On Thu, May 01, 2025 at 10:13:24PM +0200, Salvatore Bonaccorso wrote:
> Hi Andres,
>
> [very personal opinion]
>
> On Thu, May 01, 2025 at 01:22:00PM -0400, Andres Salomon wrote:
> > Package: dput
> > Version: 1.1.3
> > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> >
> > In chromium, I have the following code snippet to verify that when someone
> > is doing an upload to stable-security, the changelog entry actually includes
> > CVEs:
> >
> > https://salsa.debian.org/chromium-team/chromium/-/commit/e518b008008fd7d6a42319aed718bdb595ff5092
> >
> > Unfortunately, this is the wrong place to be doing the check, as there are
> > times when an upload is messed up and I need to release a second version
> > that lacks CVEs. Ultimately, my opinion is that this kind of thing should be
> > in dput - automated checks should be looking not just at the latest
> > changelog entry, but at all the changelog entries included in the .changes
> > file (as generated when using the -v<version> argument). This also seems
> > like the kind of thing that would be a helpful reminder for other security
> > uploads as well*. This would be for security-master uploads only, rather
> > than anything going into stable point releases.
> >
> > Dput already has /usr/share/dput/helper/security-warning to verify that the
> > uploader really does want to upload to security-master. I'm happy to provide
> > a patch/MR to add an additional check for CVEs listed in the .changes file,
> > and prompt the user ("No CVEs listed in the changelog despite this being a
> > security upload; they should really be there. Do you want to continue
> > despite lack of CVEs? [y/N]") if there are no CVEs. It would require
> > modifying dput's execute_command() to pass additional arguments to helper
> > scripts.
> >
> > Please let me know if you're amenable to this, and I'll prepare it.
> >
> >
> > * security-team, please tell me if I'm wrong and it would be overly
> > annoying.
>
> With the above disclaimer/note: I would rather prefer to not have to ack
> another warning for a security-master upload. I think we have to work
> diligently enough already, in particular for instance when handling
> embargoed uploads. You are definitively right that the "normal case"
> will include CVE id references, but not necessarily.
>
> In the end, if the majority would like to have such a warning, though,
> then so be it. The target distribution needs to match as well anyway
> for having it accepted into the queues for security-master (and there
> is already a check beforehand).
I think it would be fine: the vast majority of uploads to security-master
will have a CVE already known and already include one, and for the handful
of corner cases where that's not the case it's just a matter of confirming
with 'y'. I think this would be useful particularly for the uploads prepared
by maintainers (since they do uploads less often than security team members).

Cheers,
Moritz
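As an added illustration of the check Andres describes (example code written for this page, not dput's code, not the chromium snippet linked above and not Andres's proposed patch): the sketch below parses a .changes file, treats the upload as a security upload when the Distribution field names a suite ending in "-security" (an assumption, not stated in the thread), and then scans every changelog entry carried in the Changes field, not only the newest one, so a re-upload whose top entry lacks CVE references still passes when an earlier entry included via -v<version> names one. The prompt wording is the one quoted in the bug report. The sample .changes is constructed, and the CVE id in it is a placeholder, not a real assignment.

```python
"""Sketch of the proposed dput pre-upload CVE check (example, not dput's code).

Assumptions not taken from the thread: security suites are named
"<codename>-security"; CVE ids follow MITRE syntax CVE-YYYY-NNNN with four or
more sequence digits; SAMPLE_CHANGES below is constructed and its CVE id is a
placeholder.
"""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Changelog entry header as it appears inside Changes: "source (version) suite; urgency=..."
ENTRY_RE = re.compile(r"^\S+ \([^)]+\) \S+.*; urgency=")


def parse_changes(text):
    """Minimal parser for the single control paragraph of a .changes file.

    Returns {field: value}. Continuation lines start with whitespace; inside a
    multi-line field a line holding only "." stands for an empty line. A
    clearsigned file is unwrapped by skipping the armor header up to its blank
    line; parsing stops at the first blank line or at the PGP signature block.
    """
    lines = text.splitlines()
    if lines and lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        lines = lines[lines.index("") + 1:]
    fields, key = {}, None
    for line in lines:
        if not line.strip() or line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line[0] in " \t":
            if key is None:
                raise ValueError("continuation line before any field")
            cont = line[1:]
            fields[key].append("" if cont.strip() == "." else cont)
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = [value.strip()]
    return {k: "\n".join(v).strip("\n") for k, v in fields.items()}


def split_changelog_entries(changes):
    """Split the Changes field into one string per debian/changelog entry."""
    entries = []
    for line in changes.splitlines():
        if ENTRY_RE.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    return ["\n".join(e) for e in entries]


def cves_per_entry(changes):
    """Sorted, de-duplicated CVE ids found in each included changelog entry."""
    return [sorted(set(CVE_RE.findall(e))) for e in split_changelog_entries(changes)]


def is_security_upload(fields):
    # Assumption: a security suite is named "<codename>-security".
    return any(d.endswith("-security") for d in fields.get("Distribution", "").split())


def check_security_upload(text):
    """Return (targets_security_suite, sorted CVE ids across all included entries)."""
    fields = parse_changes(text)
    if not is_security_upload(fields):
        return False, []
    found = {c for entry in cves_per_entry(fields.get("Changes", "")) for c in entry}
    return True, sorted(found)


def confirm_upload(text, ask=input):
    """Helper-style gate: prompt only when a security upload names no CVE at all.
    Returns True when the upload may proceed."""
    security, cves = check_security_upload(text)
    if security and not cves:
        answer = ask("No CVEs listed in the changelog despite this being a security "
                     "upload; they should really be there. Do you want to continue "
                     "despite lack of CVEs? [y/N] ")
        return answer.strip().lower() == "y"
    return True


# Constructed .changes as produced with -v<previous version>: the newest entry is
# a plain re-upload, the previous (included) entry names the placeholder CVE.
SAMPLE_CHANGES = """\
Format: 1.8
Date: Thu, 01 May 2025 12:00:00 -0400
Source: examplepkg
Binary: examplepkg
Architecture: source
Version: 1.2.3-1+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Example Maintainer <maintainer@example.org>
Changed-By: Example Maintainer <maintainer@example.org>
Description:
 examplepkg - constructed package for this example
Changes:
 examplepkg (1.2.3-1+deb12u2) bookworm-security; urgency=high
 .
   * Rebuild: previous upload was missing a build dependency.
 .
 examplepkg (1.2.3-1+deb12u1) bookworm-security; urgency=high
 .
   * Fix heap overflow in the parser (CVE-2024-12345).
Files:
 00000000000000000000000000000000 1234 misc optional examplepkg_1.2.3-1+deb12u2.dsc
"""

if __name__ == "__main__":
    print(cves_per_entry(parse_changes(SAMPLE_CHANGES)["Changes"]))  # [[], ['CVE-2024-12345']]
```

Because the scan covers all included entries, the first case Andres raises (a corrected re-upload whose newest entry has no CVE) does not trigger the prompt as long as the earlier entry was included with -v; it only fires when the whole .changes names no CVE, which is the case Salvatore and Moritz expect to be answered with 'y'.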