here.
>
> Because you *used* to upload the package (which is still in stable) DDPO
> picks you up as an uploader (highlighted in blue)
>
> Another example of this can be seen at [1] for the gns3 and dynamips
> packages which I maintain now.
>
> So the question here is whether a prior maintainer should still see the
> package listed in their DDPO, whilst their name is present on a
> version of the package that exists in Debian (e.g. in stable)?
>
> Cheers,
>
> Daniel
>
> [1] https://qa.debian.org/developer.php?login=e...@debian.org
>
Bug#761697: DDPO: showing package adopted by third-party as being mine
On 15/09/14 21:41, Daniel Lintott wrote:
> Ah... Now I see... it's being picked up as being co-maintained. At a
> guess this is caused by the change of maintainer causing two email
> addresses in one of the DDPO databases.

Okay... I think I've unravelled what is happening here.

Because you *used* to upload the package (which is still in stable) DDPO picks you up as an uploader (highlighted in blue)

Another example of this can be seen at [1] for the gns3 and dynamips packages which I maintain now.

So the question here is whether a prior maintainer should still see the package listed in their DDPO, whilst their name is present on a version of the package that exists in Debian (e.g. in stable)?

Cheers,

Daniel

[1] https://qa.debian.org/developer.php?login=e...@debian.org
Bug#754658: please display the package's description
On Tue, Sep 16, 2014 at 7:40 PM, Ben Hutchings wrote:
> I think this fall back should not be used, except for packages that
> build a single binary. It results in nonsense like:

The heuristics used by the old PTS are probably better. A summary:

When only one binary package, use the description from it.

When more than one binary package but one has the same name as the source package, use the description from that.

Otherwise, use "source package".

--
bye, pabs
https://wiki.debian.org/PaulWise
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
On Tue, 2014-09-16 at 16:42 +0200, Thijs Kinkhorst wrote:
> Not sure what you'd use that additional info for

As I said perhaps less clearly in another mail, two things:

To list a link to the security tracker in the right-hand-side links section for packages with (any) security issues, as we do for packages with pedantic lintian complaints.

To list a link to the security tracker in the right-hand-side links section for packages with a history of security issues, because this would be interesting for users trying to decide to use a package and also for developers deciding if they want to adopt a package or reintroduce a package that was removed.

> packages lead to semi-permanent notice of issues

I definitely wouldn't put them in the central 'action needed' column.

--
bye, pabs
http://bonedaddy.net/pabs3/
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
On Tue, September 16, 2014 09:10, Paul Wise wrote:
> Could we get a new URL that also has information about unimportant and
> resolved issues and DSAs? I would suggest a format like what lintian
> uses:

Not sure what you'd use that additional info for, but I would heartily disrecommend to display unimportant issues in the PTS; the idea of unimportant is that they are just that, and that no action is needed. If we would display unimportant issues in the PTS, this would for some packages lead to semi-permanent notice of issues, thereby reducing the attention value when an actual issue is found.

Cheers, Thijs
Processed: retitle 761861 to debsources: allow to override detected language type
Processing commands for cont...@bugs.debian.org: > retitle 761861 debsources: allow to override detected language type Bug #761861 [qa.debian.org] allow to override detected language type Changed Bug title to 'debsources: allow to override detected language type' from 'allow to override detected language type' > thanks Stopping processing here. Please contact me if you need assistance. -- 761861: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761861 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#761869: debsources: "update statistics" stage is too slow
Package: qa.debian.org
Severity: normal
User: qa.debian@packages.debian.org
Usertags: debsources

The "update statistics" stage of Debsources updated is currently too slow, taking ~12 minutes on the current sources.d.n machine.

It could be easily optimized by avoiding redoing queries for each live suites (currently: 9), where each query will do a sequential scan (due to count(*), despite "index mostly scan") over the same data. Instead, we can use GROUP BY queries, taking at once stats for all suites.

(See proof of concept and benchmarks available in doc/update-stats-query.bench.sql)

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Processed: Re: Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
Processing commands for cont...@bugs.debian.org: > clone 761730 -1 Bug #761730 [tracker.debian.org] tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG Bug 761730 cloned as bug 761859 > reassign -1 security-tracker Bug #761859 [tracker.debian.org] tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG Bug reassigned from package 'tracker.debian.org' to 'security-tracker'. Ignoring request to alter found versions of bug #761859 to the same values previously set Ignoring request to alter fixed versions of bug #761859 to the same values previously set > retitle 761730 tracker.d.o: please provide more detailed information about > security issues Bug #761730 [tracker.debian.org] tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG Changed Bug title to 'tracker.d.o: please provide more detailed information about security issues' from 'tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG' > retitle -1 security-tracker: please provide more information via JSON file > for tracker.d.o Bug #761859 [security-tracker] tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG Changed Bug title to 'security-tracker: please provide more information via JSON file for tracker.d.o' from 'tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG' > block 761730 by -1 Bug #761730 [tracker.debian.org] tracker.d.o: please provide more detailed information about security issues 761730 was not blocked by any bugs. 761730 was not blocking any bugs. Added blocking bug(s) of 761730: 761859 > thanks Stopping processing here. Please contact me if you need assistance. 
-- 761730: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761730 761859: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761859 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#761867: debsources: conjunctive (AND-ed) ctags search
Package: qa.debian.org
Severity: wishlist
User: qa.debian@packages.debian.org
Usertags: debsources

We should have a new kind of search under /search that allows to search for files that contain all of a given number of ctags symbols provided by the user.

Note that, differently from the current ctags search that returns individual locations within files, this new search should probably return entire files, possibly highlighting the lines containing the requested ctags.

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#761864: debsources: /latest redirection for /data URLs
Package: qa.debian.org
Severity: wishlist
User: qa.debian@packages.debian.org
Usertags: debsources

[ bug originally reported by Simon Paillard ]

/latest redirection currently works only for the webapp, but not for the static data served directly by the web server, and most notably stuff under /data . We should be uniform and implement /latest redirection for /data

To implement that, we could either generate static redirection maps for Apache at each update run. Or decide that /data stuff can be served by the webapp (assessing the corresponding performance penalty) and reuse the code we already have in place for the redirection.

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#761863: debsources: use relative paths in cache/sources.txt
Package: qa.debian.org
Severity: minor
User: qa.debian@packages.debian.org
Usertags: debsources

A typical cache/sources.txt line currently looks like this:

susv3 6.1 contrib /srv/debsources/testdata/mirror/pool/contrib/s/susv3/susv3_6.1.dsc /srv/debsources/sources/contrib/s/susv3/6.1 jessie,squeeze,wheezy,sid

the use of absolute paths is undesirable and has no good reason to exist. We should use relative paths:

- 4th field should be relative to conf['mirror_dir']
- 5th field should be relative to conf['sources_dir']

(see test_updater.py for reference)

bin/foreach should then be adapted to work properly with relative paths sources.txt.

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#761861: allow to override detected language type
Package: qa.debian.org
Severity: normal
User: qa.debian@packages.debian.org
Usertags: debsources

[ bug originally reported by Stuart Prescott ]

The heuristics used to detect language type could be wrong (of course), it would be nice to allow overriding detected language type with a ?lang=... URL parameter.

A related problem is that we might wrongly detect that some file is not a text-like file, and hence only offer to download it, rather than render it on the web. E.g. http://sources.debian.net/src/make/latest/doc/make.info-4/ currently can only be downloaded, in spite of info being a textual file format.

In terms of code the semantic of a new "lang" URL parameter should therefore be twofold:

- on one hand its presence should override the detection done by libmagic to decide whether to render or download a file (see http://anonscm.debian.org/cgit/qa/debsources.git/tree/python/models.py#n652 )
- on the other hand the language specified should override the heuristic based language detection.

To simply force web display without requiring any highlighting, we could use something like ?lang=none

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Re: Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
clone 761730 -1
reassign -1 security-tracker
retitle 761730 tracker.d.o: please provide more detailed information about security issues
retitle -1 security-tracker: please provide more information via JSON file for tracker.d.o
block 761730 by -1
thanks

On Dienstag, 16. September 2014, Raphael Hertzog wrote:
> JSON is more web-friendly, I would pick that.
>
> YAML is the best choice for files manually managed by humans but when it's
> generated by code, JSON is a better idea IMO.

ack, thanks.

cheers, Holger
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
On Tue, 16 Sep 2014, Holger Levsen wrote:
> On Dienstag, 16. September 2014, Raphael Hertzog wrote:
> > Let's not continue that bad tradition. If anything it should provide
> > either YAML or JSON with something structured:
>
> I agree. Any preference?

JSON is more web-friendly, I would pick that.

YAML is the best choice for files manually managed by humans but when it's generated by code, JSON is a better idea IMO.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook: → http://debian-handbook.info/get/
Bug#754658: please display the package's description
On Fri, 2014-08-29 at 13:18 -0700, Andrew Starr-Bochicchio wrote:
> The attached patch adds the short description under the source package
> name. The current PTS only uses the short description if there is a
> binary package that has the same name as the source package. If not,
> it just displays "Source package" I have decided to fall back to the
> short description for the first binary package instead.
[...]

I think this fall back should not be used, except for packages that build a single binary. It results in nonsense like:

    linux Xen system with Linux 3.16 on 64-bit PCs (meta-package)

That description comes from the xen-linux-system-3.16-1-amd64 binary package; I don't how that would be the 'first' binary package. Using the package currently listed first in the control file, we would get:

    linux Linux kernel source for version 3.16 with Debian patches

But this is still not a very sensible summary of the source package.

Ben.

--
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein
buildd.debian.org/status/ broken (Was: Seqan used to build on kfreebsd but does not any more)
Hi,

On Tue, Sep 16, 2014 at 10:49:08AM +0100, Steven Chamberlain wrote:
>
> On 16/09/14 10:35, Andreas Tille wrote:
> > the package seqan currently in testing previously built on all
> > architectures except sparc (even on kfreebsd-*)[1]. I needed to
> > fix some unrelated build issue and now the recent build log on
> > kfreebsd[2] says:
>
> > [1] https://buildd.debian.org/status/package.php?p=seqan&suite=jessie
>
> Huh? According to this it has _never_ built on kfreebsd:
> https://buildd.debian.org/status/logs.php?pkg=seqan&arch=kfreebsd-amd64
>
> (it is not marked as out-of-date either so is not a blocker for
> migration, it only waits for the mips build)
>
> I'd say the "jessie" view is misleading or, broken.

As Steven pointed out the jessie view seems to be broken. I'm forwarding this to debian-qa for further inspection.

Kind regards
Andreas.

--
http://fam-tille.de
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
On Tue, Sep 16, 2014 at 5:29 PM, Holger Levsen wrote:
> bind9 is not linked, despite there is one open security issue in wheezy (and
> several in squeeze(-lts+security)

bind9 is missing from the security-tracker data export AFAICT.

--
bye, pabs
https://wiki.debian.org/PaulWise
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
Hi,

On Dienstag, 16. September 2014, Raphael Hertzog wrote:
> Let's not continue that bad tradition. If anything it should provide
> either YAML or JSON with something structured:

I agree. Any preference?

cheers, Holger
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
Hi,

On Dienstag, 16. September 2014, Paul Wise wrote:
> It already is. The link is missing from the main description, it is
> present in the extended description though:

ui, wow, such a small icon. Could you please also make the words "security issues" a link?!

> Could we get a new URL that also has information about unimportant and
> resolved issues and DSAs? I would suggest a format like what lintian
> uses:

rather than those, I'd rather have issues in other distros than sid first, eg, bind9 is not linked, despite there is one open security issue in wheezy (and several in squeeze(-lts+security)

(The squeeze issues cannot be seen yet in the public instance of the sec-tracker _yet_ :)

cheers, Holger
Bug#702908: marked as done (PTS: display sponsor of accepted package)
Your message dated Tue, 16 Sep 2014 16:35:06 +0800 with message-id <1410856506.32372.34.ca...@debian.org> and subject line PTS: 702908: fixed in the new tracker has caused the Debian Bug report #702908, regarding PTS: display sponsor of accepted package to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
702908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702908
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: qa.debian.org
Severity: wishlist
User: qa.debian@packages.debian.org
Usertag: pts

Hi,

it would be nice if PTS would also show the signer (i.e. sponsor) of a newly uploaded package - if different from the person who packaged it.

Regards
Markus Wanner
--- End Message ---

--- Begin Message ---
This bug has been fixed in the new tracker:

https://tracker.debian.org/pkg/libhdf4

[2014-09-14] Accepted libhdf4 4.2.10-1 (source all amd64) into unstable (Johan Van de Wauw) (signed by: Aurelien Jarno)

--
bye, pabs
https://wiki.debian.org/PaulWise
--- End Message ---
Processed: reassign 539014 to tracker.debian.org
Processing commands for cont...@bugs.debian.org: > reassign 539014 tracker.debian.org Bug #539014 [qa.debian.org] qa.debian.org: show link to removal bug on package QA page Bug reassigned from package 'qa.debian.org' to 'tracker.debian.org'. Ignoring request to alter found versions of bug #539014 to the same values previously set Ignoring request to alter fixed versions of bug #539014 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 539014: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539014 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: reassign 561228 to tracker.debian.org
Processing commands for cont...@bugs.debian.org: > reassign 561228 tracker.debian.org Bug #561228 [qa.debian.org] VCS-CVS are converted to bogus hyperlinks Bug reassigned from package 'qa.debian.org' to 'tracker.debian.org'. Ignoring request to alter found versions of bug #561228 to the same values previously set Ignoring request to alter fixed versions of bug #561228 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 561228: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561228 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: reassign 499577 to tracker.debian.org, reassign 678574 to tracker.debian.org
Processing commands for cont...@bugs.debian.org: > # reassigning bugs that may eventually be fixed in the new tracker instead > reassign 499577 tracker.debian.org Bug #499577 [qa.debian.org] "parse" lowThresholdNmu page Bug reassigned from package 'qa.debian.org' to 'tracker.debian.org'. Ignoring request to alter found versions of bug #499577 to the same values previously set Ignoring request to alter fixed versions of bug #499577 to the same values previously set > # qa backend does not export this info > reassign 678574 tracker.debian.org Bug #678574 [qa.debian.org] PTS removal bug detection misfires for partial removals Bug reassigned from package 'qa.debian.org' to 'tracker.debian.org'. Ignoring request to alter found versions of bug #678574 to the same values previously set Ignoring request to alter fixed versions of bug #678574 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 499577: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499577 678574: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678574 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#761811: tracker.debian.org: add support for mentors.debian.net
Package: tracker.debian.org
Severity: wishlist

mentors.d.n offers a place for new contributors to upload packages that need to be sponsored.

There is an apt repository at [1] containing those packages. It supports all the usual suites plus an UNRELEASED suite for packages that aren't yet ready to be uploaded to Debian. It doesn't yet appear to have Release files so the tracker will need to download Sources files manually.

For all packages that are not yet in Debian, please add pages on the tracker for them with a notice in the action column:

Sponsoring is needed[2] to get this package into Debian.

For packages already in Debian and also in the main suites from the mentors site (but not UNRELEASED) please add an action item to the action section with link to [2]:

Sponsoring is needed[2] to get a new version of this package into Debian.

For all packages mentioned in any suite, please provide a link to [2] named 'mentors' with title 'prospective packages from new contributors' in the right hand links section.

1. http://mentors.debian.net/debian/
2. http://mentors.debian.net/package/{package}

--
bye, pabs
https://wiki.debian.org/PaulWise
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
Hi,

On Tue, 16 Sep 2014, Paul Wise wrote:
> On Tue, Sep 16, 2014 at 7:08 AM, Holger Levsen wrote:
> > There is an interface for it, see
> > https://security-tracker.debian.org/tracker/data/pts/1
>
> Could we get a new URL that also has information about unimportant and
> resolved issues and DSAs? I would suggest a format like what lintian
> uses:
>
> bind9 2 0 52 28

Let's not continue that bad tradition. If anything it should provide either YAML or JSON with something structured:

bind9:
  squeeze:
    open:
      - CVE-XXX
      - CVE-YYY
    open-unimportant:
      - ...
    resolved:
      - ...
  wheezy: ...
  jessie: ...
  sid: ...

If you want anything more than that, it's probably better to grab directly the input data of the security tracker (CVE/list in secure-testing SVN repo).

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
Hi,

On Tue, 16 Sep 2014, Holger Levsen wrote:
> the information gathered in the security-tracker should be displayed in the
> package tracker.d.o.

It's already there, see the "20 security issues" in https://tracker.debian.org/pkg/linux

When you click on the question mark you get access to the link. This should be improved so that the link is directly accessible without going through the extended info but the info should be there.

Have you seen a package where there was no such entry and where it should have had one?

> Each source package has a URL of the form
> https://security-tracker.debian.org/tracker/source-package/bind9

bind9 is not in the list exported by the tracker at https://security-tracker.debian.org/tracker/data/pts/1

So the list seems to be limited to open issues in sid. We might want to improve this and provide a better overview of the release where security issues are open.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG
On Tue, Sep 16, 2014 at 7:08 AM, Holger Levsen wrote:

> the information gathered in the security-tracker should be displayed in the
> package tracker.d.o.

It already is. The link is missing from the main description, it is present in the extended description though:

https://tracker.debian.org/pkg/linux
https://tracker.debian.org/action-items/17875

> Each source package has a URL of the form
> https://security-tracker.debian.org/tracker/source-package/bind9

I think it would be useful to link to these URLs (for the historical data present) from the right-hand-side links section but the security tracker doesn't provide the required info.

> There is an interface for it, see
> https://security-tracker.debian.org/tracker/data/pts/1

Could we get a new URL that also has information about unimportant and resolved issues and DSAs? I would suggest a format like what lintian uses:

bind9 2 0 52 28

https://security-tracker.debian.org/tracker/data/pts/2

--
bye,
pabs

https://wiki.debian.org/PaulWise