Package: dput
Version: 1.1.3
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

In chromium, I have the following code snippet to verify that when someone is doing an upload to stable-security, the changelog entry actually includes CVEs:

https://salsa.debian.org/chromium-team/chromium/-/commit/e518b008008fd7d6a42319aed718bdb595ff5092

Unfortunately, this is the wrong place to be doing the check, as there are times when an upload is messed up and I need to release a second version that lacks CVEs. Ultimately, my opinion is that this kind of thing should be in dput - automated checks should be looking not just at the latest changelog entry, but at all the changelog entries included in the .changes file (as generated when using the -v<version> argument). This also seems like the kind of thing that would be a helpful reminder for other security uploads as well*. This would be for security-master uploads only, rather than anything going into stable point releases.

Dput already has /usr/share/dput/helper/security-warning to verify that the uploader really does want to upload to security-master. I'm happy to provide a patch/MR to add an additional check for CVEs listed in the .changes file, and prompt the user ("No CVEs listed in the changelog despite this being a security upload; they should really be there. Do you want to continue despite lack of CVEs? [y/N]") if there are no CVEs. It would require modifying dput's execute_command() to pass additional arguments to helper scripts.

Please let me know if you're amenable to this, and I'll prepare it.


* security-team, please tell me if I'm wrong and it would be overly annoying.
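The check proposed above, sketched as an added example (not dput's own code and not the patch offered in this report): it folds the deb822-style .changes text into fields, treats any Distribution ending in "-security" as a security upload (an assumption about suite naming), and scans every changelog entry carried in the Changes: field for CVE ids in the standard CVE-YYYY-NNNN form, so a -v<version> upload whose newest entry lacks CVEs still passes if an earlier included entry has them.

```python
import re
from typing import Dict, List

# Constructed sample .changes content (not from a real upload). The Changes:
# field carries two changelog entries, as dpkg-genchanges -v<version> emits.
SAMPLE_CHANGES = """Format: 1.8
Source: example-pkg
Version: 2.0-2
Distribution: bookworm-security
Urgency: high
Changes:
 example-pkg (2.0-2) bookworm-security; urgency=high
 .
   * Rebuild after a broken upload; no new CVEs in this entry.
 example-pkg (2.0-1) bookworm-security; urgency=high
 .
   * Fix CVE-2024-0001 and CVE-2024-12345 (constructed ids).
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 1 example.dsc
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changes_fields(text: str) -> Dict[str, str]:
    """Fold the deb822-style .changes text into a field -> value mapping.
    Continuation lines (leading space) are appended to the previous field.
    OpenPGP clearsign armour is skipped and parsing stops at the signature,
    so 'Version:' inside the armour cannot shadow the real field."""
    fields: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break
        if line.startswith("-----"):
            continue
        if line.startswith(" ") and current is not None:
            fields[current] += "\n" + line[1:]
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields


def check_security_cves(text: str) -> Dict[str, object]:
    """Report whether this is a security upload, the CVE ids found across
    every changelog entry in Changes:, and whether dput should prompt."""
    fields = parse_changes_fields(text)
    dists = fields.get("Distribution", "").split()
    security = any(d.endswith("-security") for d in dists)  # assumed suite naming
    cves: List[str] = sorted(set(CVE_RE.findall(fields.get("Changes", ""))))
    return {"security_upload": security, "cves": cves, "prompt": security and not cves}
```

When `prompt` is true, a helper would print the "No CVEs listed in the changelog despite this being a security upload" question and read the y/N answer; that interactive part is left out here.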
