Bug#761859: prototype ready
On Wed, Feb 25, 2015 at 10:36 AM, Raphael Hertzog hert...@debian.org wrote:
> Release is a general concept that includes multiple repositories. And in
> repositories you have finer-grained data by real repositories.

That's what I was aiming for, yes.

Sorry, I had a draft in my phone, but didn't send that to not create confusion with bad quoting.

Richard

--
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/CAD77+gScera29rJpifGzHTruF_LHqosD5E+SMtiqNyRmMT=q...@mail.gmail.com
Bug#761859: prototype ready
On Tue, 24 Feb 2015, Holger Levsen wrote:
> On Tuesday, 24 February 2015, Richard Hartmann wrote:
> > Depending on your layout, you don't really need two different JSON files, though.
>
> how would you distinguish between squeeze, which includes lts and security,
> and squeeze, which doesn't? Same for wheezy (and security and not).

You could decide to use different keys for the aggregated data and for the non-aggregated data. It's actually a good idea. It could look like this:

pkg:
  CVE:
    ...
    repositories:
      squeeze:
      squeeze-lts:
      ...
      jessie:
      jessie-security:
      ...
    releases:
      squeeze:
      ...
      jessie:

Release is a general concept that includes multiple repositories. And in repositories you have finer-grained data by real repositories.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Archive: https://lists.debian.org/20150225093624.ga18...@home.ouaza.com
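The layout Raphaël sketches above, with the raw per-repository data kept next to a merged per-release view, as an added Python example; it is not code from this thread or from the security tracker itself. The release-to-repository mapping, the open/resolved status vocabulary, the fixed_version key and the package, CVE id and versions are all constructed for the example, and the tracker's real data model may differ. The merged view is serialised with the standard json module so the result parses back as one document.

```python
import json

# Which real repositories make up each release, listed in ascending precedence:
# a fix in a later repository overrides the entry from an earlier one.  The
# mapping is an assumption for this example, built from the suites named in
# the thread (squeeze/-security/-lts, wheezy/-security, jessie/-security).
RELEASE_REPOSITORIES = {
    "squeeze": ["squeeze", "squeeze-security", "squeeze-lts"],
    "wheezy": ["wheezy", "wheezy-security"],
    "jessie": ["jessie", "jessie-security"],
}

# Constructed raw per-repository data for one package and one issue.  The
# package name, the CVE id, the versions and the open/resolved vocabulary are
# all placeholders for the example, not entries from the real tracker.
RAW = {
    "foo": {
        "CVE-2015-XXXX": {
            "description": "constructed example issue",
            "repositories": {
                "squeeze": {"status": "open", "fixed_version": None},
                "squeeze-lts": {"status": "resolved", "fixed_version": "1.0-1+deb6u1"},
                "wheezy": {"status": "open", "fixed_version": None},
                "wheezy-security": {"status": "open", "fixed_version": None},
                "jessie": {"status": "resolved", "fixed_version": "1.2-1"},
            },
        }
    }
}


def aggregate_release(repo_entries):
    """Merge the per-repository entries of one release into a single status.

    repo_entries is ordered by ascending precedence (base, security, lts).
    The release is resolved as soon as any repository carries a fix, and the
    fixed version reported is the one from the highest-precedence repository
    that has one, so "squeeze" reports the squeeze-lts fix even though the
    base suite itself never changes.  Returns None when no repository of the
    release knows the issue at all.
    """
    status = None
    fixed_version = None
    for entry in repo_entries:
        if entry is None:
            continue
        if entry["status"] == "resolved":
            status = "resolved"
            fixed_version = entry["fixed_version"]
        elif status is None:
            status = entry["status"]
    if status is None:
        return None
    return {"status": status, "fixed_version": fixed_version}


def build_output(raw):
    """Produce the proposed layout: per issue, raw "repositories" plus merged "releases"."""
    out = {}
    for pkg, issues in raw.items():
        out[pkg] = {}
        for cve, issue in issues.items():
            repos = issue["repositories"]
            releases = {}
            for release, members in RELEASE_REPOSITORIES.items():
                merged = aggregate_release([repos.get(name) for name in members])
                if merged is not None:
                    releases[release] = merged
            out[pkg][cve] = {
                "description": issue.get("description"),
                "repositories": repos,
                "releases": releases,
            }
    return out


def dump_json(data):
    """Serialise with the standard library so the file is one valid JSON document."""
    return json.dumps(data, indent=2, sort_keys=True)


def roundtrip_ok(data):
    """True when the serialised text parses back (json.loads) to the same structure."""
    return json.loads(dump_json(data)) == data


if __name__ == "__main__":
    output = build_output(RAW)
    assert roundtrip_ok(output)
    print(dump_json(output))
```

With this shape a consumer that only cares about "is it fixed in squeeze" reads the releases key, while one that tracks individual repositories (as Paul asked for) reads the repositories key from the same file, so no second JSON file is needed.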
Bug#761859: prototype ready
On Mon, Feb 23, 2015 at 2:59 PM, Holger Levsen hol...@layer-acht.org wrote:
> surely. I just wasn't sure whether this should be done on the
> security-tracker side or by its users... or I could provide two versions:
> json-full and json(-aggregated) - do you think that would be useful?

To clarify, I replied to this mail and meant the part above.

I see value in both having "this is fixed in suite X" and in "this is fixed in those subsets of suite X".

Depending on your layout, you don't really need two different JSON files, though.

Richard

Archive: https://lists.debian.org/CAD77+gTZz6VjhDY71=ge7_sCoMSjbK3aA9k=ydgwbrosdvz...@mail.gmail.com
Bug#761859: prototype ready
Hi,

On Tuesday, 24 February 2015, Paul Wise wrote:
> I think it would be useful to provide the non-aggregated version for folks
> who only use some of the stable suites. Not sure if the sectracker has
> information about stable-proposed-updates but if so it would be good to
> include it too.

it hasn't, see #645201 "track uploads to proposed-updates"

cheers,
	Holger
Bug#761859: prototype ready
Hi,

On Tuesday, 24 February 2015, Richard Hartmann wrote:
> Depending on your layout, you don't really need two different JSON files, though.

how would you distinguish between squeeze, which includes lts and security, and squeeze, which doesn't? Same for wheezy (and security and not).

cheers,
	Holger
Bug#761859: prototype ready
Hi,

On Monday, 23 February 2015, Raphael Hertzog wrote:
> The only missing data I see is the Debian bug report assigned to each CVE.

I'll add that.

> And you call the file json but it contains YAML :-)

yeah, fixed in the last attached patch, but I will rewrite it to actually output json...

> Otherwise, I see that you have the raw data per real suite (aka squeeze is
> never fixed, only squeeze-lts is fixed) and I would prefer having data
> consolidated by release (i.e. you get the squeeze status by merging squeeze,
> squeeze-security and squeeze-lts, wheezy by merging wheezy and
> wheezy-security, etc.). Is that possible?

surely. I just wasn't sure whether this should be done on the security-tracker side or by its users... or I could provide two versions: json-full and json(-aggregated) - do you think that would be useful?

cheers,
	Holger
Bug#761859: prototype ready
Hi,

On Monday, 23 February 2015, Paul Wise wrote:
> Hmm, it appears that these are the default urgency from NVD and the ones
> without asterisks are ones set by SVN committers. That doesn't appear to be
> a distinction worth preserving but it is fine to do so.

I kept it under the premise of presenting the raw data.

> Please ensure that this json is linked to from the front page of the
> security tracker and from the security tracker documentation so that people
> building on it can find it easily.

will do.

> I think for other consumers of the data (not distro-tracker), exposing fixed
> version numbers might be interesting. For instance, someone with 500
> machines who aggregates host/package/version information and then
> correlates that with the list of security issues from the sectracker.

i'll include this in the detailed json output.

> I should stop bike-shedding though :)

:)

> Anyway, the current JSON is good for the distro-tracker from a content
> perspective (so please deploy)

will do RSN :)

cheers,
	Holger
Bug#761859: prototype ready
On Sun, 22 Feb 2015, Holger Levsen wrote:
> new output is attached in compressed form.

The only missing data I see is the Debian bug report assigned to each CVE.

And you call the file json but it contains YAML :-)

Otherwise, I see that you have the raw data per real suite (aka squeeze is never fixed, only squeeze-lts is fixed) and I would prefer having data consolidated by release (i.e. you get the squeeze status by merging squeeze, squeeze-security and squeeze-lts, wheezy by merging wheezy and wheezy-security, etc.). Is that possible?

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Archive: https://lists.debian.org/20150223133826.gb2...@home.ouaza.com
Bug#761859: prototype ready
On Mon, 2015-02-23 at 14:59 +0100, Holger Levsen wrote:
> surely. I just wasn't sure whether this should be done on the
> security-tracker side or by its users... or I could provide two versions:
> json-full and json(-aggregated) - do you think that would be useful?

I think it would be useful to provide the non-aggregated version for folks who only use some of the stable suites. Not sure if the sectracker has information about stable-proposed-updates but if so it would be good to include it too.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#761859: prototype ready
On Sun, 22 Feb 2015 00:37:49 +0100 Holger Levsen wrote:
> I have a prototype ready, see attached...

I noticed that fixed issues are not listed, we need that so people can look up the security history of any package by clicking a 'security' link in the links section. Just an item "link: True|False" would be enough, True for anything that has any info in the security tracker.

I see a bunch of urgency set to high** and medium**, should it be high and medium instead?

I think it might be a good idea to include attack range information (local/remote/etc).

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#761859: prototype ready
On Sun, 2015-02-22 at 19:00 +0100, Holger Levsen wrote:
> On Sunday, 22 February 2015, Paul Wise wrote:
> > I see a bunch of urgency set to high** and medium**, should it be high
> > and medium instead?
>
> this comes directly from the database, so I don't think it should be modified.

Hmm, it appears that these are the default urgency from NVD and the ones without asterisks are ones set by SVN committers. That doesn't appear to be a distinction worth preserving but it is fine to do so.

Please ensure that this json is linked to from the front page of the security tracker and from the security tracker documentation so that people building on it can find it easily. It is vastly more friendly to potential consumers than the current output consumed by the PTS and the current output consumed by debsecan. We've already had people looking for JSON and trying to use the debsecan data.

I think for other consumers of the data (not distro-tracker), exposing fixed version numbers might be interesting. For instance, someone with 500 machines who aggregates host/package/version information and then correlates that with the list of security issues from the sectracker.

I should stop bike-shedding though :)

Anyway, the current JSON is good for the distro-tracker from a content perspective (so please deploy) but it doesn't load using the python JSON module so it is probably not valid JSON, I'd suggest using Python's json.dump instead of whatever method you are using now.

>>> with open('json') as f: data = json.load(f)
...
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/json/__init__.py", line 290, in load
    **kw)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 369, in decode
    raise ValueError(errmsg("Extra data", s, end, len(s)))
ValueError: Extra data: line 1 column 4 - line 428027 column 1 (char 3 - 10590028)

--
bye,
pabs

https://wiki.debian.org/PaulWise