Debian Bug report logs -
#660190
security-tracker: add per-maintainer page (with half-baked patch)
Reported by: Paul Wise <pabs@debian.org>
Date: Fri, 17 Feb 2012 10:09:06 UTC
Severity: wishlist
Tags: help
Merged with 507303
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tracker Team <debian-security-tracker@lists.debian.org>:
Bug#660190; Package security-tracker.
(Fri, 17 Feb 2012 10:09:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Tracker Team <debian-security-tracker@lists.debian.org>.
(Fri, 17 Feb 2012 10:09:10 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: security-tracker
Severity: wishlist
The attached patch implements a first pass at a per-maintainer page of
security issues. It involves some database schema changes so it will
require a full reimport of all the data.
My SQL knowledge isn't great, so there are some deficiencies:
I'm not sure if adding another table is the right way to go, nor if
I used the right table name.
I'm not sure if the getBugsForMaintainer is correct, especially wrt
version numbers/releases/etc.
I am not sure how to implement a getDSAsForMaintainer function to add
DSAs related to the maintainer at the bottom of the page.
--
bye,
pabs
http://wiki.debian.org/PaulWise
[patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
Forcibly Merged 507303 660190.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Fri, 17 Feb 2012 10:15:26 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tracker Team <debian-security-tracker@lists.debian.org>:
Bug#660190; Package security-tracker.
(Mon, 12 Mar 2012 02:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tracker Team <debian-security-tracker@lists.debian.org>.
(Mon, 12 Mar 2012 02:06:03 GMT) (full text, mbox, link).
Message #12 received at 660190@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Fri, 2012-02-17 at 17:36 +0800, Paul Wise wrote:
> The attached patch implements a first pass at a per-maintainer page of
> security issues. It involves some database schema changes so it will
> require a full reimport of all the data.
Does anyone have some time to review my patch?
--
bye,
pabs
http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tracker Team <debian-security-tracker@lists.debian.org>:
Bug#660190; Package security-tracker.
(Tue, 13 Mar 2012 01:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Security Tracker Team <debian-security-tracker@lists.debian.org>.
(Tue, 13 Mar 2012 01:21:05 GMT) (full text, mbox, link).
Message #17 received at 660190@bugs.debian.org (full text, mbox, reply):
On Sun, Mar 11, 2012 at 10:02 PM, Paul Wise wrote:
> On Fri, 2012-02-17 at 17:36 +0800, Paul Wise wrote:
>
>> The attached patch implements a first pass at a per-maintainer page of
>> security issues. It involves some database schema changes so it will
>> require a full reimport of all the data.
>
> Does anyone have some time to review my patch?
At a cursory glance, this seems more complicated than it needs to be.
You're creating an "id" for each source package, but that is redundant
since the package name itself is a unique id.
All you should need is a table with only sourcepkg names and
maintainer fields. Then when you process a view on (for example) a
maintainer page you can step through all sourcepkg names listed as
associated with that maintainer via that table.
Also, why is "c.execute("PRAGMA foreign_keys=ON")" necessary?
There is also a debugging print statement.
Best wishes,
Mike
Message sent on
to Paul Wise <pabs@debian.org>:
Bug#660190.
(Tue, 13 Mar 2012 01:21:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tracker Team <debian-security-tracker@lists.debian.org>:
Bug#660190; Package security-tracker.
(Tue, 13 Mar 2012 02:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tracker Team <debian-security-tracker@lists.debian.org>.
(Tue, 13 Mar 2012 02:09:03 GMT) (full text, mbox, link).
Message #25 received at 660190@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 2012-03-12 at 21:16 -0400, Michael Gilbert wrote:
> Also, why is "c.execute("PRAGMA foreign_keys=ON")" necessary?
sqlite doesn't enforce foreign key constraints by default:
https://sqlite.org/foreignkeys.html#fk_enable
I'm using those to ensure maintainers are deleted when source packages
are deleted from the database.
> At a cursory glance, this seems more complicated than it needs to be.
> You're creating an "id" for each source package, but that is redundant
> since the package name itself is a unique id.
>
> All you should need is a table with only sourcepkg names and
> maintainer fields. Then when you process a view on (for example) a
> maintainer page you can step through all sourcepkg names listed as
> associated with that maintainer via that table.
The source package name is definitely not unique since there are
multiple suites that could have a line in the source package table.
I'm not sure if the foreign key stuff would work with non-numeric keys.
If a package gets removed from sid, we still want the issues present in
stable to be listed on the maintainer's page. Going with your suggestion
would mean that we would not know which maintainers to remove when a
package is deleted from one particular suite.
> There is also a debugging print statement.
>
Removed in my local checkout.
--
bye,
pabs
http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]
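The foreign-key behaviour discussed in the message above, as an added example that is not part of the original bug log or the attached patch. The table and column names (`source_packages`, `package_maintainers`) and the sample rows are hypothetical; the example shows that `ON DELETE CASCADE` only takes effect on a connection where `PRAGMA foreign_keys=ON` has been issued, and that removing one suite's row keeps the maintainer entry of the other suite.

```python
import sqlite3

# Hypothetical schema: one source_packages row per (name, release), so the
# name alone is not unique, and a maintainer table keyed on the numeric id.
SCHEMA = """
CREATE TABLE source_packages (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    release TEXT NOT NULL,
    UNIQUE (name, release)
);
CREATE TABLE package_maintainers (
    package_id INTEGER NOT NULL
        REFERENCES source_packages(id) ON DELETE CASCADE,
    maintainer TEXT NOT NULL
);
"""
ROWS = [("hello", "squeeze"), ("hello", "sid")]  # constructed sample data
MAINT = "Jane Maintainer <jane@example.org>"     # constructed sample data


def remaining_after_sid_removal(enforce):
    """Delete the sid row of 'hello'; return the (release, maintainer) rows
    still joined to a package and the number of orphaned maintainer rows."""
    db = sqlite3.connect(":memory:")
    # Per-connection setting, not stored in the database file. OFF is
    # SQLite's default; it is set explicitly so the result does not depend
    # on how the library was built.
    db.execute("PRAGMA foreign_keys=%s" % ("ON" if enforce else "OFF"))
    db.executescript(SCHEMA)
    for name, release in ROWS:
        cur = db.execute(
            "INSERT INTO source_packages (name, release) VALUES (?, ?)",
            (name, release))
        db.execute("INSERT INTO package_maintainers VALUES (?, ?)",
                   (cur.lastrowid, MAINT))
    db.execute("DELETE FROM source_packages WHERE name = ? AND release = ?",
               ("hello", "sid"))
    db.commit()
    kept = db.execute(
        "SELECT s.release, m.maintainer FROM package_maintainers m "
        "JOIN source_packages s ON s.id = m.package_id "
        "ORDER BY s.release").fetchall()
    orphans = db.execute(
        "SELECT COUNT(*) FROM package_maintainers m "
        "LEFT JOIN source_packages s ON s.id = m.package_id "
        "WHERE s.id IS NULL").fetchone()[0]
    db.close()
    return kept, orphans


if __name__ == "__main__":
    print("enforced:    ", remaining_after_sid_removal(True))
    print("not enforced:", remaining_after_sid_removal(False))
```
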
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tracker Team <debian-security-tracker@lists.debian.org>:
Bug#660190; Package security-tracker.
(Tue, 13 Mar 2012 03:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Security Tracker Team <debian-security-tracker@lists.debian.org>.
(Tue, 13 Mar 2012 03:00:03 GMT) (full text, mbox, link).
Message #30 received at 660190@bugs.debian.org (full text, mbox, reply):
On Mon, Mar 12, 2012 at 10:06 PM, Paul Wise <pabs@debian.org> wrote:
> On Mon, 2012-03-12 at 21:16 -0400, Michael Gilbert wrote:
>
>> Also, why is "c.execute("PRAGMA foreign_keys=ON")" necessary?
>
> sqlite doesn't enforce foreign key constraints by default:
>
> https://sqlite.org/foreignkeys.html#fk_enable
>
> I'm using those to ensure maintainers are deleted when source packages
> are deleted from the database.
There is a removed_packages table that you can use to check whether
the package is currently in debian or not.
>> At a cursory glance, this seems more complicated than it needs to be.
>> You're creating an "id" for each source package, but that is redundant
>> since the package name itself is a unique id.
>>
>> All you should need is a table with only sourcepkg names and
>> maintainer fields. Then when you process a view on (for example) a
>> maintainer page you can step through all sourcepkg names listed as
>> associated with that maintainer via that table.
>
> The source package name is definitely not unique since there are
> multiple suites that could have a line in the source package table.
It's still the same source package. You could step through each suite
separately on the maintainer pages since yes they will each have
different sets of issues.
> I'm not sure if the foreign key stuff would work with non-numeric keys.
Foreign keys should not be necessary at all.
> If a package gets removed from sid, we still want the issues present in
> stable to be listed on the maintainer's page. Going with your suggestion
> would mean that we would not know which maintainers to remove when a
> package is deleted from one particular suite.
You could limit results by checking that the release is in a supported
release (squeeze,wheezy,sid). All packages are considered in the
archive until they're not in any release.
But I really think you want a listing of issues per suite per maintainer.
Best wishes,
Mike
Message sent on
to Paul Wise <pabs@debian.org>:
Bug#660190.
(Tue, 13 Mar 2012 03:00:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tracker Team <debian-security-tracker@lists.debian.org>:
Bug#660190; Package security-tracker.
(Sun, 18 Mar 2012 05:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tracker Team <debian-security-tracker@lists.debian.org>.
(Sun, 18 Mar 2012 05:36:03 GMT) (full text, mbox, link).
Message #38 received at 660190@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 2012-03-12 at 22:56 -0400, Michael Gilbert wrote:
>
> There is a removed_packages table that you can use to check whether
> the package is currently in debian or not.
The foreign key stuff is not about whether or not the package is in
Debian, just about deleting maintainer information when packages are
removed from the database.
> It's still the same source package. You could step through each suite
> separately on the maintainer pages since yes they will each have
> different sets of issues.
> You could limit results by checking that the release is in a supported
> release (squeeze,wheezy,sid). All packages are considered in the
> archive until they're not in any release.
>
> But I really think you want a listing of issues per suite per
> maintainer.
Feel free to update the patch to do that, I don't have any more time to
spend on this.
--
bye,
pabs
http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]
Added tag(s) help.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 24 Oct 2013 05:39:06 GMT) (full text, mbox, link).
Message #41 received at 507303-done@bugs.debian.org (full text, mbox, reply):
Hi Raphael,
On Sat, Nov 29, 2008 at 03:10:21PM -0600, Raphael Geissert wrote:
> Package: security-tracker
> Severity: wishlist
>
> It would be great to provide such report, as to have a link to it on
> the DDPO.
While looking at some open bugs for the security-tracker I encountered
this one. I think the Debian maintainer dashboard might be a better
option to include this overview (actually it does show already open
security issues in one maintainer's view).
Regards,
Salvatore
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 05 Jul 2019 07:25:41 GMT) (full text, mbox, link).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jun 4 15:57:56 2023;
Machine Name:
buxtehude