Track security issues for the translation platform
Originally created by @drebs on #17378 (Redmine)
The translation platform currently runs software that doesn’t come from Debian (Weblate + dependencies), and we currently have no way to track security issues for them.
Some ideas to deal with this are:
- Develop a way to get notified automatically, and maintain and enforce a workflow to upgrade manually when needed.
- Invest time into packaging more Weblate dependencies and trust package maintainers to do a good job.
- Create a script that fetches versions from GitHub and checks for patches for the currently running version (i.e. filter for the same major.minor and check whether newer versions are available).
- Use an online API to check for CVEs for Weblate (example: https://www.circl.lu/services/cve-search).
- Other possibilities?
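The version-check idea above, as an added example (not code from the original issue or from the Weblate project): tags are parsed as `major.minor[.patch]`, pre-release tags are ignored, and only tags in the same `major.minor` line as the running version that are newer are reported. The `weblate-` tag prefix, the sample tag list and the use of the GitHub tags API endpoint are assumptions; the sample data is constructed and the network fetch is not exercised when the module is imported.

```python
import json
import re
import urllib.request

# Constructed sample of tag names, in the shape the GitHub tags API returns
# them (only the "name" field is used). Not real Weblate release data.
SAMPLE_TAGS = [
    "weblate-4.14.2",
    "weblate-4.14.1",
    "weblate-4.15",
    "weblate-4.14",
    "weblate-5.0-rc1",   # pre-release: must be ignored
    "weblate-4.13.1",
]

# Assumed tag format: optional "weblate-" prefix, then x.y or x.y.z.
_VERSION_RE = re.compile(r"^(?:weblate-)?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(tag):
    """Return (major, minor, patch) for a plain release tag, or None for
    pre-releases and anything else that does not look like x.y[.z]."""
    m = _VERSION_RE.match(tag)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def newer_patch_releases(current, tags):
    """Tags in the same major.minor line as `current` that are newer than it,
    oldest first. Other lines (e.g. the next minor) are deliberately skipped,
    since upgrading to them is a separate decision."""
    cur = parse_version(current)
    if cur is None:
        raise ValueError(f"unparseable current version: {current!r}")
    found = []
    for tag in tags:
        v = parse_version(tag)
        if v is None:
            continue
        if v[:2] == cur[:2] and v > cur:
            found.append((v, tag))
    return [tag for _, tag in sorted(found)]


def fetch_tag_names(owner, repo):
    """Fetch tag names from the GitHub tags API (network access; assumed
    endpoint https://api.github.com/repos/{owner}/{repo}/tags)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/tags?per_page=100"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return [t["name"] for t in json.load(resp)]


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # fetch_tag_names("WeblateOrg", "weblate") for a live check.
    print(newer_patch_releases("4.14", SAMPLE_TAGS))
```

Because pagination is capped at 100 tags per request, a live check should either follow the API's pagination links or accept that only recent tags are examined; for a patch-level check on the current line that is usually sufficient.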
Constraints
- Notifications should be sent to the Translation Platform admins list.
- No special per-admin steps should be needed (e.g. setting up local e-mail filters).
Sources of important security info
- django-announce mailing list (RSS).
- Weblate releases RSS feed.
Proposed steps
- Set up a way to get RSS notifications in administrative e-mail.
- Subscribe the above sources to send e-mail to the Translation Platform admins list.
- Implement a case-insensitive post-process security filter for rss2email subscriptions.
- Subscribe to get release updates for all Python dependencies installed from upstream repositories.
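The case-insensitive post-process security filter from the steps above, as an added example (not code from the original issue or from rss2email): a hook that keeps only feed entries whose subject, title or summary mentions a security term and drops everything else, so only security-relevant announcements reach the admins list. The `process(feed, parsed, entry, guid, message)` signature is assumed to match rss2email's post-process hook (return the message to deliver it, `None` to drop it); the keyword list and the sample entries are constructed.

```python
import email.message
import re

# Terms that mark an announcement as security-relevant; extend as needed.
# Matched case-insensitively so "Security", "SECURITY" and "security" all hit.
SECURITY_PATTERNS = [
    r"\bsecurity\b",
    r"\bCVE-\d{4}-\d{4,}\b",
    r"\bvulnerab",          # vulnerability, vulnerabilities, vulnerable
    r"\badvisor(?:y|ies)\b",
]
_SECURITY_RE = re.compile("|".join(SECURITY_PATTERNS), re.IGNORECASE)


def is_security_related(*texts):
    """True if any of the given strings mentions a security term."""
    return any(t and _SECURITY_RE.search(t) for t in texts)


def process(feed, parsed, entry, guid, message):
    """Assumed rss2email post-process hook. Deliver security-related entries,
    drop the rest. `entry` is the feedparser entry dict, `message` the
    email.message object rss2email built for it."""
    subject = message.get("Subject", "")
    title = entry.get("title", "") if entry else ""
    summary = entry.get("summary", "") if entry else ""
    if not is_security_related(subject, title, summary):
        return None                       # None tells rss2email to skip it
    message["X-Security-Filter"] = "matched"   # assumed header, aids mail-side triage
    return message


# --- constructed sample entries, not real feed data ---
SAMPLE_ENTRIES = [
    {"title": "Django 4.2.5 released",
     "summary": "Today we released Django 4.2.5, a bugfix release."},
    {"title": "Django security releases issued: 4.2.4, 4.1.10",
     "summary": "These releases address issues reported to the security team."},
    {"title": "Weblate 5.0",
     "summary": "This release addresses a Vulnerability in the API layer."},
]


def _make_message(subject):
    msg = email.message.EmailMessage()
    msg["Subject"] = subject
    return msg


def filter_sample():
    """Run the hook over the constructed entries; return titles that would be delivered."""
    kept = []
    for entry in SAMPLE_ENTRIES:
        msg = process(None, None, entry, "constructed-guid", _make_message(entry["title"]))
        if msg is not None:
            kept.append(entry["title"])
    return kept


if __name__ == "__main__":
    print(filter_sample())
```

Wiring it in means pointing the feed's `post-process` setting at this module's `process` function and keeping the module importable from rss2email's environment; the filter is applied per feed, so the Weblate releases feed can be left unfiltered while django-announce is filtered down to security releases.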
Edited by Zen Fu