Hi Salvatore

Thank you. I guess we should then have a warning printed, since an empty version is something unusual.

Cheers

// Ola

On Sun, 20 Oct 2024 at 20:44, Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi,
>
> On Sat, Oct 19, 2024 at 11:06:02PM +0200, Ola Lundqvist wrote:
> > Hi all
> >
> > Summary:
> > Should gen-DSA/DLA/ELA allow the version to be empty/undefined?
> >
> > Details:
> > I'm working on improving the gen-DSA/DLA/ELA tool. It is the same tool, it
> > just has slightly different functionality depending on the name. It is the
> > same source code.
> > The improvement is to check that the CVEs mentioned in the DSA/DLA/ELA are
> > related to the same software. This is to avoid accidental updates of the
> > wrong CVE due to a simple misspelling of the CVE.
> >
> > What I would like to know is if there is ever a use-case to generate a
> > DSA/DLA/ELA when the version of the software is unspecified.
> >
> > When you issue gen-DSA/DLA/ELA with a .changes file, then the version is
> > fetched from there. In that case there will always be a version set.
> >
> > However, if you do not provide a .changes file, then you are prompted for a
> > version, but that only happens if you have the --save option. If you do not
> > provide the --save option, or if you leave the version question field
> > blank, the version will not be used.
> >
> > My question to you all is whether we should allow this or if we should
> > print a warning/error message in this case.
> >
> > Or do you think there is a use-case when the version field should be
> > possible to leave blank?
> > If so, when?
> >
> > I'm asking since this has an impact on how the implemented code should be.
> >
> > For more info about the work see here:
> > https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/190#note_522690
>
> Well, in the normal case you always want to provide a version, since
> the sense of the file is to track the releases with a DSA.
>
> We had exactly one exception since the file exists, with a DSA release
> tracked there which was released as a DSA, associated with a CVE and
> respective package, but was not an update in a security supported suite,
> and this was the xz-utils issue, where we released a DSA, this was
> DSA-5649-1.
>
> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> Regards,
> Salvatore

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------