Hi,

On Sat, Oct 19, 2024 at 11:06:02PM +0200, Ola Lundqvist wrote:
> Hi all
>
> Summary:
> Should gen-DSA/DLA/ELA allow the version to be empty/undefined?
>
> Details:
> I'm working on improving the gen-DSA/DLA/ELA tool. It is the same tool, it
> just has slightly different functionality depending on the name. It is the
> same source code.
> The improvement is to check that the CVEs mentioned in the DSA/DLA/ELA are
> related to the same software. This is to avoid accidental updates of the wrong
> CVE due to a simple misspelling of the CVE.
>
> What I would like to know is whether there is ever a use-case to generate a
> DSA/DLA/ELA when the version of the software is unspecified.
>
> When you issue gen-DSA/DLA/ELA with a .changes file then the version is
> fetched from there. In that case there will always be a version set.
>
> However, if you do not provide a .changes file then you are prompted for a
> version, but that only happens if you have the --save option. If you do not
> provide the --save option or if you leave the version question field blank,
> the version will not be used.
>
> My question to you all is whether we should allow this or whether we should
> print a warning/error message in this case.
>
> Or do you think there is a use-case when the version field should be
> possible to leave blank?
> If so, when?
>
> I'm asking since this has an impact on how the implemented code should be.
>
> For more info about the work see here:
> https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/190#note_522690
Well, in the normal case you always want to provide a version, since the sense of the file is to track the releases with a DSA. We had exactly one exception since the file exists with a DSA released tracked there, which was released as DSA, associated with a CVE and respective package, but not an update in a security supported suite, and this was the xz-utils issue, where we released a DSA, this was DSA-5649-1.

https://lists.debian.org/debian-security-announce/2024/msg00057.html

Regards,
Salvatore
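The two checks discussed in this thread, a version that must be present unless explicitly waived (the DSA-5649-1 case above) and CVE ids that must belong to the package being updated, as an added illustration that is not the security-tracker's gen-DSA/DLA/ELA code. The `.changes` fragment, the CVE-to-package table and the `allow_no_version` override are constructed stand-ins for the tool's real inputs and options:

```python
"""Hypothetical version/CVE consistency check for an advisory generator.

Added example, not the security-tracker's gen-DSA/DLA/ELA implementation.
The .changes text, the CVE -> package mapping and the allow_no_version
override are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Shape of a well-formed CVE identifier; anything else is most likely a typo.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed stand-in for the tracker's knowledge of which source package
# each CVE affects (the real tool would consult the tracker data instead).
CVE_PACKAGES = {
    "CVE-2024-0001": {"examplepkg"},
    "CVE-2024-0002": {"examplepkg"},
    "CVE-2024-0003": {"otherpkg"},
}

# Constructed .changes fragment: a deb822 paragraph with the fields we need.
SAMPLE_CHANGES = """\
Format: 1.8
Date: Mon, 01 Apr 2024 00:00:00 +0000
Source: examplepkg
Binary: examplepkg
Architecture: source
Version: 1.2.3-1+deb12u1
Distribution: bookworm-security
Changes:
 examplepkg (1.2.3-1+deb12u1) bookworm-security; urgency=high
 .
   * Fix CVE-2024-0001 and CVE-2024-0002.
"""


def parse_changes(text: str) -> dict[str, str]:
    """Read the top-level fields of a .changes paragraph into a dict.

    Continuation lines (leading whitespace) are folded into the previous
    field; the first blank line ends the paragraph. That is enough to
    recover Source and Version, which is all the version check needs.
    """
    fields: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and current:
            fields[current] += "\n" + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            current = name.strip()
            fields[current] = value.strip()
    return fields


@dataclass
class Problems:
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def check_advisory(package: str, version: Optional[str], cves: list[str],
                   allow_no_version: bool = False) -> Problems:
    """Require a version unless explicitly waived, and verify each CVE.

    allow_no_version is a hypothetical explicit override for the rare
    advisory that tracks no update in a supported suite; leaving the
    version blank without it is treated as an error, not silently accepted.
    """
    p = Problems()
    if not version:
        if allow_no_version:
            p.warnings.append("no version recorded: advisory tracks no update")
        else:
            p.errors.append("version is empty; supply one or set allow_no_version")
    for cve in cves:
        if not CVE_RE.match(cve):
            p.errors.append(f"{cve}: malformed CVE id")
            continue
        pkgs = CVE_PACKAGES.get(cve)
        if pkgs is None:
            p.errors.append(f"{cve}: unknown CVE (misspelled?)")
        elif package not in pkgs:
            p.errors.append(f"{cve}: affects {sorted(pkgs)}, not {package}")
    return p


def check_from_changes(text: str, cves: list[str]) -> Problems:
    """The .changes path: package and version always come from the file."""
    f = parse_changes(text)
    return check_advisory(f.get("Source", ""), f.get("Version"), cves)


if __name__ == "__main__":
    print(check_from_changes(SAMPLE_CHANGES, ["CVE-2024-0001", "CVE-2024-0002"]))
    print(check_advisory("examplepkg", None, ["CVE-2024-0003"]))
```

Making the no-version case an explicit, named override rather than a blank prompt answer keeps the common mistake (forgetting the version) an error while still leaving room for the one known exception.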