Re: Who's using Debian

2024-08-05 Thread Salvatore Bonaccorso

Hi Paulo,

On 05.08.2024 20:32, Paulo Henrique de Lima Santana wrote:

Hi,

On 05/08/2024 08:44, Salvatore Bonaccorso wrote:

Hi Paulo,

Thanks a lot! Was this pushed already to the git repository?
Asking since I did not see the page nor a commit in
https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/users?ref_type=heads


File is there now.
https://salsa.debian.org/webmaster-team/webwml/-/commit/8d488de525a2395d72e55ea8cea84ed9fad0d1bc


Thanks a lot!

Small remark: now I believe it is under the wrong section, it should be
under 'edu' as the ETH Zurich is an education institution (note it was
marked as such in my initial request).

Thanks a lot for your work within the debian-www team!

Regards,
Salvatore



Re: Who's using Debian

2024-08-05 Thread Salvatore Bonaccorso

Hi Paulo,

On 31.07.2024 14:23, Paulo Henrique de Lima Santana wrote:

Hi Salvatore,

Thank you for your message!

I added your page now, and it will be published soon here:

https://www.debian.org/users/org/ethz


Thanks a lot! Was this pushed already to the git repository?
Asking since I did not see the page nor a commit in
https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/users?ref_type=heads

Regards,
Salvatore



Who's using Debian

2024-03-21 Thread Salvatore Bonaccorso
Hi

We would like to add an entry for https://www.debian.org/users/ for
our organization, with the following information:

Organization: Swiss Federal Institute of Technology Zurich, Department of 
Information Technology and Electrical Engineering (D-ITET), ETH Zurich, 
Switzerland
Organization type: educational
Homepage: https://ee.ethz.ch/

We have about 135 servers and 310 clients running Debian.

We have chosen Debian because of stability, functionality, philosophy,
level of development, security support, flexibility and adaptability.

Regards,
Salvatore



Re: new redirects for www.d.o/security and www.d.o/lts/security

2024-01-05 Thread Salvatore Bonaccorso
Hi Thomas,

On Fri, Jan 05, 2024 at 12:06:58AM +0100, Thomas Lange wrote:
> Hi all,
> 
> we now redirect all DSA/DLA URLs under security and lts/security with
> or without having the year in the path and with or without a version
> to their announcement mail:
> Examples:
> /security/dsa-5576
> /security/2023/dsa-5576-2
> lts/security/2023/dla-3686-1
> lts/security/dla-3686
> 
> All URLs like dsa-5576-2 or dla-3686-1 are redirected to the specified
> versions of the DSA. A URL containing only a DSA/DLA number but no
> version currently redirects to version -1. In the future it may
> redirect to the most recent version.
> All redirects are not case sensitive.

Thanks a lot for your great work and invested time on this topic!

> @security-tracker admins:
> A page like https://security-tracker.debian.org/tracker/DSA-5576
> redirects to
> https://security-tracker.debian.org/tracker/DSA-5576-2
> On this page you have a link to the "Source Debian" which is a link to
> https://www.debian.org/security/2023/dsa-5576.
> Currently this is a wrong link to dsa-5576-1.
> 
> The easiest way would be to make the "Source Debian" links always
> redirect to the announcement number including the version, but without
> the year. So for
> https://security-tracker.debian.org/tracker/DSA-5576-2
> change this link to
> https://www.debian.org/security/DSA-5576-2
> similar for the DLAs and so on.

Thanks, will look into it and see that we can align as well those and
make the adjusted reference in the tracker.

Regards,
Salvatore
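
The redirect rules from the quoted message (optional year, optional version defaulting to -1, case-insensitive paths), together with the link consistency problem reported to the tracker admins, as an added Python example that is not the www.debian.org Apache configuration or the security-tracker code. The function names, the rule that DSAs sit only under /security and DLAs only under /lts/security, and the DLA link prefix are assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shapes listed in the message: optional "lts/" prefix, optional
# four-digit year, advisory kind, number, optional "-<version>" suffix.
ADVISORY_PATH = re.compile(
    r"/?(?P<lts>lts/)?security/(?:(?P<year>\d{4})/)?"
    r"(?P<kind>dsa|dla)-(?P<number>\d+)(?:-(?P<version>\d+))?",
    re.IGNORECASE,  # "All redirects are not case sensitive."
)
ADVISORY_ID = re.compile(r"(?P<kind>DSA|DLA)-\d+-\d+")


def resolve_advisory(path):
    """Return the advisory id (e.g. 'DSA-5576-2') a path redirects to, or None."""
    m = ADVISORY_PATH.fullmatch(path)
    if m is None:
        return None
    kind = m.group("kind").upper()
    # Assumption: DSA only under security/, DLA only under lts/security/.
    if (kind == "DLA") != bool(m.group("lts")):
        return None
    # A path without a version currently redirects to version -1.
    version = m.group("version") or "1"
    return f"{kind}-{int(m.group('number'))}-{int(version)}"


def source_link(advisory_id):
    """Build the versioned, year-less link suggested for the tracker."""
    m = ADVISORY_ID.fullmatch(advisory_id)
    if m is None:
        raise ValueError(f"not a versioned advisory id: {advisory_id!r}")
    # Assumption: DLA links mirror the DSA form under /lts/security/.
    prefix = "security" if m.group("kind") == "DSA" else "lts/security"
    return f"https://www.debian.org/{prefix}/{advisory_id}"


def link_matches(tracker_id, link):
    """True if following `link` lands on the same advisory version as tracker_id."""
    return resolve_advisory(urlsplit(link).path) == tracker_id


if __name__ == "__main__":
    # Paths taken from the examples in the message.
    for p in ("/security/dsa-5576", "/security/2023/dsa-5576-2",
              "lts/security/2023/dla-3686-1", "lts/security/dla-3686"):
        print(p, "->", resolve_advisory(p))
    # The mismatch reported for the tracker page DSA-5576-2.
    old = "https://www.debian.org/security/2023/dsa-5576"
    print(old, "matches DSA-5576-2:", link_matches("DSA-5576-2", old))
    new = source_link("DSA-5576-2")
    print(new, "matches DSA-5576-2:", link_matches("DSA-5576-2", new))
```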



Re: upcoming changes of the web pages /security and /lts/security

2023-12-26 Thread Salvatore Bonaccorso
Hi Thomas,

On Mon, Dec 25, 2023 at 09:14:51PM +0100, Thomas Lange wrote:
> Hi all,
> 
> as announced on Dec 7th, I have now removed the old index.wml files
> and renamed new.wml to index.wml in the webwml repository under
> security/ and lts/security/.
> 
> =
> IMPORTANT
> =
> Now the security team and the LTS team do not need to manually prepare
> a .wml and .data file for each advisory.
> Please stop creating those files for new advisories.
> =
> 
> For the translators:
> Please stop translating old advisories.
> We still have to adjust the translation headers because of the
> renaming from new.wml to index.wml.
> 
> A hint for the languages which did not have a translation for new.wml
> until now. Here are some more infos, how I created the new.wml files:
> 
>   english/security/new.wml is a copy of english/security/index.wml with some changes.
>   You will see the change history (including a rename from dsa.wml to new.wml) by
> $ git log -p --follow 3160b3931961~1.. index.wml
> 
>   For lts/security/new.wml use
> $ git log -p --follow a1010f1cb6fd~1.. index.wml
> 
> 
> 
> I still need to do some cleanup and check if everything works.
> The new index.wml files are not created yet but this will be done
> in the next hours.

Thanks for all your work on this front.

Regards,
Salvatore



Re: https://security-team.debian.org/ needs an update

2023-09-14 Thread Salvatore Bonaccorso
Hi,

On Tue, Sep 12, 2023 at 12:04:18PM -0400, Boyuan Yang wrote:
> Hi,
> 
> This website is managed by Debian Security Team. Forwarding your mail there.
> 
> Meanwhile, you are welcome to contribute to this website at
> https://salsa.debian.org/security-tracker-team/security-tracker/tree/master/doc/security-team.d.o
> .

This was updated earlier, thanks for reporting.

Regards,
Salvatore



Re: sources.list 4 bullseye-security

2021-07-04 Thread Salvatore Bonaccorso
Hi Paul,

On Sun, Jul 04, 2021 at 05:27:56AM +, Paul Wise wrote:
> On Sat, Jul 3, 2021 at 9:31 PM Salvatore Bonaccorso wrote:
> 
> > I have pushed
> > https://salsa.debian.org/webmaster-team/webwml/-/commit/4ca2253325130f7e96bf2644d31cf5a95fdf7bcc
> 
> Note that updating translations at the same time as the English page
> causes more work for the translation teams, who have to bump the
> translation check header. If you first commit the English change and
> then commit the translation changes, you can use ./smart_change.pl
> (see --help for instructions) to bump the translation check headers in
> the second commit.

Okay thanks for pointing that out, was surely not the intention to
cause more work.

> > Once bullseye will be released the example sources.list entry in
> > https://www.debian.org/security/#keeping-secure will need to be
> > adapted as well to match bullseye's sources.list entry for the
> > security archive.
> 
> I've made a commit that means this will be automatically updated at
> release time:
> 
> https://salsa.debian.org/webmaster-team/webwml/-/commit/06a365347b5545c26d162ef4887514d171f5dcd0

Thanks!

Regards,
Salvatore



Re: sources.list 4 bullseye-security

2021-07-03 Thread Salvatore Bonaccorso
Hi,

On Sun, Jun 27, 2021 at 04:52:26PM -0400, Boyuan Yang wrote:
> Hi,
> 
> (This email originally appears on
> https://lists.debian.org/debian-www/2021/05/msg00017.html )
> 
> On Saturday, 2021-05-15 at 12:47 +0200, Harald Dunkel wrote:
> > Hi folks,
> > 
> > Obviously
> > 
> > https://wiki.debian.org/NewInBullseye
> > and
> > https://www.debian.org/releases/bullseye/errata
> > 
> > disagree about the bullseye-security entry in sources.list. Not to
> > mention that the deb-src line is missing on both.
> 
> TL;DR: Both will work:
> 
> deb http://security.debian.org/debian-security bullseye-security main
> deb http://security.debian.org/ bullseye-security main
> 
> Besides, I believe end users are not supposed to know deb-src line for
> security repos. Adding such info provides zero benefit except for confusing
> users.
> 
> > I would highly appreciate a web page listing a full sources.list
> > file for bullseye,
> 
> I am forwarding your email to the security team in case they want a unified
> format on Debian webpages (www.debian.org and wiki.debian.org). Please contact
> the Debian WWW Team if a change is needed.

Please use the form which is used in the release-notes:

https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive

I have pushed
https://salsa.debian.org/webmaster-team/webwml/-/commit/4ca2253325130f7e96bf2644d31cf5a95fdf7bcc
.

Once bullseye will be released the example sources.list entry in
https://www.debian.org/security/#keeping-secure will need to be
adapted as well to match bullseye's sources.list entry for the
security archive.

Regards,
Salvatore



Bug#985427: Wrong DLA number for spice CVEs

2021-03-17 Thread Salvatore Bonaccorso
For the record, the security-tracker ships the authoritative
assignment, they are:

[31 Aug 2018] DLA-1488-1 mariadb-10.0 - security update
{CVE-2018-3058 CVE-2018-3063 CVE-2018-3064 CVE-2018-3066}
[jessie] - mariadb-10.0 10.0.36-0+deb8u1

[31 Aug 2018] DLA-1486-1 spice - security update
{CVE-2018-10873}
[jessie] - spice 0.12.5-1+deb8u6

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec38e10ec1289c204c18999585bcbf7967ad7413
and
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdaa7f41280c397e155037320704cde369172aae

So the webpage of DLA 1488 should just be correct to for the mariadb-10.0
announcement. (The spice DLA seems to have been sent out twice).

Regards,
Salvatore 



Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Salvatore Bonaccorso
Hi,

On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
> * We still need the Apache redirects, so the people that try the old
> URLs (whether directly because they knew, or via the security tracker),
> find the files they need. What we need to do is send a patch to
> 
> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
> 
> that sets the redirect from
> https://www.debian.org/security/any_year/dla-whatever to
> https://www.debian.org/security/lts/any_year/dla-whatever
> 
> * Adaptation in the security tracker so the new URL paths are used from
> now on is also needed.

I have the attached patch committed in a local branch, but want first
to confirm is this the final intended URL to reach the DLAs?

Regards,
Salvatore
>From ceda9e3d1fc38f505462bce8c0aa4cdd2b165d87 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso 
Date: Tue, 12 Feb 2019 08:10:16 +0100
Subject: [PATCH] Adapt URL to DLA advisories in a
 https://www.debian.org/security/lts/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As discussed in https://bugs.debian.org/859122 DLAs and DSAs will be
separated in different subpages. This needs adaption for the URL
referenced in the source fields of the security-tracker for DLAs.

Thanks: Laura Arjona Reina, Holger Levsen and Antoine Beaupré
---
 bin/tracker_service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index 971f4b4e38eb..a2ea755d8f39 100755
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -1574,7 +1574,7 @@ Debian bug number.'''),
 for (date,) in self.db.cursor().execute(
 "SELECT release_date FROM bugs WHERE name = ?", (dla,)):
 (y, m, d) = date.split('-')
-return url.absolute("https://www.debian.org/security/%d/dla-%d";
+return url.absolute("https://www.debian.org/security/lts/%d/dla-%d";
 % (int(y), int(number)))
 return None
 
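Review bot: the new prefix on the changed `return url.absolute(...)` line is hard-coded as `https://www.debian.org/security/lts/`, while the covering message still asks whether this is the final URL for DLAs. The tracker will emit these links as soon as this lands, so it should only be merged once the website actually serves DLA pages under that path or the redirect from the old `/security/<year>/dla-<nr>` form is in place; the commit message should state that dependency. The Subject line also reads "in a https://www.debian.org/security/lts/", which looks like it lost a word and is worth rewording before pushing.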
-- 
2.20.1



Re: about 500 DLAs missing from the website

2019-02-03 Thread Salvatore Bonaccorso
Hi Antoine,

[adding team@s.d.o to CC]

Thanks for working on this.

On Fri, Feb 01, 2019 at 01:44:10PM -0500, Antoine Beaupré wrote:
> On 2018-12-19 18:05:36, Antoine Beaupré wrote:
> > The DLAs are visible here:
> >
> > https://www-staging.debian.org/security/2018/dla-1580
> >
> > One thing that's unclear is how the entries get added to the main list
> > in:
> >
> > https://www-staging.debian.org/security/2018/
> >
> > That still needs to be cleared up.
> 
> That's actually in the webwml code, I opened a MR to add those:
> 
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/50

IMHO they should not be mixed into the same namespace as the DSAs.
https://www.debian.org/security/ is very specific to the
debian-security-announce list and contains items for e.g. contacting
the Debian security team or referencing the respective FAQ.

I think having a dedicated https://www.debian.org/lts/ where those can
be collected and having further information on LTS would be somehow
better.

This will need an adjustment to the tracker side as well so that
sources filed for Debian LTS DLA's will not link to
https://www.debian.org/security/$year/dla-$nr .

If a dedicated subpage is not needed and the only purpose is to link
to a webversion, and the DLA's do not show up in the overall view then
possibly the status quo is still okay.

What do you think?

Regards,
Salvatore



Bug#910467: www.debian.org: security/2018/dsa-4309.wml points twice to CVE-2018-16151

2018-10-06 Thread Salvatore Bonaccorso
Hi,

On Sat, Oct 06, 2018 at 08:11:48PM +0200, Rafa wrote:
> Package: www.debian.org
> Severity: minor
> 
> Dear Maintainers,
> 
> Page security/2018/dsa-4309.wml points twice to CVE-2018-16151. It probably
> should point to CVE-2018-16151 and to CVE-2018-16152, instead.

Yes that is right, I have committed the following change:

https://salsa.debian.org/webmaster-team/webwml/commit/a5b7ec0c0184954ce50a1cba985b7f783185f781

Regards,
Salvatore



Re: Stretch 9.2 announcement: dead link for ruby-rack-cors DSA

2017-10-11 Thread Salvatore Bonaccorso
Hi

On Wed, Oct 11, 2017 at 10:39:05PM +0200, Moritz Mühlenhoff wrote:
> On Wed, Oct 11, 2017 at 10:29:32PM +0200, Salvatore Bonaccorso wrote:
> > Hi Adam,
> > 
> > On Wed, Oct 11, 2017 at 09:15:08PM +0100, Adam D. Barratt wrote:
> > > On Wed, 2017-10-11 at 22:08 +0200, Holger Wansing wrote:
> > > > at https://www.debian.org/News/2017/20171007 the DSA link for
> > > > ruby-rack-cors is dead:
> > > > 
> > > > https://www.debian.org/security/2017/dsa-3931
> > > > 
> > > > There is no such DSA.
> > > > And also no such announcement on
> > > > https://lists.debian.org/debian-security-announce/
> > > > 
> > > 
> > > It's in DSA/list in the secure-testing repository:
> > > 
> > > [10 Aug 2017] DSA-3931-1 ruby-rack-cors - security update
> > > {CVE-2017-11173}
> > > [stretch] - ruby-rack-cors 0.4.0-1+deb9u1
> > > 
> > > which is where the stable tools got the information from to begin with.
> > > 
> > > The package is also in
> > > http://security.debian.org/debian-security/pool/updates/main/r/ruby-rack-cors/
> > > 
> > > So it looks like the announcement went missing somehow. team@security
> > > CCed for comment.
> > 
> > Indeed, it looks that the announcement at least never arrived in d-s-a.
> > 
> > I wonder if after two months now it makes still sense to send the
> > advisory or at least just import the text for the website.
> 
> That's the DSA text, no idea why it got lost. Surely doesn't make sense to
> re-send it two months later:

I imported the text into webwml repository, so at least the webpage
will show up. 

Regards,
Salvatore



Re: Stretch 9.2 announcement: dead link for ruby-rack-cors DSA

2017-10-11 Thread Salvatore Bonaccorso
Hi Adam,

On Wed, Oct 11, 2017 at 09:15:08PM +0100, Adam D. Barratt wrote:
> On Wed, 2017-10-11 at 22:08 +0200, Holger Wansing wrote:
> > at https://www.debian.org/News/2017/20171007 the DSA link for
> > ruby-rack-cors is dead:
> > 
> > https://www.debian.org/security/2017/dsa-3931
> > 
> > There is no such DSA.
> > And also no such announcement on
> > https://lists.debian.org/debian-security-announce/
> > 
> 
> It's in DSA/list in the secure-testing repository:
> 
> [10 Aug 2017] DSA-3931-1 ruby-rack-cors - security update
> {CVE-2017-11173}
> [stretch] - ruby-rack-cors 0.4.0-1+deb9u1
> 
> which is where the stable tools got the information from to begin with.
> 
> The package is also in
> http://security.debian.org/debian-security/pool/updates/main/r/ruby-rack-cors/
> 
> So it looks like the announcement went missing somehow. team@security
> CCed for comment.

Indeed, it looks that the announcement at least never arrived in d-s-a.

I wonder if after two months now it makes still sense to send the
advisory or at least just import the text for the website.

As nobody so far complained, I guess that's an indication that it's
not widely used on stable (yet).

Regards,
Salvatore



https://www.debian.org/distrib/archive: Link to Debian Archives should be plain HTTP transport protocol

2017-07-21 Thread Salvatore Bonaccorso
Hi

[In case needed, please CC me on replies, not subscribed to the list]

The link to the Debian Archives on
https://www.debian.org/distrib/archive should not be available via
https. 

Details can be found at
https://lists.debian.org/debian-user/2017/03/msg00306.html .
archive.debian.org is not available via https.

Regards,
Salvatore



Re: typo: DSA-3688-1 nss update

2016-10-08 Thread Salvatore Bonaccorso
Hi

It's actually not a typo, but we might have better used a wording like
2:3.23-1 or earlier versions. In fact it is that the jessie-security
upload fixes the mentioned issues in the 2:3.26-1+debu8u1. But for
unstable fixes were included in versions 2:3.19.1-1, 2:3.20.1-1,
2:3.21-1 or 2:3.23-1.

Regards,
Salvatore




Re: Bug#737755: security.debian.org: Inconsistent version of DSA 2855-1 / libav

2014-02-05 Thread Salvatore Bonaccorso
Hi Moritz, hi Helge,

On Wed, Feb 05, 2014 at 07:52:32PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Feb 05, 2014 at 07:43:20PM +0100, Helge Kreutzmann wrote:
> > Hello Moritz,
> > thanks for your ultra fast reply.
> > 
> > On Wed, Feb 05, 2014 at 07:32:37PM +0100, Moritz Mühlenhoff wrote:
> > > On Wed, Feb 05, 2014 at 07:24:47PM +0100, Helge Kreutzmann wrote:
> > > > Package: security.debian.org
> > > > Severity: normal
> > > > Tags: security
> > > > 
> > > > According to [1], [2] and [3] the latest version of libav in
> > > > security.debian.org should be 6:0.8.9-1. However, on amd64 the version
> > > > shown with apt-listchanges is 6:0.8.10-1 (from Feb 4th, if that
> > > > matters).
> > > 
> > > That was a copy&paste error, I've just fixed the Debian Security Tracker.
> > 
> > Thanks. I just wondered because I believed that debian/changelog
> > determines the package version.
> > 
> > > Can you please update the website?
> > 
> > I'm not sure who you're talking to. In the past I did translations
> > on www.debian.org. In principle (looking at access rights) I could
> > also work in the english directory (aeons ago I did this when I worked
> > on the alpha pages). However, I'm unable to change p.d.o. nor
> > security.debian.org.
> 
> Ok, I thought you're part of debian-www, adding them to CC.

Btw, the advisory was not yet in the cvs repository, so have added it
with the correct version.

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-www-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140205210158.GA28216@eldamar.local



Bug#509139: link for package browser on http://www.debian.org/devel/todo/

2008-12-18 Thread Salvatore Bonaccorso
Package: www.debian.org
Severity: minor

Hi

On http://www.debian.org/devel/todo/ in the section regarding the "The
Debian package browser", two links are not working (at least at the
point of writing this report). First the links "still have to be
tagged" (http://debian.vitavonni.de/packagebrowser/?tags=not-yet-tagged)
and "The tag browser homepage" (http://debian.vitavonni.de/packagebrowser/)

Kind regards
Salvatore

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash






Layout Problem in dsa-753 webpage?

2005-07-13 Thread Salvatore Bonaccorso
Hello

There is a "Layout" Problem on the Webpage
http://www.debian.org/security/2005/dsa-753

Just after "Fixed in:", the links to the deb-packages,
original-tar.gz's and so on aren't
formatted "properly".

I hope it was appropriate to report such a
"small" problem.

Excuse please my very bad english.

Greetings
Salvatore Bonaccorso
