Commit 8a2be9b7 authored by intrigeri

Release process: generate security advisory boilerplate from a template

This way:

 - RMs won't mistakenly copy an old advisory that lacks recent improvements
   (at least I did this in the past).
 - Technical writers can modify the template.
parent e6f39470
#! /usr/bin/python3
import email.utils
import subprocess
from datetime import datetime, timedelta
import jinja2
def advisory_date() -> datetime:
changelog_entry_timestamp = subprocess.run(
["dpkg-parsechangelog", "--show-field", "Timestamp"],
stdout=subprocess.PIPE,
universal_newlines=True,
check=True).stdout.rstrip()
return datetime.fromtimestamp(
float(changelog_entry_timestamp)) - timedelta(days=2)
def security_advisory_contents(args) -> str:
jinja2_env = jinja2.Environment(
loader=jinja2.FileSystemLoader('config/release_management/templates'))
return (jinja2_env.get_template('security_advisory.mdwn').render(
date=email.utils.format_datetime(advisory_date()),
previous_version=args.previous_version,
version=args.version,
tag=args.tag))
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--previous-version', required=True)
parser.add_argument('--version', required=True)
parser.add_argument('--tag', required=True)
args = parser.parse_args()
print(security_advisory_contents(args))
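Review bot: `advisory_date()` returns a naive datetime (`datetime.fromtimestamp` is called without `tz`), so `email.utils.format_datetime` renders it with the `-0000` pseudo-zone instead of a real offset, and the wall-clock value depends on whichever local timezone the RM's machine is set to; passing `tz=timezone.utc` (and adding `timezone` to the `datetime` import) makes the `[[!meta date=...]]` value reproducible across machines. Two smaller points: the `timedelta(days=2)` offset is undocumented in the code, while the release process text this commit replaces explained that the advisory is dated a few days before the images were built, so a short docstring stating that intent would help the next reader; and `FileSystemLoader('config/release_management/templates')` is resolved against the current working directory, so the script only works when run from the repository root (deriving the path from `__file__` would remove that dependency).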
[[!meta date="{{date}}"]]
[[!meta title="Numerous security holes in Tails {{previous_version}}"]]
[[!pagetemplate template="news.tmpl"]]
[[!tag security/fixed]]
[[Tails {{version}}|news/version_{{tag}}]] fixes many security issues that affect
Tails {{previous_version}}. You should [[upgrade to Tails {{version}}|news/version_{{tag}}]] as
soon as possible.
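Review bot: the template carries only the introductory paragraph, while the release process still asks the RM to add the Linux CVE, DSA, BSA and MFSA lists by hand afterwards; putting placeholder section headings for those lists (or an explicit "XXX fill in" marker) into `security_advisory.mdwn` would make a forgotten list visible in the generated file, which is exactly the kind of omission the commit message says this change is meant to prevent.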
@@ -17,7 +17,7 @@ Packages
To release Tails you'll need some packages installed:
* `docker.io gitlab-cli jq tidy mktorrent transmission-cli`
* `docker.io gitlab-cli jq tidy mktorrent python3-jinja2 transmission-cli`
* [[!debpts squashfs-tools]] 1:4.4-1+0.tails1
from our custom `iukbuilder-stretch` APT suite.
* `iuk` [[dependencies|contribute/release_process/tails-iuk#build-deps]]
@@ -1470,27 +1470,37 @@ Ensure our [[contribute/working_together/roles/technical_writer]] has
[[written|contribute/how/documentation/release_notes]] the
announcement for the release in `wiki/src/news/version_${TAG:?}.mdwn`.
Write an announcement listing the security bugs affecting the previous
version in
`wiki/src/security/Numerous_security_holes_in_${PREVIOUS_VERSION:?}.mdwn`
(XXX: when preparing a final *major* release, point at the
previous *bugfix* release rather than at the release candidate)
in order to let the users of the old versions
know that they have to upgrade. Date it a few days before the
images to be released were *built*. Including:
Write an announcement listing the security bugs affecting the previous version
in `wiki/src/security/Numerous_security_holes_in_${PREVIOUS_VERSION:?}.mdwn`, in
order to let the users of the old versions know that they have to upgrade:
- if we are not shipping Linux from Debian stable, the list of
1. Generate the boilerplate contents from the template:
./bin/generate-security-advisory \
--previous-version "${PREVIOUS_VERSION:?}" \
--version "${VERSION:?}" \
--tag "${TAG:?}" \
> "wiki/src/security/Numerous_security_holes_in_${PREVIOUS_VERSION:?}.mdwn"
Note: when preparing a final *major* release, in this example command line,
replace occurrences of `${PREVIOUS_VERSION:?}` with the version number of the
previous *bugfix* release, rather than the release candidate.
2. Manually add to
`wiki/src/security/Numerous_security_holes_in_${PREVIOUS_VERSION:?}.mdwn`:
- if we are not shipping Linux from Debian stable, the list of
CVE fixed in Linux since the one shipped in the previous release of
Tails; you can find them in the relevant changelog e.g.:
* <http://metadata.ftp-master.debian.org/changelogs/main/l/linux/unstable_changelog>
* <http://metadata.ftp-master.debian.org/changelogs/main/l/linux/testing_changelog>
* <http://metadata.ftp-master.debian.org/changelogs/main/l/linux/stretch-backports_changelog>
- the list of DSA fixed in packages we ship since those that were in
- the list of DSA fixed in packages we ship since those that were in
the previous release of Tails: <https://www.debian.org/security/#DSAS>
- the list of BSA fixed in packages we ship since those that were in
- the list of BSA fixed in packages we ship since those that were in
the previous release of Tails:
<https://lists.debian.org/debian-backports-announce/>
- the list of MFSA fixed by the Tor Browser update:
- the list of MFSA fixed by the Tor Browser update:
<https://www.mozilla.org/security/announce/>
Remove obsolete bits from `wiki/src/home/testing.html`. For example,
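Review bot: the example command in step 1 redirects into `wiki/src/security/Numerous_security_holes_in_${PREVIOUS_VERSION:?}.mdwn` with a plain `>`, which silently overwrites any advisory already present (for instance one started by hand, or a previous run of the same step during the same release); suggest telling the RM to check that the file does not exist yet, or to run the command under `set -o noclobber` so the shell refuses to clobber it. The rewritten paragraph also drops the old sentence asking to date the advisory a few days before the images were built; since the script now fixes that as the changelog timestamp minus two days, a one-line note saying so would tell RMs where the date comes from and when they need to adjust it.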