On 2017-03-29 17:02:44, Salvatore Bonaccorso wrote:
> Hi Antoine,

Hi!

> If you want to look at this part: There is a ./parse-dla.pl script in
> the webwml CVS, which is used to import the DLAs (this is an
> analogous script to parse-advisory.pl which is used to import the
> DSAs).

I see... The scripts are in /english/security for anyone looking. And if people are (like me) thinking "... wat.. CVS?" then yes, we are still using this:

https://www.debian.org/devel/website/using_cvs

My cvs commandline finger memory is *definitely* still there though, so that works for me. :)

> The "manual" steps one would perform are roughly:
>
> ./parse-dla.pl $message
> cvs add $year/dla-$nr.{wml,data}
> cvs commit -m '[DLA $nr] $source security update'

Is this something the security team performs as part of the DSA release process? Or is this something the debian-www people do? I guess you need write access to the repository and I see that *you* do, but is this expected from everyone working on releasing public advisories, the same way we need access to the security tracker?

And to import older entries, we'll need the original templates, which we deliberately did *not* commit anywhere, so they are basically available only as mailing list archives, and thus hard to find automatically. I foresee difficulties in importing the missing data...

Here are the bits that are missing:

 * the last DLA on the website is DLA-445-2, which is basically the last DLA before squeeze support ended and wheezy was handed over

 * among those 445 DLAs, there are actually 31 missing:

        webwml$ cd english/security/; find -name 'dla-*.wml' | wc -l
        424

 * even worse, it seems there are at least 20 advisories missing from the website because regression uploads hide advisories, because our naming convention differs from DSA ("DLA-XXX-N", where XXX is the original advisory and N are regression updates)

        $ grep DLA- data/DLA/list | sed 's/.* DLA-//;s/ .*//' | sort -n | sed '/445-2/,$d' | wc -l
        465

 * the canonical list has 928 advisories:

        secure-testing$ grep DLA- data/DLA/list | wc -l
        928

So, lots of work there.

> The background work leading to that was done by Frank Lichtenheld in
> #762255.

Great to see that! It does seem problematic to import regression updates however.

> having something on the debian-www side which does this
> automatically, once a DSA or DLA arrives would help surely the
> debian-www team who then "only" have to do the translations and fix
> obvious mistakes. OTOH keep in mind: When the debian-www team imports
> a DSA or DLA they may need to do some adjustments so, I'm not sure if
> it's liked to have the automatism, since sometimes before cvs commit
> some changes need to be done on the .wml file.

It looks like this is something that should be discussed with the www people... Maybe a bug against www.debian.org?

This begs the question, however - wouldn't it be simpler to import those advisories in the security tracker directly?

At least, we should figure out why the imports have ceased after wheezy-LTS started...

> Writing the above a bit in a hurry let me know if unclear what I
> meant.

Thanks for the response!

A.

-- 
What this country needs is more unemployed politicians.
                        - Angela Davis