Secure testing team - May 2012 - update sid/testing fixed version in data/CVE/list based on DSA?

Hi,

as far as I understand it, when generating a DSA, the fixed version for
Squeeze is added to data/DSA/list and that is used by Joey scripts to
put the fixed version in data/CVE/list later (so one doesn''t have to
manually put it). Couldn''t that be done for Sid/Testing versions when
possible, since we already put those in the DSA file?

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120530/8ebcbd45/attachment.pgp>

On Wed, May 30, 2012 at 07:55:50AM +0200, Yves-Alexis Perez
wrote:
> Hi,
> 
> as far as I understand it, when generating a DSA, the fixed version for
> Squeeze is added to data/DSA/list and that is used by Joey scripts to
> put the fixed version in data/CVE/list later (so one doesn''t have
to
> manually put it). Couldn''t that be done for Sid/Testing versions
when
> possible, since we already put those in the DSA file?
> 
> Regards,
> -- 
> Yves-Alexis
Are these scripts in SVN somewhere? I would like to read the code. I am also
wondering if it is possible to change date from DSA-list to 2012-05-30 format?

- Henri Salo

On mer., 2012-05-30 at 10:18 +0300, Henri Salo wrote:
> On Wed, May 30, 2012 at 07:55:50AM +0200, Yves-Alexis Perez wrote:
> > Hi,
> > 
> > as far as I understand it, when generating a DSA, the fixed version
for
> > Squeeze is added to data/DSA/list and that is used by Joey scripts to
> > put the fixed version in data/CVE/list later (so one doesn''t
have to
> > manually put it). Couldn''t that be done for Sid/Testing
versions when
> > possible, since we already put those in the DSA file?
A little correction, the fixed version is not added magically to
data/CVE/list indeed, it''s just used by the tracker to show the
(supposed) fixed version, I mean the second part of the web page. But
still, it''d be nice to have the sid/testing fixed version there too.
I''ll look at providing a patch.
> > 
> > Regards,
> > -- 
> > Yves-Alexis
> 
> Are these scripts in SVN somewhere? 
Yes, look in bin/ and lib (not sure exactly where though)


-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120530/db843269/attachment.pgp>

On mer., 2012-05-30 at 13:11 +0200, Yves-Alexis Perez
wrote:
> A little correction, the fixed version is not added magically to
> data/CVE/list indeed, it''s just used by the tracker to show the
> (supposed) fixed version, I mean the second part of the web page. But
> still, it''d be nice to have the sid/testing fixed version there
too.
> I''ll look at providing a patch. 
In fact, as confusing as it may be, it doesn''t really make sense.

There are two data sources for fixed version:

* DSA/list for stable uploads
* CVE/list for sid uploads
(and, I guess, DTSA/list for testing uploads, though it''s a bit
deprecated nowadays, but that might happen more often during a freeze?)

The thing is, we already put the sid/testing fixed version in the DSA
text, so we could as well put it in data/DSA/list and have it propagated
to CVE/list and the tracker by the scripts (which might actually be
already supported).

What do you think?

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120530/62ea9b82/attachment.pgp>