From 9e79a716be7576fe7f08881f0a66677b553ed29a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= Date: Wed, 18 Feb 2015 17:04:21 +0000 Subject: Add a new helper script to contact package maintainers For now I have only provided sample templates for the LTS team, but everything is ready if the security team wants to use it too. git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@32318 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- bin/contact-maintainers | 83 ++++++++++++++++++++++++++++++++++++++++ templates/lts-no-dsa.txt | 41 ++++++++++++++++++++ templates/lts-update-planned.txt | 45 ++++++++++++++++++++++ 3 files changed, 169 insertions(+) create mode 100755 bin/contact-maintainers create mode 100644 templates/lts-no-dsa.txt create mode 100644 templates/lts-update-planned.txt diff --git a/bin/contact-maintainers b/bin/contact-maintainers new file mode 100755 index 0000000000..ca010901c9 --- /dev/null +++ b/bin/contact-maintainers 
@@ -0,0 +1,83 @@
+#!/usr/bin/python
+
+import argparse
+import os
+import pwd
+import subprocess
+import tempfile
+
+from jinja2 import Template
+
+
+def get_full_name():
+ full_name = os.getenv('DEBFULLNAME')
+ if full_name:
+ return full_name.decode('utf-8')
+ return pwd.getpwuid(os.getuid()).pw_gecos.split(',')[0].decode('utf-8')
+
+
+def get_source_field(pkg, name):
+ # XXX: retrieve data in a more reliable way
+ cmd = 'apt-cache showsrc {}|grep ^{}:|tail -n 1'.format(
+ pkg, name.capitalize())
+ output = subprocess.check_output(cmd, shell=True).strip()
+ if output:
+ return output.decode('utf-8').split(': ')[1]
+ return ''
+
+
+def get_maintainer(pkg):
+ return get_source_field(pkg, 'Maintainer')
+
+
+def get_uploaders(pkg):
+ return get_source_field(pkg, 'Uploaders')
+
+
+# Parse command line
+parser = argparse.ArgumentParser(
+ description='Get in touch with package maintainers')
+parser.add_argument('--lts', action='store_true',
+ help='Act as a member of the LTS team')
+parser.add_argument('--no-dsa', dest='no_dsa', action='store_true',
+ help='Act as a member of the LTS team')
+parser.add_argument('--mailer', action='store', default='mutt -H {}',
+ help='Command executed. Must contain {} to be replaced '
+ 'by the filename of the draft contact mail')
+parser.add_argument('package')
+parser.add_argument('cve', nargs='*')
+args = parser.parse_args()
+
+cc = 'debian-lts@lists.debian.org' if args.lts else 'team@security.debian.org'
+team = 'lts' if args.lts else 'sec'
+model = 'no-dsa' if args.no_dsa else 'update-planned'
+template_file = 'templates/{}-{}.txt'.format(team, model)
+
+# Generate the context
+
+# XXX: Once that 761859 is fixed, improve the logic here to:
+# - retrieve the current list of CVE dynamically
+# - check whether we should use the no-dsa variant of the template
+# - check whether we have an open bug report, in which case we should
+# include it in the recipients of the mail
+
+context = {
+ 'package': args.package,
+ 'sender': get_full_name(),
+ 'cve': args.cve,
+ 'to': get_maintainer(args.package),
+ 'cc': cc,
+ 'uploaders': get_uploaders(args.package),
+}
+
+# Generate the mail
+with open(template_file) as f:
+ template = Template(f.read().decode('utf-8'))
+
+fd, filename = tempfile.mkstemp(prefix='contact-maintainers', suffix='.txt')
+draft = os.fdopen(fd, 'w')
+draft.write(template.render(context).encode('utf-8'))
+draft.close()
+
+os.system(args.mailer.format(filename))
+os.unlink(filename)
diff --git a/templates/lts-no-dsa.txt b/templates/lts-no-dsa.txt
new file mode 100644
index 0000000000..4ca8ebfd9e
--- /dev/null
+++ b/templates/lts-no-dsa.txt
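Review bot: `get_source_field` interpolates the command-line `package` argument straight into a string run with `shell=True`, so a value containing spaces or shell metacharacters changes the command that runs instead of being looked up as a package name. Pass an argument list to `subprocess.check_output` and pick the field out in Python, which also drops the dependence on `grep` and `tail`. Two behaviour changes follow from that: a failing `apt-cache` then raises `CalledProcessError` (the pipeline reported only `tail`'s exit status), and slicing off the prefix keeps a value that itself contains `': '`, which `split(': ')[1]` would cut short. Separately, the `--no-dsa` help string repeats the `--lts` text and should describe the no-DSA template instead.

```python
def get_source_field(pkg, name):
    # XXX: retrieve data in a more reliable way
    prefix = name.capitalize() + ': '
    # Argument list, no shell: pkg is handed to apt-cache as a single argument.
    output = subprocess.check_output(['apt-cache', 'showsrc', pkg])
    value = ''
    for line in output.decode('utf-8').splitlines():
        if line.startswith(prefix):
            # Keep the last matching stanza, as `tail -n 1` did.
            value = line[len(prefix):].strip()
    return value
```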
@@ -0,0 +1,41 @@
+To: {{ to }}
+Cc: {{ cc }}
+Subject: About the security issues affecting {{ package }} in Squeeze
+
+# XXX: Decide whether you want to put some of those persons in copy and
+# then drop this comment
+# Uploaders: {{ uploaders}}
+
+Hello dear maintainer(s),
+
+the Debian LTS team recently reviewed the security issue(s) affecting your
+package in Squeeze:
+{%- if cve -%}
+{% for entry in cve %}
+https://security-tracker.debian.org/tracker/{{ entry }}
+{%- endfor -%}
+{%- else %}
+https://security-tracker.debian.org/tracker/source-package/{{ package }}
+{%- endif %}
+
+We decided that we would not prepare a squeeze security update (usually
+because the security impact is low and that we concentrate our limited
+resources on higher severity issues and on the most widely used packages).
+That said the squeeze users would most certainly benefit from a fixed
+package.
+
+If you want to work on such an update, you're welcome to do so. Please
+try to follow the workflow we have defined here:
+http://wiki.debian.org/LTS/Development
+
+If that workflow is a burden to you, feel free to just prepare an
+updated source package and send it to debian-lts@lists.debian.org
+(via a debdiff, or with an URL pointing to the the source package,
+or even with a pointer to your packaging repository), and the members
+of the LTS team will take care of the rest. However please make sure to
+submit a tested package.
+
+Thank you very much.
+
+{{ sender }},
+ on behalf of the Debian LTS team.
diff --git a/templates/lts-update-planned.txt b/templates/lts-update-planned.txt
new file mode 100644
index 0000000000..fb9ddce7c5
--- /dev/null
+++ b/templates/lts-update-planned.txt
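Review bot: The workflow link in the body, `http://wiki.debian.org/LTS/Development`, is the only plain-HTTP URL in a mail sent on behalf of a security team, while the tracker links next to it use https; I would write `https://wiki.debian.org/LTS/Development`. The paragraph below it has a doubled word, `pointing to the the source package`, which should read `pointing to the source package`. Both points apply unchanged to templates/lts-update-planned.txt.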
@@ -0,0 +1,45 @@
+To: {{ to }}
+Cc: {{ cc }}
+Subject: squeeze update of {{ package }}?
+
+# XXX: Decide whether you want to put some of those persons in copy and
+# then drop this comment
+# Uploaders: {{ uploaders}}
+
+Hello dear maintainer(s),
+
+the Debian LTS team would like to fix the security issues which are
+currently open in the Squeeze version of your package:
+{%- if cve -%}
+{% for entry in cve %}
+https://security-tracker.debian.org/tracker/{{ entry }}
+{%- endfor -%}
+{%- else %}
+https://security-tracker.debian.org/tracker/source-package/{{ package }}
+{%- endif %}
+
+Would you like to take care of this yourself?
+
+If yes, please follow the workflow we have defined here:
+http://wiki.debian.org/LTS/Development
+
+If that workflow is a burden to you, feel free to just prepare an
+updated source package and send it to debian-lts@lists.debian.org
+(via a debdiff, or with an URL pointing to the the source package,
+or even with a pointer to your packaging repository), and the members
+of the LTS team will take care of the rest. Indicate clearly whether you
+have tested the updated package or not.
+
+If you don't want to take care of this update, it's not a problem, we
+will do our best with your package. Just let us know whether you would
+like to review and/or test the updated package before it gets released.
+
+Thank you very much.
+
+{{ sender }},
+ on behalf of the Debian LTS team.
+
+PS: A member of the LTS team might start working on this update at
+any point in time. You can verify whether someone is registered
+on this update in this file:
+https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- cgit v1.2.3