Point Release Security, Reloaded

Published by Jon on July 8th, 2012 in Debian

When I first undertook the tracking of minor security fixes in point releases, I quickly out-scaled flat text files and a good memory. A Python library and SQLite database helped automate sending notifications and keeping tabs, but the manual work associated with tracking incoming bugs from the security team, applications to and responses from the release team, and the action or inaction of maintainers was still too time-consuming to be useful.

This weekend I deployed pyprsc2, with a public view at http://prsc.debian.net/tracker/<bug>. I had planned to do this at DebConf12, but given the circumstances… still, it needed doing anyway and what better time?

Result: my work now involves adding tracks where required; keeping an eye on the notified list for manual prods; and after a point release, archiving the included bugs and updating the suite version numbers. Bliss.

Features:

Todo:

Technical:

prsc.debian.net leverages large parts of the Django MVC framework – in fact, this was really a learning exercise in disguise since I want to use Django on some more complex projects later. BTS synchronisation is handled by python-debianbts, and synchronisation with proposed-updates is through XML and lxml/objectify (thanks to the release team’s awesome XML queue viewer and Adam adding bug numbers to it). Since this was a learning exercise, some of the Python is probably questionable at best and downright wrong at worst, so it probably needs some work still.

