Debian Bug report logs - #436161
debtags: New tags for security support

Package: debtags; Maintainer for debtags is Enrico Zini <enrico@debian.org>; Source for debtags is src:debtags.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 5 Aug 2007 22:03:01 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, Enrico Zini <enrico@debian.org>:
Bug#436161; Package debtags. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Enrico Zini <enrico@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: debtags: New tags for security support
Date: Sun, 05 Aug 2007 23:59:31 +0200
Package: debtags
Severity: normal

Please add support for the following tags, as discussed during
DebConf in Edinburgh:

* [etch|lenny]-security-unsupported to flag that a source package has no
  support by the Security Team. It should be distribution-specific to
  allow revoking support for individual suites, as it was necessary for
  Mozilla in Sarge.
* security-local-use-only (or something similar, I'm unsure about the exact
  naming), to indicate that security support only applies to local, trusted users.
  An example: SQL-Ledger has a horrible security track record, so we only
  support to run it behind an authenticated HTTP zone. It's still a useful
  software and limiting support is a viable choice; doing accounting carries
  a whole lot of implicit trust anyway.

Once implemented in debtags we need support in apt, etc.

If you have any questions, please come back to me. I'm also available
on #debian-security

Cheers,
        Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Message #10 received at 436161@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 436161@bugs.debian.org
Subject: Re: debtags: New tags for security support
Date: Sat, 18 Aug 2007 18:16:33 +0200
On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:

> Please add support for the following tags, as discussed during
> DebConf in Edinburgh:
> 
> * [etch|lenny]-security-unsupported to flag that a source package has no
>   support by the Security Team. It should be distribution-specific to
>   allow revoking support for individual suites, as it was necessary for
>   Mozilla in Sarge.
> * security-local-use-only (or something similar, I'm unsure about the exact
>   naming), to indicate that security support only applies to local, trusted users.

> Once implemented in debtags we need support in apt, etc.

I think these things might be a good idea. Though I would expect a more
general discussion on the mailing list(s) about why these tags are
needed, when and how they would be used. I for one would rather not have
a package in a release than have a package that is not supported by the
security team. So maybe we should also discuss alternatives like 
backports + security and procedures on how to find and communicate about
packages that have lots of security issues or are very hard to fix by
backported security updates?

Cheers

Luk




Message #15 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 436161@bugs.debian.org
Cc: debtags-devel@lists.alioth.debian.org
Subject: Re: Bug#436161: debtags: New tags for security support
Date: Tue, 21 Aug 2007 10:42:58 +0100
On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:

> Please add support for the following tags, as discussed during
> DebConf in Edinburgh:
> 
> * [etch|lenny]-security-unsupported to flag that a source package has no
>   support by the Security Team. It should be distribution-specific to
>   allow revoking support for individual suites, as it was necessary for
>   Mozilla in Sarge.
> * security-local-use-only (or something similar, I'm unsure about the exact
>   naming), to indicate that security support only applies to local, trusted users.
>   An example: SQL-Ledger has a horrible security track record, so we only
>   support to run it behind an authenticated HTTP zone. It's still a useful
>   software and limiting support is a viable choice; doing accounting carries
>   a whole lot of implicit trust anyway.

Hi Moritz, thanks for opening this bug.  I'm totally in favour of this.

This seems to be the right place to also paste the other notes that I
took during the BOF at DebConf:

 - low-popularity packages can delegate security to the maintainers
 - support-level tags
    - Auto-generated tags
       - orphaned
       - MIA maintainer
       - old RC bugs
    - Team-generated tags
       - security team won't support
          - possibly, suite-specific no-security-support tags
       - suited for local use only
         (web-based double entry account system)
         (usable in the local network, but don't export on internet)
    - DD-introduced tags in control file
       - self-declared fringe package
       - self-declared dead-upstream
       - self-declared dead-upstream but DD will fix bugs
    - What else?
       - brainstorm personal best practices/metrics for choosing packages
       - package depends on orphaned packages
       - development status (alpha, beta, production, ...)
       - "I don't use this package anymore" (could be computed by
         scanning RFA bugs)


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Message #20 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 436161@bugs.debian.org
Subject: Re: Bug#436161: debtags: New tags for security support
Date: Mon, 17 Sep 2007 13:14:19 +0200
On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:

> Please add support for the following tags, as discussed during
> DebConf in Edinburgh:
> * [etch|lenny]-security-unsupported to flag that a source package has no
[...]
> * security-local-use-only (or something similar, I'm unsure about the exact
[...]

Hello Moritz,

I finally got time for this.  I really care about it.

Please find attached a tarball that implements a first prototype.

To give it a first try, you can put it online as, for example,
http://security.debian.org/tags, then add this line to
/etc/debtags/sources.list:

  tags http://security.debian.org/tags

Running debtags update will download the tags and index them.


All the Debian package managers, with the exception of adept, do not
currently support merging tags in this way.  I can however easily
implement merging tags and vocabulary from your tag source when I build
the tag override files that are installed in the Packages file.


Therefore a first step could be that you (security team) maintain a tag
source at your liking (like you have in the attached tarball), then I
can fetch it and merge it in the packages file.


With the same method I can implement more extra tag sources merged into
the Packages file, like for the proposals posted elsewhere in this bug
report of generating tags from wnpp entries.  Having the tag sources
merged in this way also prevents these extra tags from being edited by anyone
on the tagging interface at http://debtags.alioth.debian.org/edit.html


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Message #25 received at 436161@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Enrico Zini <enrico@enricozini.org>, 436161@bugs.debian.org
Subject: Re: Bug#436161: debtags: New tags for security support
Date: Mon, 17 Sep 2007 13:35:17 +0200
Hi,
* Enrico Zini <enrico@enricozini.org> [2007-09-17 13:22]:
> On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:
[...] 
> Please find attached a tarball that implements a first prototype.
> 
> To give it a first try, you can put it online as, for example,
> http://security.debian.org/tags, then add this line to
> /etc/debtags/sources.list:
[...] 
What you described really sounds very cool but you forgot 
the tarball.
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #30 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: 436161@bugs.debian.org, debtags-devel@lists.alioth.debian.org, debian-devel@lists.debian.org
Subject: New 'maint' facet for Debtags
Date: Mon, 17 Sep 2007 13:50:46 +0200
Hello,

in #436161 I proposed to have some external tag sources automatically
merged into the override files.  An example is a tag source provided by
the security team: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=20;att=0;bug=436161

In the same way we can have an autogenerated 'maint' facet with tags
documenting the status of the package maintenance.

Below is an example vocabulary for it, with annotations on how to
autogenerate the tag information.  I'd like to run some discussion on it
for a week or so, then proceed to implementation.


Facet: maint
Description: Maintenance status

Tag: maint::orphaned
Description: Orphaned
 There is no maintainer for this package.  Maintenance is done by the Debian QA
 Team.
(it can be autogenerated by looking if debian-qa is in the Maintainer field)

Tag: maint::rfa
Description: Adoption requested
 The maintainer is still maintaining the package, but has requested for someone
 else to take over its maintenance.
(it can be autogenerated by scanning open WNPP bugs)

Tag: maint::mia
Description: Maintainer unreachable
 The maintainer for this package is currently unreachable.
(mia-query on merkel shows all sorts of data, but I need to see how it
can be turned into a tag.  It has been suggested that if a maintainer is
MIA, the package should just be orphaned, so this tag would be of no
use, and I tend to agree)

Tag: maint::old-rc-bugs
Description: Old unfixed RC bugs
 The package has unfixed RC bugs older than 3 months.
(it can be autogenerated by scanning the BTS)

Tag: maint::fringe
Description: Fringe package (FIXME)
 The maintainer declared this to be a fringe package.
 .
 (TODO: define what this practically means)
 .
 (from IRC) more users == greater level of peer review and peer support?
(maintainers can enter this information in debian/control and I can scan it using Mole)

Tag: maint::unmaintained-upstream
Description: Unmaintained upstream
 The package is not maintained anymore by its upstream developers.
 .
 Debian still carries on basic maintenance, but no new upstream versions of the
 package are to be expected.
(maintainers can enter this information in debian/control and I can scan it using Mole)


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Message #35 received at 436161@bugs.debian.org (full text, mbox):

From: Andreas Tille <tillea@rki.de>
To: Debian Developers <debian-devel@lists.debian.org>
Cc: 436161@bugs.debian.org, debtags-devel@lists.alioth.debian.org
Subject: Re: New 'maint' facet for Debtags
Date: Mon, 17 Sep 2007 14:07:47 +0200 (CEST)
On Mon, 17 Sep 2007, Enrico Zini wrote:

> Tag: maint::fringe
> Description: Fringe package (FIXME)
> The maintainer declared this to be a fringe package.
> .
> (TODO: define what this practically means)
> .
> (from IRC) more users == greater level of peer review and peer support?
> (maintainers can enter this information in debian/control and I can scan it using Mole)
>
> Tag: maint::unmaintained-upstream
> Description: Unmaintained upstream
> The package is not maintained anymore by its upstream developers.
> .
> Debian still carries on basic maintenance, but no new upstream versions of the
> package are to be expected.
> (maintainers can enter this information in debian/control and I can scan it using Mole)

I'd regard this as very reasonable information.  Is there any syntax how
maintainers can add this to debian/control?

Kind regards

       Andreas.

-- 
http://fam-tille.de





Message #40 received at 436161@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 436161@bugs.debian.org
Cc: debtags-devel@lists.alioth.debian.org, debian-devel@lists.debian.org
Subject: Re: New 'maint' facet for Debtags
Date: Mon, 17 Sep 2007 15:20:30 +0200
* Enrico Zini:

> Below is an example vocabulary for it, with annotations on how to
> autogenerate the tag information.  I'd like to run some discussion on it
> for a week or so, then proceed to implementation.

Something that indicates security support by upstream, the maintainer
and the security team would be helpful, but it could be pretty complex
(we'd need to differentiate between stable and unstable/testing, too,
I guess).





Message #45 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Nico Golde <nion@debian.org>
Cc: 436161@bugs.debian.org
Subject: Re: Bug#436161: debtags: New tags for security support
Date: Mon, 17 Sep 2007 15:54:52 +0200
On Mon, Sep 17, 2007 at 01:35:17PM +0200, Nico Golde wrote:

> What you described really sounds very cool but you forgot 
> the tarball.

Doh!  Sorry, here it is.


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
[security.tar.gz (application/octet-stream, attachment)]

Message #50 received at 436161@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: 436161@bugs.debian.org, debtags-devel@lists.alioth.debian.org, debian-devel@lists.debian.org
Subject: Re: New 'maint' facet for Debtags
Date: Mon, 17 Sep 2007 18:55:42 +0200
On Mon, Sep 17, 2007 at 01:50:46PM +0200, Enrico Zini wrote:
> In the same way we can have an autogenerated 'maint' facet with tags
> documenting the status of the package maintenance.
> 
> Below is an example vocabulary for it, with annotations on how to
> autogenerate the tag information.  I'd like to run some discussion on it
> for a week or so, then proceed to implementation.
> 
> Tag: maint::orphaned
> Description: Orphaned
>  There is no maintainer for this package.  Maintenance is done by the Debian QA
>  Team.
> (it can be autogenerated by looking if debian-qa is in the Maintainer field)
> 
> Tag: maint::rfa
> Description: Adoption requested
>  The maintainer is still maintaining the package, but has requested for someone
>  else to take over its maintenance.
> (it can be autogenerated by scanning open WNPP bugs)

maint::rfh for RFH bugs should be a trivial extension of this concept.

The interesting question would be how to handle ITA bugs. These packages
can either be owned by debian-qa (in this case we already have
maint::orphaned) or they can be owned by the former maintainer (in case
of a fast O -> ITA or in case the ITA is a former RFA).

> Tag: maint::mia
> Description: Maintainer unreachable
>  The maintainer for this package is currently unreachable.
> (mia-query on merkel shows all sorts of data, but I need to see how it
> can be turned into a tag.  It has been suggested that if a maintainer is
> MIA, the package should just be orphaned, so this tag would be of no
> use, and I tend to agree)

I agree. This tag makes no sense.

> Tag: maint::old-rc-bugs
> Description: Old unfixed RC bugs
>  The package has unfixed RC bugs older than 3 months.
> (it can be autogenerated by scanning the BTS)

I'm a bit unsure about that one. Having old RC bugs does say nothing
about a package without actually reading at least the titles of the bugs
in question (think non-free documentation/RFCs vs. "should not go to
stable because of instable API/ABI/..." vs. "this is crap, should be
removed" vs. "FTBFS in unstable because <random other library> is
fucked up"). I see no real information value here.

What I would like to see would be a maint:obsolete tag. Can be added
to packages that are already removed from unstable and only supported
in stable or for packages that are only maintained in unstable for
external reasons (like dependencies). Think GNOME 1/GTK 1.2. This would
generally be the debtags equivalent to the oldlibs section.

For the "removed from unstable" case this would need to be filtered
manually probably, since it shouldn't be assigned to libraries in stable
just because they had a SONAME change in unstable...

For packages that aren't removed from unstable this could be a
maintainer field.

> Tag: maint::fringe
> Description: Fringe package (FIXME)
>  The maintainer declared this to be a fringe package.
>  .
>  (TODO: define what this practically means)
>  .
>  (from IRC) more users == greater level of peer review and peer support?
> (maintainers can enter this information in debian/control and I can scan it using Mole)
> 
> Tag: maint::unmaintained-upstream
> Description: Unmaintained upstream
>  The package is not maintained anymore by its upstream developers.
>  .
>  Debian still carries on basic maintenance, but no new upstream versions of the
>  package are to be expected.
> (maintainers can enter this information in debian/control and I can scan it using Mole)


Didn't someone mention in the Debconf session something along the lines
of maint::only-upstream? In the sense of "I'm the Debian maintainer and I
package new upstream versions and forward bugs, but I don't understand
the code [because it is too complex, because I don't speak the
programming language] and will/can not fix any bugs in it myself".

That should probably correlate to a open RFH/RFA bug but there might be
reasons it doesn't.

This would be a maintainer field.

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/





Message #55 received at 436161@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Enrico Zini <enrico@enricozini.org>
Cc: 436161@bugs.debian.org
Subject: Re: Bug#436161: debtags: New tags for security support
Date: Mon, 17 Sep 2007 19:57:32 +0200
Enrico Zini wrote:
> On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:
> 
> > Please add support for the following tags, as discussed during
> > DebConf in Edinburgh:
> > * [etch|lenny]-security-unsupported to flag that a source package has no
> [...]
> > * security-local-use-only (or something similar, I'm unsure about the exact
> [...]
> 
> Hello Moritz,
> 
> I finally got time for this.  I really care about it.

Enrico,
Thanks a lot. I'll have an in-depth look at it when I'm back from vacation
next month.

Cheers,
        Moritz





Message #60 received at 436161@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 436161@bugs.debian.org
Cc: debtags-devel@lists.alioth.debian.org, debian-devel@lists.debian.org
Subject: Re: New 'maint' facet for Debtags
Date: Mon, 17 Sep 2007 18:46:17 -0700
Enrico Zini <enrico@enricozini.org> writes:

> Tag: maint::fringe
> Description: Fringe package (FIXME)
>  The maintainer declared this to be a fringe package.
>  .
>  (TODO: define what this practically means)
>  .
>  (from IRC) more users == greater level of peer review and peer support?
> (maintainers can enter this information in debian/control and I can scan it using Mole)

Isn't this what Priority: extra is for?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>





Message #65 received at 436161@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 436161@bugs.debian.org
Cc: debtags-devel@lists.alioth.debian.org
Subject: Re: New 'maint' facet for Debtags
Date: Mon, 15 Oct 2007 23:54:56 +0200
Hi Enrico,
I'm currently in the process of setting up a test installation and I already
have an initial question:
Is there a mechanism which derives tags from other regular package meta
data automatically?

IOW, can the tags for "no security support" be automatically derived from every
package being non-free or contrib or would this require a script, which monitors
package changes?

Cheers,
        Moritz





Message #70 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 436161@bugs.debian.org
Cc: debtags-devel@lists.alioth.debian.org
Subject: Re: Bug#436161: New 'maint' facet for Debtags
Date: Tue, 16 Oct 2007 01:44:43 +0100
On Mon, Oct 15, 2007 at 11:54:56PM +0200, Moritz Muehlenhoff wrote:

> Is there a mechanism which derives tags from other regular package meta
> data automatically?
> IOW, can the tags for "no security support" be automatically derived from every
> package being non-free or contrib or would this require a script, which monitors
> package changes?

It would require a script that monitors package changes.  Most of the
tags in the maint facet would, anyway.

The good part is, we've gotten very good at creating such scripts,
also working on merged packages files that span all architectures.


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
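
The kind of script discussed in the exchange above, as an added example that is not part of the thread or of debtags: it derives tags from Packages-style metadata and reports what changed between two archive runs. The sample stanzas, the tag name `security::<suite>-unsupported`, the QA Group address used to detect orphaned packages, and the `package: tag, tag` output layout are assumptions made for illustration.

```python
import re

# Constructed sample in the Debian control-file stanza format used by Packages files.
SAMPLE_PACKAGES = """\
Package: alpha-ledger
Section: contrib/web
Maintainer: Jane Doe <jane@example.org>
Description: constructed sample package
 Continuation lines start with a space
 and belong to the previous field.

Package: beta-tool
Section: utils
Maintainer: Debian QA Group <packages@qa.debian.org>

Package: gamma-fonts
Section: non-free/fonts
Maintainer: Debian QA Group <packages@qa.debian.org>

Package: delta-lib
Section: libs
Maintainer: John Roe <john@example.org>
"""


def parse_stanzas(text):
    """Yield one dict of fields per stanza, folding continuation lines."""
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last is not None:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        if "Package" in fields:
            yield fields


def archive_area(section):
    """'non-free/fonts' -> 'non-free'; a Section without a prefix is in main."""
    area, slash, _ = section.partition("/")
    return area if slash else "main"


def derive_tags(stanza, suite):
    """Apply the two rules raised in the thread to one package stanza."""
    tags = set()
    # Rule from the question above: contrib and non-free get "no security support".
    # The tag name is hypothetical, patterned on the names proposed in this bug.
    if archive_area(stanza.get("Section", "")) in ("contrib", "non-free"):
        tags.add(f"security::{suite}-unsupported")
    # maint::orphaned: the QA group is the maintainer (address is an assumption).
    if "packages@qa.debian.org" in stanza.get("Maintainer", "").lower():
        tags.add("maint::orphaned")
    return tags


def build_tagdb(packages_text, suite):
    """Map package name -> set of derived tags; untagged packages are omitted."""
    db = {}
    for stanza in parse_stanzas(packages_text):
        tags = derive_tags(stanza, suite)
        if tags:
            db[stanza["Package"]] = tags
    return db


def format_tagdb(db):
    """Render as 'package: tag, tag' lines, sorted for stable diffs."""
    return "\n".join(
        f"{pkg}: {', '.join(sorted(tags))}" for pkg, tags in sorted(db.items())
    )


def tag_changes(old, new):
    """Compare two runs and return sorted (package, tag, '+' or '-') tuples."""
    changes = []
    for pkg in old.keys() | new.keys():
        before, after = old.get(pkg, set()), new.get(pkg, set())
        changes += [(pkg, tag, "+") for tag in after - before]
        changes += [(pkg, tag, "-") for tag in before - after]
    return sorted(changes)


if __name__ == "__main__":
    first = build_tagdb(SAMPLE_PACKAGES, "lenny")
    print(format_tagdb(first))
    # Simulate the next archive run: alpha-ledger moves from contrib to main.
    second = build_tagdb(SAMPLE_PACKAGES.replace("contrib/web", "web"), "lenny")
    for pkg, tag, sign in tag_changes(first, second):
        print(sign, pkg, tag)
```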

Message #75 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Moritz Muehlenhoff <jmm@debian.org>, Steffen Joeris <steffen.joeris@skolelinux.de>, Florian Weimer <fw@deneb.enyo.de>
Cc: 436161@bugs.debian.org, debtags-devel@lists.alioth.debian.org
Subject: Tags from the security team now acquired
Date: Mon, 30 Jun 2008 17:08:30 +0200
Hello,

I've implemented the acquisition of the security team tags from
svn://svn.debian.org/svn/secure-testing/data/package-tags

The script that generates the tag database is this one:
http://svn.debian.org/wsvn/debtags/tagdb/get-secteam-tags?op=file

The vocabulary with the tag descriptions is here:
http://svn.debian.org/wsvn/debtags/vocabulary/trunk/security-team?op=file
I am happy to give you commit access to it, just give me a list of
alioth user names.

The tags generated by get-secteam-tags are merged with the other tags
only when preparing the tag override files.

This is done so that they cannot be seen in the web tag editor, which is
a bug as well as a feature: a bug because it would be nice to see them
anywhere, but a feature because the web editor has currently no concept
of read-only tags, so whatever is seen can also be edited, and we don't
want these tags to be editable by anyone except the security team.

The vocabulary is merged with the normal debtags vocabulary when
building the debtags source package, then it gets installed as part of
the debtags package.  I've just uploaded a new version of debtags that
includes the current security team tags.


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
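
The property described in the message above (only the security team can set these tags) can also be enforced at merge time. The following is an added example, not the get-secteam-tags script or any debtags code: tags in a protected facet are accepted only from the trusted source and are dropped, and reported, when they arrive from the publicly editable one. The `package: tag, tag` line format, the function names and all tag assignments in the sample data are assumptions constructed for illustration.

```python
# Facets whose tags may only come from the trusted (security team) source.
PROTECTED_FACETS = {"security"}

# Constructed sample: tags as they might arrive from the publicly editable database.
COMMUNITY_TAGS = """\
sql-ledger: web::application, use::organizing, security::etch-limited-support
examplepkg: role::program, security::lenny-limited-support
otherpkg: role::shared-lib
"""

# Constructed sample: tags maintained by the security team.
SECTEAM_TAGS = """\
sql-ledger: security::etch-limited-support, security::lenny-limited-support
"""


def parse_tagdb(text):
    """Parse 'package: tag, tag' lines into {package: set(tags)}."""
    db = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # Split on the first ':' only; tags themselves contain '::'.
        pkg, sep, rest = line.partition(":")
        if not sep or not pkg.strip():
            raise ValueError(f"line {lineno}: expected 'package: tag, tag'")
        tags = {t.strip() for t in rest.split(",") if t.strip()}
        db.setdefault(pkg.strip(), set()).update(tags)
    return db


def facet_of(tag):
    """'security::etch-limited-support' -> 'security'."""
    return tag.partition("::")[0]


def merge_sources(community, secteam, protected=PROTECTED_FACETS):
    """Merge both sources; protected facets are taken from secteam only.

    Returns (merged, rejected) where rejected lists the (package, tag)
    pairs that the community source tried to set in a protected facet.
    """
    merged, rejected = {}, []
    for pkg, tags in community.items():
        for tag in tags:
            if facet_of(tag) in protected:
                rejected.append((pkg, tag))
            else:
                merged.setdefault(pkg, set()).add(tag)
    # The trusted source is merged last and unfiltered, so its view of the
    # protected facets is the only one that reaches the override files.
    for pkg, tags in secteam.items():
        merged.setdefault(pkg, set()).update(tags)
    return merged, sorted(rejected)


if __name__ == "__main__":
    merged, rejected = merge_sources(
        parse_tagdb(COMMUNITY_TAGS), parse_tagdb(SECTEAM_TAGS)
    )
    for pkg in sorted(merged):
        print(f"{pkg}: {', '.join(sorted(merged[pkg]))}")
    for pkg, tag in rejected:
        print(f"rejected from community source: {pkg} {tag}")
```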

Message #80 received at 436161@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Moritz Muehlenhoff <jmm@debian.org>, Steffen Joeris <steffen.joeris@skolelinux.de>, Florian Weimer <fw@deneb.enyo.de>, 436161@bugs.debian.org, debtags-devel@lists.alioth.debian.org
Subject: Re: Tags from the security team now acquired
Date: Sun, 20 Jul 2008 00:16:34 +0200
Hi Enrico,

Enrico Zini wrote:
> Hello,

First of all, thanks a lot for implementing this! I hadn't had much
time lately, so this reply comes a bit belated.
 
> I've implemented the acquisition of the security team tags from
> svn://svn.debian.org/svn/secure-testing/data/package-tags
> 
> The script that generates the tag database is this one:
> http://svn.debian.org/wsvn/debtags/tagdb/get-secteam-tags?op=file
> 
> The vocabulary with the tag descriptions is here:
> http://svn.debian.org/wsvn/debtags/vocabulary/trunk/security-team?op=file
> I am happy to give you commit access to it, just give me a list of
> alioth user names.

I'm only missing a tag like the ones below. The specific use case is
sql-ledger, which should only be run behind an authenticated HTTP
zone. 

   Tag: security::etch-limited-support
   Description: Limited scope of security support, see README.Debian
    Security support for this package is limited in covered functionality
    or to specific use cases. Please see README.Debian for details.

   Tag: security::lenny-limited-support
   Description: Limited scope of security support, see README.Debian
    Security support for this package is limited in covered functionality
    or to specific use cases. Please see README.Debian for details.

(Could you commit it if you're fine with it? That's likely less overhead
for all of us)
 
> This is done so that they cannot be seen in the web tag editor, which is
> a bug as well as a feature: a bug because it would be nice to see them
> anywhere, but a feature because the web editor has currently no concept
> of read-only tags, so whatever is seen can also be edited, and we don't
> want these tags to be editable by anyone except the security team.

Sounds good.

Cheers,
        Moritz












Message #85 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 436161@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, Steffen Joeris <steffen.joeris@skolelinux.de>, Florian Weimer <fw@deneb.enyo.de>, debtags-devel@lists.alioth.debian.org
Subject: Re: Bug#436161: Tags from the security team now acquired
Date: Sun, 20 Jul 2008 07:53:20 +0100
On Sun, Jul 20, 2008 at 12:16:34AM +0200, Moritz Muehlenhoff wrote:

> I'm only missing a tag like the ones below. The specific use case is
> sql-ledger, which should only be run behind an authenticated HTTP
> zone. 
> 
>    Tag: security::etch-limited-support
>    Description: Limited scope of security support, see README.Debian
>     Security support for this package is limited in covered functionality
>     or to specific use cases. Please see README.Debian for details.
> 
>    Tag: security::lenny-limited-support
>    Description: Limited scope of security support, see README.Debian
>     Security support for this package is limited in covered functionality
>     or to specific use cases. Please see README.Debian for details.
> 
> (Could you commit it if you're fine with it? That's likely less overhead
> for all of us)

Committed, thanks.  You can go on adding them to
svn://svn.debian.org/svn/secure-testing/data/package-tags

In fact, you are free to experiment adding anything you want to your tag
database and write the vocabulary entries later on, if that's convenient
to you.


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Message #90 received at 436161@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Enrico Zini <enrico@enricozini.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 436161@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, debtags-devel@lists.alioth.debian.org
Subject: Re: Bug#436161: Tags from the security team now acquired
Date: Sun, 20 Jul 2008 18:28:03 +1000
On Sun, 20 Jul 2008 04:53:20 pm Enrico Zini wrote:
> On Sun, Jul 20, 2008 at 12:16:34AM +0200, Moritz Muehlenhoff wrote:
> > I'm only missing a tag like the ones below. The specific use case is
> > sql-ledger, which should only be run behind an authenticated HTTP
> > zone.
> >
> >    Tag: security::etch-limited-support
> >    Description: Limited scope of security support, see README.Debian
> >     Security support for this package is limited in covered functionality
> >     or to specific use cases. Please see README.Debian for details.
> >
> >    Tag: security::lenny-limited-support
> >    Description: Limited scope of security support, see README.Debian
> >     Security support for this package is limited in covered functionality
> >     or to specific use cases. Please see README.Debian for details.
> >
> > (Could you commit it if you're fine with it? That's likely less overhead
> > for all of us)
>
> Committed, thanks.  You can go on adding them to
> svn://svn.debian.org/svn/secure-testing/data/package-tags
For consistency now, can we use:
[etch] sql-ledger <limited-support> (Only supported behind an authenticated 
HTTP zone)
[lenny] sql-ledger <limited-support> (Only supported behind an authenticated 
HTTP zone)

Cheers
Steffen
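
An added example, not part of the thread or of the debtags or secure-testing code: it parses entries in the `[suite] package <tag> (note)` layout quoted above and lists those whose tag has no vocabulary stanza yet. The `security::<suite>-<tag>` mapping, the continuation-line rule and the last sample entry are assumptions made for this example.

```python
import re

# The two vocabulary stanzas quoted in the thread (long descriptions omitted).
VOCABULARY = """\
Tag: security::etch-limited-support
Description: Limited scope of security support, see README.Debian

Tag: security::lenny-limited-support
Description: Limited scope of security support, see README.Debian
"""

# Entries in the layout used in the thread. The last entry is constructed
# for this example and deliberately has no vocabulary stanza.
PACKAGE_TAGS = """\
[etch] sql-ledger <limited-support> (Only supported behind an authenticated
HTTP zone)
[lenny] sql-ledger <limited-support> (Only supported behind an authenticated
HTTP zone)
[lenny] example-pkg <constructed-tag> (constructed entry)
"""

ENTRY = re.compile(r"\[(?P<suite>[a-z]+)\]\s+(?P<package>[a-z0-9][a-z0-9+.-]+)"
                   r"\s+<(?P<tag>[a-z0-9-]+)>(?:\s+\((?P<note>.*)\))?")

def vocabulary_tags(text):
    """Return the set of tag names declared by 'Tag:' fields."""
    return {l[4:].strip() for l in text.splitlines() if l.startswith("Tag:")}

def parse_package_tags(text):
    """Return (entries, malformed); wrapped notes are joined to their entry."""
    logical = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("[") or not logical:
            logical.append(line)
        else:  # assumption: a line not starting with "[" continues the note
            logical[-1] += " " + line
    entries, malformed = [], []
    for line in logical:
        match = ENTRY.fullmatch(line)
        (entries if match else malformed).append(match.groupdict() if match else line)
    return entries, malformed

def debtags_name(entry):
    """Assumed mapping: [etch] ... <limited-support> -> security::etch-limited-support."""
    return "security::{suite}-{tag}".format(**entry)

def missing_from_vocabulary(entries, vocabulary):
    # Entries whose derived tag name is not declared in the vocabulary.
    return [(e["package"], debtags_name(e)) for e in entries
            if debtags_name(e) not in vocabulary]
```

Malformed lines are returned rather than skipped, so a typo in a suite or tag name shows up instead of silently dropping a support restriction.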

Message #95 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 436161@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, debtags-devel@lists.alioth.debian.org
Subject: Re: Bug#436161: Tags from the security team now acquired
Date: Tue, 22 Jul 2008 17:35:58 +0100
On Sun, Jul 20, 2008 at 06:28:03PM +1000, Steffen Joeris wrote:

> > Committed, thanks.  You can go on adding them to
> > svn://svn.debian.org/svn/secure-testing/data/package-tags
> For consistency now, can we use:
> [etch] sql-ledger <limited-support> (Only supported behind an authenticated 
> HTTP zone)
> [lenny] sql-ledger <limited-support> (Only supported behind an authenticated 
> HTTP zone)

When is it going to land in svn://svn.debian.org/svn/secure-testing/data/package-tags ?


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Message #100 received at 436161@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 436161@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, debtags-devel@lists.alioth.debian.org
Subject: Re: Bug#436161: Tags from the security team now acquired
Date: Wed, 23 Jul 2008 02:47:55 +1000
On Wed, 23 Jul 2008 02:35:58 am Enrico Zini wrote:
> On Sun, Jul 20, 2008 at 06:28:03PM +1000, Steffen Joeris wrote:
> > > Committed, thanks.  You can go on adding them to
> > > svn://svn.debian.org/svn/secure-testing/data/package-tags
> >
> > For consistency now, can we use:
> > [etch] sql-ledger <limited-support> (Only supported behind an
> > authenticated HTTP zone)
> > [lenny] sql-ledger <limited-support> (Only supported behind an
> > authenticated HTTP zone)
>
> When is it going to land in
> svn://svn.debian.org/svn/secure-testing/data/package-tags ?
I've just committed it now. I waited for your ok :)

Cheers
Steffen

Message #105 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: debtags-devel@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@alioth.debian.org
Cc: 436161@bugs.debian.org
Subject: Tag index prototype
Date: Mon, 28 Jul 2008 20:28:06 +0100
Hello,

Steffen Joeris asked me to create some sort of tag index where the
security team tags can be viewed.

Here's a prototype: http://debtags.alioth.debian.org/tagindex/

The page for the tags of the security team is:
http://debtags.alioth.debian.org/tagindex/secteam.html

Frank Lichtenheld mentioned that he intends to create something similar
for packages.debian.org, but in the meantime we have a place to point
people to.

The code can be found at http://debtags.alioth.debian.org/git/tagindex.git
All pages are static HTML, generated from easy-to-edit genshi templates.

If anyone would like to edit the templates to make it prettier, and add
a css or integrate the debtags css, they're more than welcome to
clone the repository and play with it.


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Message #110 received at 436161@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: debtags-devel@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@alioth.debian.org, 436161@bugs.debian.org
Subject: Re: Tag index prototype
Date: Wed, 30 Jul 2008 10:34:42 +0200 (CEST)
Hi!

On Mon, July 28, 2008 21:28, Enrico Zini wrote:
> Steffen Joeris asked me to create some sort of tag index where the
> security team tags can be viewed.

Thanks, but it's unclear to me where I can add such tags to packages. Anyone?

cheers,
Thijs

Message #115 received at 436161@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: debtags-devel@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@alioth.debian.org, 436161@bugs.debian.org
Subject: Re: Tag index prototype
Date: Wed, 30 Jul 2008 11:47:33 +0200
On Wed, Jul 30, 2008 at 10:34:42AM +0200, Thijs Kinkhorst wrote:

> On Mon, July 28, 2008 21:28, Enrico Zini wrote:
> > Steffen Joeris asked me to create some sort of tag index where the
> > security team tags can be viewed.
> Thanks, but it's unclear to me where I can add such tags to packages. Anyone?

You can click on "Tags:" in packages.debian.org when you see the
package, or you have a link to your debtags page in the DDPO, or you can
go to http://debtags.alioth.debian.org/edit.html?pkg=pkgname

But I already intended to link those pages directly to the tag editor,
which makes sense as they are inside the debtags website.  So I've just
done it.

If instead you refer to editing the tags related to the security team,
they are in svn://svn.debian.org/svn/secure-testing/data/package-tags


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Message #120 received at 436161@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: debtags-devel@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@alioth.debian.org, 436161@bugs.debian.org
Subject: Re: Tag index prototype
Date: Wed, 30 Jul 2008 12:05:17 +0200 (CEST)
On Wed, July 30, 2008 11:47, Enrico Zini wrote:
> If instead you refer to editing the tags related to the security team,
> they are in svn://svn.debian.org/svn/secure-testing/data/package-tags

Thanks, I was indeed referring to this and was not aware that this was
also the primary source of those tags.


ciao,
Thijs

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:02:09 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.