authorRaphaël Hertzog <hertzog@debian.org>2015-02-18 17:04:21 +0000
committerRaphaël Hertzog <hertzog@debian.org>2015-02-18 17:04:21 +0000
commit42c7bfb90aa67e3330758331997c6cad18cf8e3c (patch)
tree9b8717d22cb58581128d7c5b59134616ce3f6bd4
parent6d16ea7a2b6d1aeed7d9a2f1b1a16737ac3f9a34 (diff)
Add a new helper script to contact package maintainers
For now I have only provided sample templates for the LTS team, but everything is ready if the security team wants to use it too. git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@32318 e39458fd-73e7-0310-bf30-c45bca0a0e42
-rwxr-xr-xbin/contact-maintainers83
-rw-r--r--templates/lts-no-dsa.txt41
-rw-r--r--templates/lts-update-planned.txt45
3 files changed, 169 insertions, 0 deletions
diff --git a/bin/contact-maintainers b/bin/contact-maintainers
new file mode 100755
index 0000000000..ca010901c9
--- /dev/null
+++ b/bin/contact-maintainers
@@ -0,0 +1,83 @@
+#!/usr/bin/python
+
+import argparse
+import os
+import pwd
+import subprocess
+import tempfile
+
+from jinja2 import Template
+
+
+def get_full_name():
+ full_name = os.getenv('DEBFULLNAME')
+ if full_name:
+ return full_name.decode('utf-8')
+ return pwd.getpwuid(os.getuid()).pw_gecos.split(',')[0].decode('utf-8')
+
+
+def get_source_field(pkg, name):
+ # XXX: retrieve data in a more reliable way
+ cmd = 'apt-cache showsrc {}|grep ^{}:|tail -n 1'.format(
+ pkg, name.capitalize())
+ output = subprocess.check_output(cmd, shell=True).strip()
+ if output:
+ return output.decode('utf-8').split(': ')[1]
+ return ''
+
+
+def get_maintainer(pkg):
+ return get_source_field(pkg, 'Maintainer')
+
+
+def get_uploaders(pkg):
+ return get_source_field(pkg, 'Uploaders')
+
+
+# Parse command line
+parser = argparse.ArgumentParser(
+ description='Get in touch with package maintainers')
+parser.add_argument('--lts', action='store_true',
+ help='Act as a member of the LTS team')
+parser.add_argument('--no-dsa', dest='no_dsa', action='store_true',
+ help='Act as a member of the LTS team')
+parser.add_argument('--mailer', action='store', default='mutt -H {}',
+ help='Command executed. Must contain {} to be replaced '
+ 'by the filename of the draft contact mail')
+parser.add_argument('package')
+parser.add_argument('cve', nargs='*')
+args = parser.parse_args()
+
+cc = 'debian-lts@lists.debian.org' if args.lts else 'team@security.debian.org'
+team = 'lts' if args.lts else 'sec'
+model = 'no-dsa' if args.no_dsa else 'update-planned'
+template_file = 'templates/{}-{}.txt'.format(team, model)
+
+# Generate the context
+
+# XXX: Once that 761859 is fixed, improve the logic here to:
+# - retrieve the current list of CVE dynamically
+# - check whether we should use the no-dsa variant of the template
+# - check whether we have an open bug report, in which case we should
+# include it in the recipients of the mail
+
+context = {
+ 'package': args.package,
+ 'sender': get_full_name(),
+ 'cve': args.cve,
+ 'to': get_maintainer(args.package),
+ 'cc': cc,
+ 'uploaders': get_uploaders(args.package),
+}
+
+# Generate the mail
+with open(template_file) as f:
+ template = Template(f.read().decode('utf-8'))
+
+fd, filename = tempfile.mkstemp(prefix='contact-maintainers', suffix='.txt')
+draft = os.fdopen(fd, 'w')
+draft.write(template.render(context).encode('utf-8'))
+draft.close()
+
+os.system(args.mailer.format(filename))
+os.unlink(filename)
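Review bot: `get_source_field` formats the `package` argument straight into a `shell=True` pipeline, so any shell metacharacter in the name is interpreted by `/bin/sh` instead of reaching `apt-cache` as data. Running `apt-cache showsrc` with an argument list and picking the field in Python removes the shell, as sketched below. The sketch also returns the whole value where `split(': ')[1]` would cut it at a second `': '`. The list form raises `CalledProcessError` if `apt-cache` exits non-zero, which the pipeline hid behind the exit status of `tail`, so decide whether callers should catch it. The same shell-string pattern ends the script in `os.system(args.mailer.format(filename))`; the command is operator-supplied by design, but `subprocess.call([a.format(filename) for a in shlex.split(args.mailer)])` inside a `try`/`finally` that unlinks the draft would keep the temp path from being re-parsed and would not leave the draft behind on error.

```python
def get_source_field(pkg, name):
    # XXX: retrieve data in a more reliable way
    output = subprocess.check_output(['apt-cache', 'showsrc', pkg])
    prefix = name.capitalize() + ':'
    value = ''
    for line in output.decode('utf-8').splitlines():
        if line.startswith(prefix):
            # keep the last match, as `tail -n 1` did
            value = line[len(prefix):].strip()
    return value
```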
diff --git a/templates/lts-no-dsa.txt b/templates/lts-no-dsa.txt
new file mode 100644
index 0000000000..4ca8ebfd9e
--- /dev/null
+++ b/templates/lts-no-dsa.txt
@@ -0,0 +1,41 @@
+To: {{ to }}
+Cc: {{ cc }}
+Subject: About the security issues affecting {{ package }} in Squeeze
+
+# XXX: Decide whether you want to put some of those persons in copy and
+# then drop this comment
+# Uploaders: {{ uploaders}}
+
+Hello dear maintainer(s),
+
+the Debian LTS team recently reviewed the security issue(s) affecting your
+package in Squeeze:
+{%- if cve -%}
+{% for entry in cve %}
+https://security-tracker.debian.org/tracker/{{ entry }}
+{%- endfor -%}
+{%- else %}
+https://security-tracker.debian.org/tracker/source-package/{{ package }}
+{%- endif %}
+
+We decided that we would not prepare a squeeze security update (usually
+because the security impact is low and that we concentrate our limited
+resources on higher severity issues and on the most widely used packages).
+That said the squeeze users would most certainly benefit from a fixed
+package.
+
+If you want to work on such an update, you're welcome to do so. Please
+try to follow the workflow we have defined here:
+http://wiki.debian.org/LTS/Development
+
+If that workflow is a burden to you, feel free to just prepare an
+updated source package and send it to debian-lts@lists.debian.org
+(via a debdiff, or with an URL pointing to the the source package,
+or even with a pointer to your packaging repository), and the members
+of the LTS team will take care of the rest. However please make sure to
+submit a tested package.
+
+Thank you very much.
+
+{{ sender }},
+ on behalf of the Debian LTS team.
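Review bot: The line `(via a debdiff, or with an URL pointing to the the source package,` has a doubled "the", and this text is mailed to maintainers as written; suggest `(via a debdiff, or with a URL pointing to the source package,`. The identical line appears in templates/lts-update-planned.txt. Both templates also link the workflow page as `http://wiki.debian.org/LTS/Development`; if the wiki is served over TLS, `https://wiki.debian.org/LTS/Development` keeps recipients off a plaintext link. The `# XXX` block sits in the message body and is only removed if the operator edits the draft, so a one-line reminder in the script's `--mailer` help would be worth adding.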
diff --git a/templates/lts-update-planned.txt b/templates/lts-update-planned.txt
new file mode 100644
index 0000000000..fb9ddce7c5
--- /dev/null
+++ b/templates/lts-update-planned.txt
@@ -0,0 +1,45 @@
+To: {{ to }}
+Cc: {{ cc }}
+Subject: squeeze update of {{ package }}?
+
+# XXX: Decide whether you want to put some of those persons in copy and
+# then drop this comment
+# Uploaders: {{ uploaders}}
+
+Hello dear maintainer(s),
+
+the Debian LTS team would like to fix the security issues which are
+currently open in the Squeeze version of your package:
+{%- if cve -%}
+{% for entry in cve %}
+https://security-tracker.debian.org/tracker/{{ entry }}
+{%- endfor -%}
+{%- else %}
+https://security-tracker.debian.org/tracker/source-package/{{ package }}
+{%- endif %}
+
+Would you like to take care of this yourself?
+
+If yes, please follow the workflow we have defined here:
+http://wiki.debian.org/LTS/Development
+
+If that workflow is a burden to you, feel free to just prepare an
+updated source package and send it to debian-lts@lists.debian.org
+(via a debdiff, or with an URL pointing to the the source package,
+or even with a pointer to your packaging repository), and the members
+of the LTS team will take care of the rest. Indicate clearly whether you
+have tested the updated package or not.
+
+If you don't want to take care of this update, it's not a problem, we
+will do our best with your package. Just let us know whether you would
+like to review and/or test the updated package before it gets released.
+
+Thank you very much.
+
+{{ sender }},
+ on behalf of the Debian LTS team.
+
+PS: A member of the LTS team might start working on this update at
+any point in time. You can verify whether someone is registered
+on this update in this file:
+https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
