During UDS Karmic I was listening to the security remote audio stream where a concept of automatically identifying security fixes in Debian and identifying exact version matches in Ubuntu was discussed. I decided to give it a try and managed to hack something together.
The result is that we managed to sync approx 45 source security packages from Debian into Ubuntu (all releases) and have identified many 'easy' security merges.
You can currently view the outstanding list here (although the location may be moving in the future).
The Python LP API is great for working with Launchpad. If you need to do something with data in Launchpad, I would recommend you check it out. I had some issues with it though - staging was often down or unavailable for some reason or other (may have been transient). The getPublishedSources method returns all the versions. I was unable to get the latest version only. In the end I ended up reading the sources into a sqlite database to find the latest version.
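An added example, not the code from the d2u branch: one way to pick the latest version per source package and series out of every published version, using sqlite with a collation that follows Debian's version ordering (epoch, upstream version, revision, with `~` sorting first). The table layout, function names and sample rows are assumptions made for illustration.

```python
import re
import sqlite3

def _order(c):  # dpkg order: '~', then end of string, then letters, then the rest
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _nondigit(s, k):  # s[k] when it is a non-digit, else "" (digit or end of string)
    return s[k] if k < len(s) and s[k] not in "0123456789" else ""

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        while _nondigit(a, i) or _nondigit(b, j):  # non-digit runs, char by char
            oa, ob = _order(_nondigit(a, i)), _order(_nondigit(b, j))
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        da = re.match("[0-9]*", a[i:]).group()  # digit runs, compared numerically
        db = re.match("[0-9]*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def _split(v):  # "epoch:upstream-revision"; a missing epoch or revision counts as 0
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(x, y):
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

def latest_versions(rows):
    db = sqlite3.connect(":memory:")
    db.create_collation("debversion", deb_cmp)
    db.execute("CREATE TABLE pubs (source TEXT, series TEXT, version TEXT)")
    db.executemany("INSERT INTO pubs VALUES (?, ?, ?)", rows)
    q = "SELECT source, series, version FROM pubs ORDER BY version COLLATE debversion"
    return {(s, r): v for s, r, v in db.execute(q)}  # highest version wins per key

SAMPLE = [  # constructed rows with hypothetical package names
    ("examplepkg", "jaunty", "1.2~rc1-1"), ("examplepkg", "jaunty", "1.10-1"),
    ("examplepkg", "jaunty", "1.2-1ubuntu1.1"), ("otherpkg", "karmic", "2.0-3"),
    ("otherpkg", "karmic", "1:0.9-1"),
]
```

A plain string `MAX()` over the same rows would pick `1.2~rc1-1` for the first package, which is why the comparison has to follow the Debian rules.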
Other nifty stuff
- pyparser to parse the DSA (Debian Security Announcement) list. I had never used it before and it's pretty funky!
- lxml.html to screenscrape the Ubuntu CVE status. (OK, so maybe I still don't know how this works)
- jQuery to do table sorting on the web page.
- jdstrand wrote a script for archive admins to do this fake security sync in a sane way (naming, testing etc)
Whenever the program runs, it needs to get all the information from Launchpad again, screen scrape and then compare. I plan on modifying this (hopefully on the weekend) to keep the complete state in the sqlite database and then only compare new DSA entries.
How you can help
There are many easy security fixes that require a merge from Debian to Ubuntu. One of the most challenging parts of fixing a security bug is identifying the relevant fix. The good part is, this is already done! It's in Debian and we just need to merge it into our Ubuntu version. Drop by #ubuntu-motu for some assistance and check out the security team wiki for preparation info and some detailed instructions.
Currently the code is located here - bzr branch lp:~stefanlsd/+junk/d2u
Please do excuse my basic Python skills; this project was more about learning and I realise there must be so many ways to make it better.
Thanks go to jdstrand & kees (concept ideas, debugging help), dash (#python helping with lxml), jamesw & wgrant (lots of launchpad help).