Debian Bug report logs - #859122
1 DLA missing from the website (or not)

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: about 500 DLAs missing from the website

Date: Thu, 30 Mar 2017 10:22:05 -0400

Package: www.debian.org
Severity: normal

Hi!

First, thanks for doing the work of importing DLAs and DSAs in the
website, it is greatly appreciated.

However, during a discussion on the debian-lts@ mailing list, we have
noticed that DLAs since squeeze LTS support was terminated have not
been imported:

https://lists.debian.org/debian-lts/2017/03/msg00205.html

An excerpt from the discussion:

> Here's the bits that are missing:
> 
>  * the last DLA on the website is DLA-445-2, which is basically the last
>    DLA before squeeze support ended and wheezy was handed over
> 
>  * among those 445 DLAs, there are actually 31 missing:
> 
>    webwml$ cd english/security/; find -name 'dla-*.wml' | wc -l
>    424
> 
>  * even worse, it seems there are at least 20 advisories missing from
>    the website because regression uploads hide advisories, because our
>    naming convention differs from DSA ("DLA-XXX-N", where XXX is the
>    original advisory and N are regression updates)
> 
>    $ grep DLA- data/DLA/list | sed 's/.* DLA-//;s/ .*//' | sort -n | sed '/445-2/,$d' | wc -l
>    465
> 
>  * the canonical list has 928 advisories:
> 
>    secure-testing$ grep DLA- data/DLA/list | wc -l 
>    928

Is there any reason why new DLAs have not been imported?

Is there anything we can do to help in completing that import?

I will open a separate ticket regarding possible automation shortly.

Thanks!

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Message #10 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: 859122@bugs.debian.org

Subject: Re: Bug#859122: Acknowledgement (about 500 DLAs missing from the website)

Date: Thu, 30 Mar 2017 10:36:04 -0400

For the record, I opened the following related bug report:

 * #859123: automate import of DLAs and DSAs in www.debian.org

Which may help in avoiding that issue in the future.

-- 
The greatest crimes in the world are not committed by people breaking
the rules but by people following the rules. It's people who follow
orders that drop bombs and massacre villages.
                        - Bansky

Message #20 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: 859122@bugs.debian.org

Subject: Re: about 500 DLAs missing from the website

Date: Mon, 19 Nov 2018 19:01:48 -0500

On 2017-03-30 11:22:05, Antoine Beaupre wrote:
> Is there any reason why new DLAs have not been imported?
>
> Is there anything we can do to help in completing that import?

So after further research, I can answer my own questions.

It's unclear why the process has broken down, but it's clear that the
current webmaster team is not in a position to do that work. For DLAs,
they do not have the templates they normally use for DSA.

I looked at the parse-dsa.pl script and it looks like it might just be
possible to batch-import the missing advisories. I started looking into
that into the following MRs:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/41
https://salsa.debian.org/webmaster-team/webwml/merge_requests/42
https://salsa.debian.org/webmaster-team/webwml/merge_requests/43

And will eventually batch-import everything in one monstrous merge
request.

Then we need to figure out workflow, which I'll do in that other bug
report.

A.

-- 
Blind respect for authority is the greatest enemy of truth.
                       - Albert Einstein

Message #27 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: 859123@bugs.debian.org, debian-lts@lists.debian.org, 859122@bugs.debian.org

Subject: Re: automating process for publishing DLAs on the website

Date: Wed, 19 Dec 2018 18:05:36 -0500

On 2018-12-19 11:09:10, Antoine Beaupré wrote:
> On 2018-12-19 14:58:29, Holger Levsen wrote:
>> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote:
>>> > I also note #859122 is not marked 'patch'.
>>> fixed.
>>  
>> :)
>>
>>> >> I've requested access as an individual, for what that's worth.
>>> > you were given access a week ago, too. \o/
>>> yup. I guess I could just merge my own patches now... or do you want to
>>> review them and do that instead, so we can get at least a second pair of
>>> eyes on them?
>>  
>> I just briefly reviewed them (not being a debian-www expert) and they
>> a.) looked good and b.) only affect our areas, so I do think you should
>> merge them.
>
> i merged both patches, but it doesn't look like the change showed up on
> the main website yet:
>
> https://www.debian.org/security/2018/
>
> ... doesn't list any DLA, and those are both 404s:
>
> https://www.debian.org/security/2018/dla-1580
> https://www.debian.org/security/2018/dla-1561

This is actually processed every few hours, not directly after the CI
runs.

The DLAs are visible here:

https://www-staging.debian.org/security/2018/dla-1580

One thing that's unclear is how the entries get added to the main list
in:

https://www-staging.debian.org/security/2018/

That still needs to be cleared up. In the meantime, I did do a mass
import here:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/47

A.

-- 
Le péché est né avant la vertu, comme le moteur avant le frein.
                         - Jean-Paul Sartre

Message #32 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>

To: debian-lts@lists.debian.org, debian-www@lists.debian.org

Cc: 859122@bugs.debian.org

Subject: Re: about 500 DLAs missing from the website

Date: Fri, 01 Feb 2019 13:44:10 -0500

On 2018-12-19 18:05:36, Antoine Beaupré wrote:
> The DLAs are visible here:
>
> https://www-staging.debian.org/security/2018/dla-1580
>
> One thing that's unclear is how the entries get added to the main list
> in:
>
> https://www-staging.debian.org/security/2018/
>
> That still needs to be cleared up.

That's actually in the webwml code, I opened a MR to add those:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/50

> In the meantime, I did do a mass
> import here:
>
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/47

... and I just updated that with the latest, up until DLA-1657-1.

A.

-- 
It will be a great day when our schools get all the money they need
and the air force has to hold a bake sale to buy a bomber.
                        - Unknown

Message #37 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Antoine Beaupré <anarcat@orangeseeds.org>

Cc: debian-lts@lists.debian.org, debian-www@lists.debian.org, 859122@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: about 500 DLAs missing from the website

Date: Sun, 3 Feb 2019 14:08:06 +0100

Hi Antoinie,

[adding team@s.d.o to CC]

Thanks for working on this.

On Fri, Feb 01, 2019 at 01:44:10PM -0500, Antoine Beaupré wrote:
> On 2018-12-19 18:05:36, Antoine Beaupré wrote:
> > The DLAs are visible here:
> >
> > https://www-staging.debian.org/security/2018/dla-1580
> >
> > One thing that's unclear is how the entries get added to the main list
> > in:
> >
> > https://www-staging.debian.org/security/2018/
> >
> > That still needs to be cleared up.
> 
> That's actually in the webwml code, I opened a MR to add those:
> 
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/50

IMHO they should not be mixed into the same namespace as the DSAs.
https://www.debian.org/security/ is very specific to the
debian-security-announce list and contains items for e.g. contacting
the Debian security team or referecing the respective FAQ.

I think having a dedicated https://www.debian.org/lts/ where those can
be collected and having further information on LTS would be somehow
better.

This will need an adjustment to the tracker side as well so that
sources filed for Debian LTS DLA's will not link to
https://www.debian.org/security/$year/dla-$nr .

If a dedicated subpage is not needed and the only purpose is to link
to a webversion, and the DLA's do not show up in the overall view then
possibly the status quo is still okay.

What do you think?

Regards,
Salvatore

Message #42 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Laura Arjona Reina <larjona@debian.org>

To: Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, debian-www@lists.debian.org, 859122@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: about 500 DLAs missing from the website

Date: Sun, 3 Feb 2019 14:38:02 +0100

Hello

El 3/2/19 a las 14:08, Salvatore Bonaccorso escribió:
> Hi Antoinie,
> 
> [adding team@s.d.o to CC]
> 
> Thanks for working on this.
> 
> On Fri, Feb 01, 2019 at 01:44:10PM -0500, Antoine Beaupré wrote:
>> On 2018-12-19 18:05:36, Antoine Beaupré wrote:
>>> The DLAs are visible here:
>>>
>>> https://www-staging.debian.org/security/2018/dla-1580
>>>
>>> One thing that's unclear is how the entries get added to the main list
>>> in:
>>>
>>> https://www-staging.debian.org/security/2018/
>>>
>>> That still needs to be cleared up.
>>
>> That's actually in the webwml code, I opened a MR to add those:
>>
>> https://salsa.debian.org/webmaster-team/webwml/merge_requests/50
> 
> IMHO they should not be mixed into the same namespace as the DSAs.
> https://www.debian.org/security/ is very specific to the
> debian-security-announce list and contains items for e.g. contacting
> the Debian security team or referecing the respective FAQ.
> 

Note that we already have some DLAs published in
www.debian.org/security/YYYY, for the years 2014, 2015 and 2016. See for
example:

https://www.debian.org/security/2014/index

I don't mind to move the already published DLAs to other place if people
decides it's better, but I frankly don't know if/where these URLs are
used/publicised (in Debian and maybe other places too), and we may need
to setup redirectors from the current URLs to the new ones (no problem
with that, I say it only to not forget, in case we decide to move all
the DLAs to a different place).

Kind regards,
-- 
Laura Arjona Reina
https://wiki.debian.org/LauraArjona

> I think having a dedicated https://www.debian.org/lts/ where those can
> be collected and having further information on LTS would be somehow
> better.
> 
> This will need an adjustment to the tracker side as well so that
> sources filed for Debian LTS DLA's will not link to
> https://www.debian.org/security/$year/dla-$nr .
> 
> If a dedicated subpage is not needed and the only purpose is to link
> to a webversion, and the DLA's do not show up in the overall view then
> possibly the status quo is still okay.
> 
> What do you think?
> 

Message #47 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, debian-www@lists.debian.org, 859122@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: about 500 DLAs missing from the website

Date: Sun, 3 Feb 2019 16:59:16 +0100

On Sun, Feb 03, 2019 at 02:08:06PM +0100, Salvatore Bonaccorso wrote:
> IMHO they should not be mixed into the same namespace as the DSAs.
> https://www.debian.org/security/ is very specific to the
> debian-security-announce list and contains items for e.g. contacting
> the Debian security team or referecing the respective FAQ.

+1

Cheers,
        Moritz

Message #52 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, debian-www@lists.debian.org, 859122@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: about 500 DLAs missing from the website

Date: Fri, 8 Feb 2019 14:52:04 +0000

[Message part 1 (text/plain, inline)]

Hi Antoine,

On Sun, Feb 03, 2019 at 02:08:06PM +0100, Salvatore Bonaccorso wrote:
> Thanks for working on this.

indeed!

> On Fri, Feb 01, 2019 at 01:44:10PM -0500, Antoine Beaupré wrote:
> > On 2018-12-19 18:05:36, Antoine Beaupré wrote:
> > > The DLAs are visible here:
> > > https://www-staging.debian.org/security/2018/dla-1580

that one is also visible on
https://www.debian.org/security/2018/dla-1580 now \o/

> > > One thing that's unclear is how the entries get added to the main list
> > > in:
> > > https://www-staging.debian.org/security/2018/
> IMHO they should not be mixed into the same namespace as the DSAs.
> https://www.debian.org/security/ is very specific to the
> debian-security-announce list and contains items for e.g. contacting
> the Debian security team or referecing the respective FAQ.
 
I agree.

(Thus I think
https://salsa.debian.org/webmaster-team/webwml/merge_requests/50 should
be cloded and not merged.)

OTOH I plan to review
https://salsa.debian.org/webmaster-team/webwml/merge_requests/53 once
more and then merge it.)

> I think having a dedicated https://www.debian.org/lts/ where those can
> be collected and having further information on LTS would be somehow
> better.

Yup.

> This will need an adjustment to the tracker side as well so that
> sources filed for Debian LTS DLA's will not link to
> https://www.debian.org/security/$year/dla-$nr .

*nods*

> If a dedicated subpage is not needed and the only purpose is to link
> to a webversion, and the DLA's do not show up in the overall view then
> possibly the status quo is still okay.

I think it's ok for now / the current situation is an improvement over
what we had before, but we really want/need one a dedicated page like
https://www.debian.org/lts/ too.


On Sun, Feb 03, 2019 at 02:38:02PM +0100, Laura Arjona Reina wrote:
> Note that we already have some DLAs published in
> www.debian.org/security/YYYY, for the years 2014, 2015 and 2016. See
> for
> example:
> 
> https://www.debian.org/security/2014/index
> 
> I don't mind to move the already published DLAs to other place if
> people
> decides it's better, but I frankly don't know if/where these URLs are
> used/publicised (in Debian and maybe other places too), and we may
> need
> to setup redirectors from the current URLs to the new ones (no problem
> with that, I say it only to not forget, in case we decide to move all
> the DLAs to a different place).

right. we should do that and probably track this with a bug...


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #57 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Laura Arjona Reina <larjona@debian.org>

To: Holger Levsen <holger@layer-acht.org>, 859122@bugs.debian.org, Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Sat, 9 Feb 2019 03:55:44 +0100

Hello all

Holger Levsen merged the generated DLAs and I've worked to create the
/lts tree to show them separated from the DSA. I have moved to this new
/lts folder the DLAs from years 2014, 2015 and 2016 that we had already,
and remove them from the /security tree and removed references to DLAs
in the Makefiles/indexes in /security.

I think it's mostly done, I've closed all the related MR except one, but
there are some small tasks left, that I hope we can solve together:

* I have initially copied the content of /security/ to /lts/security,
removed subfolders that I think are not needed (audit, key-rollover,
oval, undated) and some other files that I think they were not needed
too. Then I did a search and replace DSA -> DLA, dsa- -> dla- in the
scripts, makefiles and indexes, and fixed the paths, and built locally
(with "make) and I couldn't spot errors, but I don't trust every file
that is currently in /lts/security is needed or has been used with my
"make" command, so a review of the folder (comparing it with /security)
done by an LTS or security team member, is welcome.

* The README needs to be reviewed and adapted (I just did the search and
replace dsa -> dla and DSA -> DLA).

* I guess that parse-advisory.pl (and maybe others) can be removed, but
I was not confident to do it without advice.

* I didn't check the results of the generated RSS feeds. If anybody uses
RSS readers, a review is welcome too.

* The /lts/security/YYYY/index.*.html files show the last advisory for
the cases where there are several files with the same beginning (e.g.
for DSA-nnnn and DSA-nnnn-2, both html files are generated, but the
index only points to the -2 file). If this is not the intended
behaviour, changes in index.wml and Makefiles are needed.

* Please review the content (text, links) of these files:

/lts/index.wml
/lts/security/index.wml

I've tried to be short (for the case translators are fast and then you
decide to heavy rewrite, to not to loose much work).

* Translations have been handled, but I've left the *title* of these
files unchanged:

french/lts/security/*/dla*.wml
russian/lts/security/*/dla*.wml
danish/lts/security/*/dla*.wml
japanese/lts/security/*/dla*.wml

All those files have title "LTS Security Advisories from YYYY" (being
YYYY the year: 2014, or 2015, or 2016). I guess translators can do a
quick search and replace with the correct sentence and they don't need
to update the commit hash, that's already done. I'll contact translators
and point them to this message.

* This new /lts section of the website is not referenced yet in other
places of the Debian website. I'm not sure if it should be referenced in
/security, in /releases/XXXX, or in both. There is also the temptation
of creating a link in the homepage but there is also the suggestion of
reducing the links in the homepage, so... For now, I'll try to add it to
the sitemap and see how many references to the LTS wiki page we have
currently, to see if any of them can be replaced with link to this
section in the website. But I'll wait some days to do it because it's
not clear for me if you want to populate the section to cover all the
aspects of LTS, or keep it only/mainly for security stuff.

* We still need the Apache redirects, so the people that try the old
URLs (wether directly because they knew, or via the security tracker),
find the files they need. What we need to do is send a patch to

https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb

that sets the redirect from
https://www.debian.org/security/any_year/dla-whatever to
https://www.debian.org/security/lts/any_year/dla-whatever

* Adaptation in the security tracker so the new URL paths are used from
now on is also needed.

Thanks for reading so long!

Kind regards

El 8/2/19 a las 15:52, Holger Levsen escribió:
> Hi Antoine,
> 
> On Sun, Feb 03, 2019 at 02:08:06PM +0100, Salvatore Bonaccorso wrote:
>> Thanks for working on this.
> 
> indeed!
> 
>> On Fri, Feb 01, 2019 at 01:44:10PM -0500, Antoine Beaupré wrote:
>>> On 2018-12-19 18:05:36, Antoine Beaupré wrote:
>>>> The DLAs are visible here:
>>>> https://www-staging.debian.org/security/2018/dla-1580
> 
> that one is also visible on
> https://www.debian.org/security/2018/dla-1580 now \o/
> 
>>>> One thing that's unclear is how the entries get added to the main list
>>>> in:
>>>> https://www-staging.debian.org/security/2018/
>> IMHO they should not be mixed into the same namespace as the DSAs.
>> https://www.debian.org/security/ is very specific to the
>> debian-security-announce list and contains items for e.g. contacting
>> the Debian security team or referecing the respective FAQ.
>  
> I agree.
> 
> (Thus I think
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/50 should
> be cloded and not merged.)
> 
> OTOH I plan to review
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/53 once
> more and then merge it.)
> 
>> I think having a dedicated https://www.debian.org/lts/ where those can
>> be collected and having further information on LTS would be somehow
>> better.
> 
> Yup.
> 
>> This will need an adjustment to the tracker side as well so that
>> sources filed for Debian LTS DLA's will not link to
>> https://www.debian.org/security/$year/dla-$nr .
> 
> *nods*
> 
>> If a dedicated subpage is not needed and the only purpose is to link
>> to a webversion, and the DLA's do not show up in the overall view then
>> possibly the status quo is still okay.
> 
> I think it's ok for now / the current situation is an improvement over
> what we had before, but we really want/need one a dedicated page like
> https://www.debian.org/lts/ too.
> 
> 
> On Sun, Feb 03, 2019 at 02:38:02PM +0100, Laura Arjona Reina wrote:
>> Note that we already have some DLAs published in
>> www.debian.org/security/YYYY, for the years 2014, 2015 and 2016. See
>> for
>> example:
>>
>> https://www.debian.org/security/2014/index
>>
>> I don't mind to move the already published DLAs to other place if
>> people
>> decides it's better, but I frankly don't know if/where these URLs are
>> used/publicised (in Debian and maybe other places too), and we may
>> need
>> to setup redirectors from the current URLs to the new ones (no problem
>> with that, I say it only to not forget, in case we decide to move all
>> the DLAs to a different place).
> 
> right. we should do that and probably track this with a bug...
> 
> 

-- 
Laura Arjona Reina
https://wiki.debian.org/LauraArjona

Message #62 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Laura Arjona Reina <larjona@debian.org>

Cc: 859122@bugs.debian.org, Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Sat, 9 Feb 2019 14:39:50 +0000

[Message part 1 (text/plain, inline)]

Hi Laura,

many many thanks for your work on this, including and especially this
writeup!

some comments below, where I dont say anything I mean 'yay"! :)

On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
> * The /lts/security/YYYY/index.*.html files show the last advisory for
> the cases where there are several files with the same beginning (e.g.
> for DSA-nnnn and DSA-nnnn-2, both html files are generated, but the
> index only points to the -2 file). If this is not the intended
> behaviour, changes in index.wml and Makefiles are needed.

I think we want the other DLAs linked from the indexes as well.

shall we file a bug to not forget this?

> * Please review the content (text, links) of these files:
> /lts/index.wml
> /lts/security/index.wml

the former seems a bit bare to me. Also, isnt the 2nd enough, so that we
can just drop/not have the former?

> * This new /lts section of the website is not referenced yet in other
> places of the Debian website. I'm not sure if it should be referenced in
> /security, in /releases/XXXX, or in both.

I think there is no hurry for this, rather I would suggest to not
reference for now and then look again in 2-4 weeks, so that we get a
better idea where we want it.
 
> * We still need the Apache redirects, so the people that try the old
> URLs (wether directly because they knew, or via the security tracker),
> find the files they need. What we need to do is send a patch to
> 
> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
> 
> that sets the redirect from
> https://www.debian.org/security/any_year/dla-whatever to
> https://www.debian.org/security/lts/any_year/dla-whatever

right. shall we file a bug to not forget this?

> * Adaptation in the security tracker so the new URL paths are used from
> now on is also needed.

right. shall we file a bug to not forget this?

> Thanks for reading so long!

Thank you for getting us here!


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #67 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>

To: Laura Arjona Reina <larjona@debian.org>, Holger Levsen <holger@layer-acht.org>, 859122@bugs.debian.org, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Mon, 11 Feb 2019 15:56:41 -0500

On 2019-02-09 03:55:44, Laura Arjona Reina wrote:
> Hello all
>
> Holger Levsen merged the generated DLAs and I've worked to create the
> /lts tree to show them separated from the DSA. I have moved to this new
> /lts folder the DLAs from years 2014, 2015 and 2016 that we had already,
> and remove them from the /security tree and removed references to DLAs
> in the Makefiles/indexes in /security.
>
> I think it's mostly done, I've closed all the related MR except one, but
> there are some small tasks left, that I hope we can solve together:
>
> * I have initially copied the content of /security/ to /lts/security,
> removed subfolders that I think are not needed (audit, key-rollover,
> oval, undated) and some other files that I think they were not needed
> too. Then I did a search and replace DSA -> DLA, dsa- -> dla- in the
> scripts, makefiles and indexes, and fixed the paths, and built locally
> (with "make) and I couldn't spot errors, but I don't trust every file
> that is currently in /lts/security is needed or has been used with my
> "make" command, so a review of the folder (comparing it with /security)
> done by an LTS or security team member, is welcome.

It's true there's a lot of junk in there... I suspect most of the `.pl`
scripts in there could actually be symlink to the main secteam scripts,
because they are basically the same.

I also suspect most of the stuff is unused, even from the secteam's
point of view. For example, `check-cve-refs.pl` assumes there's a
`security/data` directory in the website, which is not the case
(anymore?). I would suggest removing those from at least the LTS
section and have done so in the following MR:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/55

> * The README needs to be reviewed and adapted (I just did the search and
> replace dsa -> dla and DSA -> DLA).

Done as well in the same MR.

> * I guess that parse-advisory.pl (and maybe others) can be removed, but
> I was not confident to do it without advice.

Done as well in the same MR.

> * I didn't check the results of the generated RSS feeds. If anybody uses
> RSS readers, a review is welcome too.

It looks good to me here.

> * The /lts/security/YYYY/index.*.html files show the last advisory for
> the cases where there are several files with the same beginning (e.g.
> for DSA-nnnn and DSA-nnnn-2, both html files are generated, but the
> index only points to the -2 file). If this is not the intended
> behaviour, changes in index.wml and Makefiles are needed.

Ideally, we'd show both, is that possible?

> * Please review the content (text, links) of these files:
>
> /lts/index.wml
> /lts/security/index.wml
>
> I've tried to be short (for the case translators are fast and then you
> decide to heavy rewrite, to not to loose much work).

That makes sense to me. I wonder if we should link to the
crossreferences.wml content, which is also relevant here.

> * Translations have been handled, but I've left the *title* of these
> files unchanged:
>
> french/lts/security/*/dla*.wml
> russian/lts/security/*/dla*.wml
> danish/lts/security/*/dla*.wml
> japanese/lts/security/*/dla*.wml
>
> All those files have title "LTS Security Advisories from YYYY" (being
> YYYY the year: 2014, or 2015, or 2016). I guess translators can do a
> quick search and replace with the correct sentence and they don't need
> to update the commit hash, that's already done. I'll contact translators
> and point them to this message.

Fair enough.

> * This new /lts section of the website is not referenced yet in other
> places of the Debian website. I'm not sure if it should be referenced in
> /security, in /releases/XXXX, or in both. There is also the temptation
> of creating a link in the homepage but there is also the suggestion of
> reducing the links in the homepage, so... For now, I'll try to add it to
> the sitemap and see how many references to the LTS wiki page we have
> currently, to see if any of them can be replaced with link to this
> section in the website. But I'll wait some days to do it because it's
> not clear for me if you want to populate the section to cover all the
> aspects of LTS, or keep it only/mainly for security stuff.

I would avoid putting the LTS work too proeminently on the website at
this point, to be honest. The goal of publishing those advisories there,
for me, is coherence: they were already partly present and I wanted to
have them *all* available *somewhere* with a predictable URL and RSS
feeds (as opposed to, say the mailing list).

We shouldn't get into the slippery debate of how much we want LTS
content on the website, in my opinion.

> * We still need the Apache redirects, so the people that try the old
> URLs (wether directly because they knew, or via the security tracker),
> find the files they need. What we need to do is send a patch to
>
> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
>
> that sets the redirect from
> https://www.debian.org/security/any_year/dla-whatever to
> https://www.debian.org/security/lts/any_year/dla-whatever

I'll work on this.

> * Adaptation in the security tracker so the new URL paths are used from
> now on is also needed.

Ironically, I don't believe the URLs are linked from the security
tracker right now. This was originally what I wanted to fix but stopped
when I realized it wouldn't actually work for LTS...

A.

-- 
The most prudent course for any society is to start from the
assumption that the Internet should be fundamentally outside the
domain of capital.
                        - The Internet's Unholy Marriage to Capitalism

Message #72 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>

To: Holger Levsen <holger@layer-acht.org>, Laura Arjona Reina <larjona@debian.org>

Cc: 859122@bugs.debian.org, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Mon, 11 Feb 2019 16:26:38 -0500

On 2019-02-09 14:39:50, Holger Levsen wrote:
> Hi Laura,
>
> many many thanks for your work on this, including and especially this
> writeup!
>
> some comments below, where I dont say anything I mean 'yay"! :)
>
> On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
>> * The /lts/security/YYYY/index.*.html files show the last advisory for
>> the cases where there are several files with the same beginning (e.g.
>> for DSA-nnnn and DSA-nnnn-2, both html files are generated, but the
>> index only points to the -2 file). If this is not the intended
>> behaviour, changes in index.wml and Makefiles are needed.
>
> I think we want the other DLAs linked from the indexes as well.
>
> shall we file a bug to not forget this?

I looked into this, and couldn't figure it out.

Please do file a bug for now, I have no idea how to fix this...

[...]

>> * We still need the Apache redirects, so the people that try the old
>> URLs (wether directly because they knew, or via the security tracker),
>> find the files they need. What we need to do is send a patch to
>> 
>> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
>> 
>> that sets the redirect from
>> https://www.debian.org/security/any_year/dla-whatever to
>> https://www.debian.org/security/lts/any_year/dla-whatever
>
> right. shall we file a bug to not forget this?

Filed the patch here:

https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1

Reviews welcome. I'm particularly doubtful of the dla-map thing - it's
not in the source repo, but can I assume it's present on the website
deployment?

>> * Adaptation in the security tracker so the new URL paths are used from
>> now on is also needed.
>
> right. shall we file a bug to not forget this?

Sure, please do.

A.

-- 
People arbitrarily, or as a matter of taste, assigning numerical values
to non-numerical things. And then they pretend that they haven't just
made the numbers up, which they have. Economics is like astrology in
that sense, except that economics serves to justify the current power
structure, and so it has a lot of fervent believers among the powerful.
                        - Kim Stanley Robinson, Red Mars

Message #77 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Laura Arjona Reina <larjona@debian.org>

Cc: Holger Levsen <holger@layer-acht.org>, 859122@bugs.debian.org, Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Tue, 12 Feb 2019 08:13:18 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
> * We still need the Apache redirects, so the people that try the old
> URLs (wether directly because they knew, or via the security tracker),
> find the files they need. What we need to do is send a patch to
> 
> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
> 
> that sets the redirect from
> https://www.debian.org/security/any_year/dla-whatever to
> https://www.debian.org/security/lts/any_year/dla-whatever
> 
> * Adaptation in the security tracker so the new URL paths are used from
> now on is also needed.

I have the attached patch commited in a local branch, but want first
to confirm is this the final intended URL to reach the DLAs?

Regards,
Salvatore

[0001-Adapt-URL-to-DLA-advisories-in-a-https-www.debian.or.patch (text/x-diff, attachment)]

Message #82 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>

To: Salvatore Bonaccorso <carnil@debian.org>, Laura Arjona Reina <larjona@debian.org>

Cc: Holger Levsen <holger@layer-acht.org>, 859122@bugs.debian.org, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Tue, 12 Feb 2019 10:40:23 -0500

On 2019-02-12 08:13:18, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
>> * We still need the Apache redirects, so the people that try the old
>> URLs (wether directly because they knew, or via the security tracker),
>> find the files they need. What we need to do is send a patch to
>> 
>> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
>> 
>> that sets the redirect from
>> https://www.debian.org/security/any_year/dla-whatever to
>> https://www.debian.org/security/lts/any_year/dla-whatever
>> 
>> * Adaptation in the security tracker so the new URL paths are used from
>> now on is also needed.
>
> I have the attached patch commited in a local branch, but want first
> to confirm is this the final intended URL to reach the DLAs?
>
> Regards,
> Salvatore
> From ceda9e3d1fc38f505462bce8c0aa4cdd2b165d87 Mon Sep 17 00:00:00 2001
> From: Salvatore Bonaccorso <carnil@debian.org>
> Date: Tue, 12 Feb 2019 08:10:16 +0100
> Subject: [PATCH] Adapt URL to DLA advisories in a
>  https://www.debian.org/security/lts/
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> As discussed in https://bugs.debian.org/859122 DLAs and DSAs will be
> separated in different supages. This needs adaption for the URL
> referenced in the source fields of the security-tracker for DLAs.
>
> Thanks: Laura Arjona Reina, Holger Levsen and Antoine Beaupré
> ---
>  bin/tracker_service.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/bin/tracker_service.py b/bin/tracker_service.py
> index 971f4b4e38eb..a2ea755d8f39 100755
> --- a/bin/tracker_service.py
> +++ b/bin/tracker_service.py
> @@ -1574,7 +1574,7 @@ Debian bug number.'''),
>              for (date,) in self.db.cursor().execute(
>                  "SELECT release_date FROM bugs WHERE name = ?", (dla,)):
>                  (y, m, d) = date.split('-')
> -                return url.absolute("https://www.debian.org/security/%d/dla-%d"
> +                return url.absolute("https://www.debian.org/security/lts/%d/dla-%d"
>                                      % (int(y), int(number)))
>          return None

I believe this is backwards, you want /lts/security, not /security/lts.

For example:

https://www.debian.org/lts/security/2019/dla-1659

I was also hoping to see the "errata number" in there, but it seems I
was mistaken.

-- 
L'ennui avec la grande famille humaine, c'est que tout le monde veut
en être le père.
                        - Mafalda

Message #87 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Antoine Beaupré <anarcat@orangeseeds.org>

Cc: Laura Arjona Reina <larjona@debian.org>, 859122@bugs.debian.org, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Wed, 13 Feb 2019 18:00:38 +0000

[Message part 1 (text/plain, inline)]

Hi,

On Mon, Feb 11, 2019 at 04:26:38PM -0500, Antoine Beaupré wrote:
> > I think we want the other DLAs linked from the indexes as well.
> > shall we file a bug to not forget this?
> I looked into this, and couldn't figure it out.
> Please do file a bug for now, I have no idea how to fix this...

ok, will do.

> >> that sets the redirect from
> >> https://www.debian.org/security/any_year/dla-whatever to
> >> https://www.debian.org/security/lts/any_year/dla-whatever
> > right. shall we file a bug to not forget this?
> Filed the patch here:
> https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1

cool, thank you.

> Reviews welcome. I'm particularly doubtful of the dla-map thing - it's
> not in the source repo, but can I assume it's present on the website
> deployment?

I cannot comment on that dla-map, the rest looks good to me. (And
simpler than I expected.)

> >> * Adaptation in the security tracker so the new URL paths are used from
> >> now on is also needed.
> > right. shall we file a bug to not forget this?

ok, will do.


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #92 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Antoine Beaupré <anarcat@orangeseeds.org>

Cc: Laura Arjona Reina <larjona@debian.org>, 859122@bugs.debian.org, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#859122: about 500 DLAs missing from the website

Date: Wed, 13 Feb 2019 18:31:09 +0000

[Message part 1 (text/plain, inline)]

On Mon, Feb 11, 2019 at 03:56:41PM -0500, Antoine Beaupré wrote:
> It's true there's a lot of junk in there... I suspect most of the `.pl`
> scripts in there could actually be symlink to the main secteam scripts,
> because they are basically the same.
> 
> I also suspect most of the stuff is unused, even from the secteam's
> point of view. For example, `check-cve-refs.pl` assumes there's a
> `security/data` directory in the website, which is not the case
> (anymore?). 

I'll also leave that to the security/www teams considerations ;)

> I would suggest removing those from at least the LTS
> section and have done so in the following MR:
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/55

I've reviewed, merged and pushed this now. Thank you!

 
> > * This new /lts section of the website is not referenced yet in other
> > places of the Debian website. I'm not sure if it should be referenced in
> > /security, in /releases/XXXX, or in both. There is also the temptation
> > of creating a link in the homepage but there is also the suggestion of
> > reducing the links in the homepage, so... For now, I'll try to add it to
> > the sitemap and see how many references to the LTS wiki page we have
> > currently, to see if any of them can be replaced with link to this
> > section in the website. But I'll wait some days to do it because it's
> > not clear for me if you want to populate the section to cover all the
> > aspects of LTS, or keep it only/mainly for security stuff.
> I would avoid putting the LTS work too proeminently on the website at
> this point, to be honest. The goal of publishing those advisories there,
> for me, is coherence: they were already partly present and I wanted to
> have them *all* available *somewhere* with a predictable URL and RSS
> feeds (as opposed to, say the mailing list).
 
agreed.

> We shouldn't get into the slippery debate of how much we want LTS
> content on the website, in my opinion.

at least for here and now! :)


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #97 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 859122@bugs.debian.org, debian-lts@lists.debian.org

Subject: 31 DLAs missing from the website

Date: Fri, 22 Feb 2019 16:55:04 +0000

[Message part 1 (text/plain, inline)]

control: tags -1 - patch
control: retitle -1 31 DLAs missing from the website
thanks

Hi,

due to the work of mostly Antoine and Laura, over 1600 DLAs are now
visible on www.debian.org/lts - this is pretty awesome IMO!

A few are still missing however:

~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA  
ERROR: .data or .wml file missing for DLA 1685-1
ERROR: .data or .wml file missing for DLA 1684-1
ERROR: .data or .wml file missing for DLA 1683-1
ERROR: .data or .wml file missing for DLA 1682-1
ERROR: .data or .wml file missing for DLA 1130-1
ERROR: .data or .wml file missing for DLA 772-1
ERROR: .data or .wml file missing for DLA 719-1
ERROR: .data or .wml file missing for DLA 706-1
ERROR: .data or .wml file missing for DLA 659-1
ERROR: .data or .wml file missing for DLA 607-1
ERROR: .data or .wml file missing for DLA 580-1
ERROR: .data or .wml file missing for DLA 567-1
ERROR: .data or .wml file missing for DLA 377-1
ERROR: .data or .wml file missing for DLA 267-1
ERROR: .data or .wml file missing for DLA 115-2
ERROR: .data or .wml file missing for DLA 145-2
ERROR: .data or .wml file missing for DLA 0015-1
ERROR: .data or .wml file missing for DLA 0014-1
ERROR: .data or .wml file missing for DLA 0013-1
ERROR: .data or .wml file missing for DLA 0012-1
ERROR: .data or .wml file missing for DLA 0011-1
ERROR: .data or .wml file missing for DLA 0010-1
ERROR: .data or .wml file missing for DLA 0009-1
ERROR: .data or .wml file missing for DLA 0008-1
ERROR: .data or .wml file missing for DLA 0007-1
ERROR: .data or .wml file missing for DLA 0006-1
ERROR: .data or .wml file missing for DLA 0005-1
ERROR: .data or .wml file missing for DLA 0004-1
ERROR: .data or .wml file missing for DLA 0003-1
ERROR: .data or .wml file missing for DLA 0002-1
ERROR: .data or .wml file missing for DLA 0001-1

I suppose we should be able to fix those as well ;)


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

In Europe there are people prosecuted by courts because they saved other people
from drowning in the  Mediterranean Sea.  That is almost as absurd  as if there
were people being prosecuted because they save humans from drowning in the sea.

[signature.asc (application/pgp-signature, inline)]

Message #108 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>

To: Holger Levsen <holger@layer-acht.org>, 859122@bugs.debian.org, debian-lts@lists.debian.org

Subject: Re: 31 DLAs missing from the website

Date: Fri, 12 Apr 2019 16:03:25 +1000

Holger Levsen <holger@layer-acht.org> writes:

> ~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA  
> ERROR: .data or .wml file missing for DLA 1685-1
> ERROR: .data or .wml file missing for DLA 1684-1
> ERROR: .data or .wml file missing for DLA 1683-1
> ERROR: .data or .wml file missing for DLA 1682-1

I haven't look at these.

> ERROR: .data or .wml file missing for DLA 1130-1
> ERROR: .data or .wml file missing for DLA 719-1
> ERROR: .data or .wml file missing for DLA 706-1
> ERROR: .data or .wml file missing for DLA 659-1

Looks like these are all mine, I have copies of the outgoing emails, but
from my private mail archives, not in the public web archive. So I guess
that means I am the only one who can fix these :-)

> ERROR: .data or .wml file missing for DLA 772-1
> ERROR: .data or .wml file missing for DLA 607-1
> ERROR: .data or .wml file missing for DLA 567-1
> ERROR: .data or .wml file missing for DLA 377-1
> ERROR: .data or .wml file missing for DLA 267-1
> ERROR: .data or .wml file missing for DLA 115-2
> ERROR: .data or .wml file missing for DLA 145-2

I can't actually find these - or anything like them - in the mailing
list archives or on my computer.

* I can find DLA-567-2 but not a DLA-567-1; I suspect DLA-567-2 was sent
  instead of DLA-567-1.

> ERROR: .data or .wml file missing for DLA 580-1

I suspect that might be this email:

Date: Mon, 1 Aug 2016 12:05:55 +0200
From: Balint Reczey <balint@balintreczey.hu>
Subject: [SECURITY] [REGRESSION] [DLA -] graphite2 regression update
To: debian-lts-announce@lists.debian.org
Mail-Followup-To: debian-lts@lists.debian.org

Source: https://lists.debian.org/debian-lts-announce/2016/08/msg00000.html

Impossible to mark a positive identication, however the email was sent
after DLA-578-1, before DLA-582-1, and the package name matches, and the
security tracker has similar title.

I can't find the original DLA that caused the breakage however.

I also noticed this other email without a DLA:
https://lists.debian.org/debian-lts-announce/2016/08/msg00010.html

As far as I can tell, this one may not actually have a DLA.

> ERROR: .data or .wml file missing for DLA 0015-1
> ERROR: .data or .wml file missing for DLA 0014-1
> ERROR: .data or .wml file missing for DLA 0013-1
> ERROR: .data or .wml file missing for DLA 0012-1
> ERROR: .data or .wml file missing for DLA 0011-1
> ERROR: .data or .wml file missing for DLA 0010-1
> ERROR: .data or .wml file missing for DLA 0009-1
> ERROR: .data or .wml file missing for DLA 0008-1
> ERROR: .data or .wml file missing for DLA 0007-1
> ERROR: .data or .wml file missing for DLA 0006-1
> ERROR: .data or .wml file missing for DLA 0005-1
> ERROR: .data or .wml file missing for DLA 0004-1
> ERROR: .data or .wml file missing for DLA 0003-1
> ERROR: .data or .wml file missing for DLA 0002-1
> ERROR: .data or .wml file missing for DLA 0001-1

These are fixed.
-- 
Brian May <bam@debian.org>

Message #113 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 859122@bugs.debian.org, debian-lts@lists.debian.org

Subject: Re: 31 DLAs missing from the website

Date: Mon, 15 Apr 2019 12:06:35 +0000

[Message part 1 (text/plain, inline)]

control: retitle -1 7 DLAs missing from the website (or not)
thanks

Hi Brian,

many thanks for all your fixes on this bug!

On Fri, Apr 12, 2019 at 04:03:25PM +1000, Brian May wrote:
> > ERROR: .data or .wml file missing for DLA 1130-1
> > ERROR: .data or .wml file missing for DLA 719-1
> > ERROR: .data or .wml file missing for DLA 706-1
> > ERROR: .data or .wml file missing for DLA 659-1
> Looks like these are all mine, I have copies of the outgoing emails, but
> from my private mail archives, not in the public web archive. So I guess
> that means I am the only one who can fix these :-)

and you did. Many thanks for that!

> > ERROR: .data or .wml file missing for DLA 772-1

this one has been dealt with

> > ERROR: .data or .wml file missing for DLA 607-1
> > ERROR: .data or .wml file missing for DLA 567-1
> > ERROR: .data or .wml file missing for DLA 377-1
> > ERROR: .data or .wml file missing for DLA 267-1
> > ERROR: .data or .wml file missing for DLA 115-2
> > ERROR: .data or .wml file missing for DLA 145-2
> I can't actually find these - or anything like them - in the mailing
> list archives or on my computer.

I believe those DLAs were allocated but never used. We will need to double
check and then probably provide dummy/empty DLAs documenting this.

> * I can find DLA-567-2 but not a DLA-567-1; I suspect DLA-567-2 was sent
>   instead of DLA-567-1.

fun ;)

> > ERROR: .data or .wml file missing for DLA 580-1
> 
> I suspect that might be this email:
> 
> Date: Mon, 1 Aug 2016 12:05:55 +0200
> From: Balint Reczey <balint@balintreczey.hu>
> Subject: [SECURITY] [REGRESSION] [DLA -] graphite2 regression update
> To: debian-lts-announce@lists.debian.org
> Mail-Followup-To: debian-lts@lists.debian.org
> 
> Source: https://lists.debian.org/debian-lts-announce/2016/08/msg00000.html
> 
> Impossible to mark a positive identication, however the email was sent
> after DLA-578-1, before DLA-582-1, and the package name matches, and the
> security tracker has similar title.

seems like DLA 580 indeed.


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #120 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>

To: Holger Levsen <holger@layer-acht.org>, 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Wed, 14 Aug 2019 17:16:46 +1000

On Mon, Apr 15, 2019 at 12:06:35PM +0000, Holger Levsen wrote:
> many thanks for all your fixes on this bug!

Can you please rerun the command:

~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA

I am loosing track of which DLAs are still missing, and it looks like
I can't run that command myself.

Thanks
-- 
Brian May <bam@debian.org>

Message #125 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Brian May <bam@debian.org>

Cc: 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Wed, 14 Aug 2019 11:16:50 +0000

[Message part 1 (text/plain, inline)]

Hi Brian,

On Wed, Aug 14, 2019 at 05:16:46PM +1000, Brian May wrote:
> On Mon, Apr 15, 2019 at 12:06:35PM +0000, Holger Levsen wrote:
> > many thanks for all your fixes on this bug!
> Can you please rerun the command:
> ~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA

~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA  2>&1
ERROR: .data or .wml file missing for DLA 1885-1
ERROR: .data or .wml file missing for DLA 1884-1
ERROR: .data or .wml file missing for DLA 1879-1
ERROR: .data or .wml file missing for DLA 1877-1
ERROR: .data or .wml file missing for DLA 1871-1
ERROR: .data or .wml file missing for DLA 1846-2
ERROR: .data or .wml file missing for DLA 1833-2
ERROR: .data or .wml file missing for DLA 1784-1
ERROR: .data or .wml file missing for DLA 607-1
ERROR: .data or .wml file missing for DLA 567-1
ERROR: .data or .wml file missing for DLA 377-1
ERROR: .data or .wml file missing for DLA 267-1
ERROR: .data or .wml file missing for DLA 115-2
ERROR: .data or .wml file missing for DLA 145-2

> I am loosing track of which DLAs are still missing, and it looks like
> I can't run that command myself.

it's not merged into master but it's only in MR#1 for the cron.git repo
of debian-www...

Thanks for looking into this again!


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #130 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Thu, 15 Aug 2019 17:31:51 +1000

Holger Levsen <holger@layer-acht.org> writes:

> ERROR: .data or .wml file missing for DLA 145-2

Hmm. Looks like that really should exist, and point to next version
5.3.3-7+squeeze25

(DLA-145-1 points to 5.3.3-7+squeeze24)


Here is the relevant information I can find:


commit f225a141ff91e4790ef74f00893cf29c2521eff6
Author: Thorsten Alteholz <alteholz@debian.org>
Date:   Mon Feb 2 16:30:14 2015 +0000

    DLA-145-1 php5 regression update
    
    git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@31913 e39458fd-73e7-0310-bf30-c45bca0a0e42

diff --git a/data/DLA/list b/data/DLA/list
index efe2117968..abf5a895cd 100644
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,5 @@
+[02 Feb 2015] DLA-145-2 php5 - regression update
+       [squeeze] - php5 5.3.3-7+squeeze25
 [31 Jan 2015] DLA-145-1 php5 - security update
        {CVE-2014-0237 CVE-2014-0238 CVE-2014-2270 CVE-2014-8117}
        [squeeze] - php5 5.3.3-7+squeeze24



php5 (5.3.3-7+squeeze25) squeeze-lts; urgency=high

  * Non-maintainer upload by the Squeeze LTS Team.
  * as the patch for PHP bug 68739 seems to break cURL cookie handling
    it is removed again in this version, CVE-2015-TEMP-1.patch is affected
    (bug report can be found in: 
     https://lists.debian.org/debian-lts/2015/02/msg00007.html)

 -- Thorsten Alteholz <debian@alteholz.de>  Mon, 02 Feb 2015 14:17:00 +0100


* https://bugs.php.net/bug.php?id=68739: upstream bug.

* https://lists.debian.org/debian-lts/2015/02/msg00007.html contains
technical information on the regression.


So it looks like the fix was reverted, which means in turn means that
CVE-2015-TEMP-1 was not fixed despite DLA 145-1 declaring otherwise,
however no point worrying about that now.... :-)


Where to from here? Should I invent an appropriate DLA-145-2 based on
the information above?
-- 
Brian May <bam@debian.org>

Message #135 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Brian May <bam@debian.org>

Cc: 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Thu, 15 Aug 2019 14:08:45 +0000

[Message part 1 (text/plain, inline)]

Hi Brian,

thanks for caring about this old information!

On Thu, Aug 15, 2019 at 05:31:51PM +1000, Brian May wrote:
> Where to from here? Should I invent an appropriate DLA-145-2 based on
> the information above?

yes, that seems very reasonable.


-- 
tschau,
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #140 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>

To: Holger Levsen <holger@layer-acht.org>, 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Thu, 22 Aug 2019 17:38:18 +1000

On Wed, Aug 14, 2019 at 11:16:50AM +0000, Holger Levsen wrote:
> ~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA  2>&1
> ERROR: .data or .wml file missing for DLA 1885-1
> ERROR: .data or .wml file missing for DLA 1884-1
> ERROR: .data or .wml file missing for DLA 1879-1
> ERROR: .data or .wml file missing for DLA 1877-1
> ERROR: .data or .wml file missing for DLA 1871-1
> ERROR: .data or .wml file missing for DLA 1846-2
> ERROR: .data or .wml file missing for DLA 1833-2
> ERROR: .data or .wml file missing for DLA 1784-1
> ERROR: .data or .wml file missing for DLA 607-1
> ERROR: .data or .wml file missing for DLA 567-1
> ERROR: .data or .wml file missing for DLA 377-1
> ERROR: .data or .wml file missing for DLA 267-1
> ERROR: .data or .wml file missing for DLA 115-2
> ERROR: .data or .wml file missing for DLA 145-2

I believe all of these have now been resolved.
-- 
Brian May <bam@debian.org>

Message #145 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Brian May <bam@debian.org>

Cc: 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Thu, 29 Aug 2019 11:18:11 +0000

[Message part 1 (text/plain, inline)]

control: retitle -1 1 DLA missing from the website (or not)
thanks

Hi Brian,

On Thu, Aug 22, 2019 at 05:38:18PM +1000, Brian May wrote:
> On Wed, Aug 14, 2019 at 11:16:50AM +0000, Holger Levsen wrote:
> > ~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA  2>&1
> > ERROR: .data or .wml file missing for DLA 1885-1
> > ERROR: .data or .wml file missing for DLA 1884-1
> > ERROR: .data or .wml file missing for DLA 1879-1
> > ERROR: .data or .wml file missing for DLA 1877-1
> > ERROR: .data or .wml file missing for DLA 1871-1
> > ERROR: .data or .wml file missing for DLA 1846-2
> > ERROR: .data or .wml file missing for DLA 1833-2
> > ERROR: .data or .wml file missing for DLA 1784-1
> > ERROR: .data or .wml file missing for DLA 607-1
> > ERROR: .data or .wml file missing for DLA 567-1
> > ERROR: .data or .wml file missing for DLA 377-1
> > ERROR: .data or .wml file missing for DLA 267-1
> > ERROR: .data or .wml file missing for DLA 115-2
> > ERROR: .data or .wml file missing for DLA 145-2
> 
> I believe all of these have now been resolved.

the script disagrees on DLA 607-1 and 377-1 and indeed
https://www.debian.org/lts/security/2016/dla-607 does not exist.
while https://www.debian.org/lts/security/2016/dla-377 does (which
matches debian-www.git)

do you know what's up with DLA-607?


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #152 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Brian May <bam@debian.org>

Cc: 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Thu, 29 Aug 2019 11:18:45 +0000

[Message part 1 (text/plain, inline)]

On Thu, Aug 22, 2019 at 05:38:18PM +1000, Brian May wrote:
> I believe all of these have now been resolved.

and YAY! (& sorry I forgot that in my previous mail!)

[signature.asc (application/pgp-signature, inline)]

Message #157 received at 859122@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: 859122@bugs.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Mon, 09 Sep 2019 17:34:49 +1000

Holger Levsen <holger@layer-acht.org> writes:

> the script disagrees on DLA 607-1 and 377-1 and indeed
> https://www.debian.org/lts/security/2016/dla-607 does not exist.
> while https://www.debian.org/lts/security/2016/dla-377 does (which
> matches debian-www.git)
>
> do you know what's up with DLA-607?

Oops. I looked at it, then forgot to finish.

See https://salsa.debian.org/webmaster-team/webwml/merge_requests/222

Not sure why you referenced dla-377 - is there something wrong with this
one?
-- 
Brian May <bam@debian.org>

Message #162 received at 859122-done@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Brian May <bam@debian.org>

Cc: 859122-done@bugs.debian.org, debian-lts@lists.debian.org

Subject: Re: Bug#859122: 31 DLAs missing from the website

Date: Fri, 27 Sep 2019 17:36:49 +0000

[Message part 1 (text/plain, inline)]

Hi Brian and *,

On Mon, Sep 09, 2019 at 05:34:49PM +1000, Brian May wrote:
> Not sure why you referenced dla-377 - is there something wrong with this
> one?

yes but this commit in webwml.git fixed it:

[master 2c291090ef1] dla-377 was released on 2015-12-31

Which means: now all old DLAs are available on www.debian.org, yay!

Thanks to everyone involved making this happen!


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.