On Wed, Jan 24, 2018 at 5:59 PM, Nis Martensen <nis.marten...@web.de> wrote:
> On 24-01-2018 19:37, Markus Koschany wrote:
>> Thanks. How do you catch the case when security updates are part of a
>> stable point release?
>
> This requires more effort. Does the package tracker offer a way to
> query such information? The only other idea I have right now involves
> inspecting the latest entry in changelog.Debian.gz. ("Was the package
> uploaded by the maintainer or one of the normal uploaders?") Do you
> have other ideas on how a user might know whether a package update
> delivered in a stable point release was a security update?
>
> Would it be feasible to make all security updates available via the
> security update channel? Then the simple suggested method would be
> sufficient. But it is probably infeasible, otherwise it would be done?
>
> If there is no good way, maybe asking your question only for the
> packages identified by the proposed method would be acceptable as a
> first step, until a reliable approach is developed?
>
>
> But perhaps Sandro may even be willing to accept a patch based on your
> original version string pattern matching, if his other concerns are
> addressed. Sandro, what do you think?

i like the idea of trying hard to avoid asking questions to the users,
so maybe we can do something like

* check if that version is coming from the debian-security repo
** if so, copy the relevant security team
** if not, ask the user

in neither case is it acceptable to sys.exit() if you can't connect to the
internet: either you decide a default address for this case, or print
a warning message that you can't fetch the needed information and the
sec team won't be copied in the repo.

thanks both for working together on reaching consensus

--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
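
The decision flow proposed in the reply above, as an added example that is not code from this thread or from the tool under discussion. It assumes the origin is read from `apt-cache policy` output and that the security archive is recognised by the host `security.debian.org`; the function names, the `fetch_policy` callable and the sample output are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample of `apt-cache policy <package>` output (not from the thread).
SAMPLE_POLICY = """\
examplepkg:
  Installed: 1.2-3+deb9u1
  Candidate: 1.2-3+deb9u1
  Version table:
 *** 1.2-3+deb9u1 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2-3 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
"""

# Assumption: the security archive is recognised by its host name.
SECURITY_HOSTS = {"security.debian.org"}


def sources_for_installed(policy_text):
    """Return the archive URLs/paths listed under the installed (***) version."""
    sources, in_installed = [], False
    for line in policy_text.splitlines():
        if line.startswith(" *** "):
            in_installed = True            # version entry that is installed
        elif line.startswith("     ") and not line.startswith("      "):
            in_installed = False           # some other version entry
        elif in_installed and line.startswith("        "):
            fields = line.split()          # e.g. ['500', 'http://...', 'stretch/...']
            if len(fields) >= 2:
                sources.append(fields[1])
    return sources


def security_cc_decision(fetch_policy, package):
    """Return (action, detail): 'cc-security', 'ask-user' or 'warn-no-cc'."""
    try:
        text = fetch_policy(package)
    except OSError as exc:
        # Lookup failed (e.g. offline): warn and carry on, never sys.exit().
        return "warn-no-cc", f"cannot determine origin of {package}: {exc}"
    sources = sources_for_installed(text)
    if any(urlsplit(src).hostname in SECURITY_HOSTS for src in sources):
        return "cc-security", sources
    return "ask-user", sources
```

A package whose security fix arrived through a stable point release shows only the main archive as its source, so it falls into the `ask-user` branch, which is the case Markus raised.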