During UDS Karmic I was listening to the security remote audio stream, where the idea of automatically identifying security fixes in Debian and finding exact version matches in Ubuntu was discussed. I decided to give it a try and managed to hack something together.
The result is that we managed to sync approximately 45 source security packages from Debian into Ubuntu (all releases) and have identified many 'easy' security merges.
You can currently view the outstanding list here (although the location may be moving in the future).
LP API
The Python LP API is great for working with Launchpad. If you need to do something with data in Launchpad, I would recommend you check it out. I had some issues with it though: staging was often down or unavailable for some reason or other (may have been transient). The getPublishedSources method returns all the versions; I was unable to get the latest version only. In the end I ended up reading the sources into a sqlite database to find the latest version.
Other nifty stuff
- pyparser to parse the DSA (Debian Security Announcement) list. I had never used it before and it's pretty funky!
- lxml.html to screenscrape the Ubuntu CVE status. (ok, so maybe I still don't know how this works)
- jquery to do table sorting on the web page.
- jdstrand wrote a script for archive admins to do this fake security sync in a sane way (naming, testing etc.)
Some issues
Whenever the program runs, it needs to get all the information from Launchpad again, screen scrape and then compare. I plan on modifying this (hopefully on the weekend) to keep the complete state in the sqlite database and then only compare new DSA entries.
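As an added example (not the d2u code, and not calling Launchpad at all), the snippet below shows the three pieces the text describes working together: a dpkg-style version comparison registered as a sqlite collation so the newest of the many versions getPublishedSources returns can be picked with a plain ORDER BY, a parser for the security tracker's DSA list layout (written with the stdlib re module rather than pyparsing), and a classification of each DSA into sync / merge / already fixed. The published rows, DSA entries, package names and CVE ids are all constructed sample data, and the classify() rule (unmodified Debian version in Ubuntu means sync, an 'ubuntu' suffix means merge) is my assumption about what "exact version match" means, not something the page spells out.

```python
# Added example, not the d2u code: a dpkg-style version comparison used as a
# sqlite collation, a DSA-list parser, and a sync/merge classification.
import re
import sqlite3
from itertools import zip_longest

def _order(c):
    # dpkg weight: '~' sorts before everything (even end of string, weight 0);
    # letters sort before other non-digit characters
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternating non-digit / digit runs, as in dpkg's verrevcmp(); returns -1/0/1
    while a or b:
        ra, rb = re.match(r"\D*", a)[0], re.match(r"\D*", b)[0]
        for x, y in zip_longest(ra, rb, fillvalue=""):
            if _order(x) != _order(y):
                return 1 if _order(x) > _order(y) else -1
        na, nb = re.match(r"\d*", a[len(ra):])[0], re.match(r"\d*", b[len(rb):])[0]
        if int(na or 0) != int(nb or 0):
            return 1 if int(na or 0) > int(nb or 0) else -1
        a, b = a[len(ra) + len(na):], b[len(rb) + len(nb):]
    return 0

def debver_cmp(v1, v2):
    """Debian version ordering (-1/0/1); plain string ordering gets 1.10 vs 1.9,
    1.0~rc1 vs 1.0 and 1:1.0 vs 2.0 wrong."""
    def split(v):  # -> (epoch, upstream, revision); defaults are 0 and ""
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, dash, revision = rest.rpartition("-")
        return int(epoch), (upstream if dash else rest), (revision if dash else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def load_published(rows):
    # rows: (source, series, version) triples, e.g. flattened from the
    # getPublishedSources() result, which contains every version ever published
    db = sqlite3.connect(":memory:")
    db.create_collation("debver", debver_cmp)
    db.execute("CREATE TABLE published (source TEXT, series TEXT, version TEXT)")
    db.executemany("INSERT INTO published VALUES (?, ?, ?)", rows)
    return db

def latest_version(db, source, series):
    # With the collation registered, sqlite itself picks the newest version
    row = db.execute("SELECT version FROM published WHERE source = ? AND series = ? "
                     "ORDER BY version COLLATE debver DESC LIMIT 1",
                     (source, series)).fetchone()
    return row[0] if row else None

# Layout of the security tracker's DSA list, parsed with re instead of pyparsing
DSA_HEAD = re.compile(r"^\[\d{1,2} \w{3} \d{4}\] (DSA-\d+-\d+) (\S+) - (.*)$")
DSA_CVES = re.compile(r"^\t\{([^}]*)\}$")
DSA_FIX = re.compile(r"^\t\[(\w+)\] - \S+ (\S+)$")

def parse_dsa_list(text):
    entries = []
    for line in text.splitlines():
        if m := DSA_HEAD.match(line):
            entries.append({"dsa": m[1], "package": m[2], "cves": [], "fixes": {}})
        elif (m := DSA_CVES.match(line)) and entries:
            entries[-1]["cves"] = m[1].split()
        elif (m := DSA_FIX.match(line)) and entries:
            entries[-1]["fixes"][m[1]] = m[2]  # Debian release -> fixed version
    return entries

def classify(debian_fixed, ubuntu_current):
    # Assumed rule: Ubuntu at/above the fixed version needs nothing; an 'ubuntu'
    # suffix means local changes, so a merge; an unmodified version can be synced
    if ubuntu_current is None:
        return "not-in-ubuntu"
    if debver_cmp(ubuntu_current, debian_fixed) >= 0:
        return "fixed"
    return "merge" if "ubuntu" in ubuntu_current else "sync"

def outstanding(dsa_text, published_rows, debian_release, ubuntu_series):
    # dsa id -> (package, Debian fixed version, Ubuntu latest version, action)
    db = load_published(published_rows)
    report = {}
    for e in parse_dsa_list(dsa_text):
        if fixed := e["fixes"].get(debian_release):
            current = latest_version(db, e["package"], ubuntu_series)
            report[e["dsa"]] = (e["package"], fixed, current, classify(fixed, current))
    return report

# Constructed sample data: fake DSA ids, CVE ids, packages and versions
SAMPLE_DSA_LIST = """\
[01 Jun 2009] DSA-9001-1 foo - buffer overflow
\t{CVE-0000-0001}
\t[lenny] - foo 1.9-10+lenny1
[02 Jun 2009] DSA-9002-1 bar - denial of service
\t{CVE-0000-0002 CVE-0000-0003}
\t[lenny] - bar 2.0-3
[03 Jun 2009] DSA-9003-1 baz - symlink attack
\t{CVE-0000-0004}
\t[lenny] - baz 0.5~rc1-2
"""
SAMPLE_PUBLISHED = [("foo", "karmic", "1.9-9"), ("foo", "karmic", "1.9-10"),
                    ("bar", "karmic", "2.0-1"), ("bar", "karmic", "2.0-2ubuntu1"),
                    ("baz", "karmic", "0.5-1")]
```

Running outstanding(SAMPLE_DSA_LIST, SAMPLE_PUBLISHED, "lenny", "karmic") reports foo as a sync candidate (Ubuntu carries the unmodified 1.9-10, and the collation correctly ranks it above 1.9-9, which a string sort would not), bar as a merge because of its ubuntu1 revision, and baz as already fixed because 0.5-1 sorts after 0.5~rc1-2. The same published table is what the "keep the complete state in sqlite" plan would persist between runs, with only newly seen DSA ids fed through outstanding().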
How you can help
There are many easy security fixes that require a merge from Debian to Ubuntu. One of the most challenging parts of fixing a security bug is identifying the relevant fix. The good part is, this is already done! It's in Debian and we just need to merge it into our Ubuntu version. Drop by #ubuntu-motu for some assistance and check out the security team wiki for preparation info and some detailed instructions.
Code
Currently the code is located here: bzr branch lp:~stefanlsd/+junk/d2u
Please do excuse my basic python skills, this project was more about learning and I realise there must be so many ways to make it better.
Thanks
Thanks go to jdstrand & kees (concept ideas, debugging help), dash (#python helping with lxml), jamesw & wgrant (lots of launchpad help).
Comments
The Debian security team
The Debian security team needs new members, please join them!
I should mention that this whole concept is in an effort to help Ubuntu's community-maintained packages (i.e. Universe and Multiverse) where a member of the Ubuntu community has not created a patch for the Ubuntu package. The Ubuntu Security team coordinates with Debian and other vendors for officially supported packages. When applicable, we also feed security patches back to Debian when Ubuntu has a fix and Debian doesn't yet, and try to encourage community members to do the same. We are also planning to discuss more and better ways to contribute to Debian's security team at our developer summit next month.
I've heard Ubuntu is quite revolutionary. This post is a bit specific for me to understand the whole picture. Could you refer me to a more general post?