Bug #17378

Track security issues for the translation platform

Added by drebs 2019-12-26 23:07:18. Updated 2020-02-21 18:33:27.

Status:
Confirmed
Priority:
Elevated
Assignee:
Category:
Infrastructure
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Sysadmin
Blueprint:

Starter:
Affected tool:
Translation Platform
Deliverable for:

Description

The translation platform currently runs software that doesn’t come from Debian (Weblate + dependencies), and we currently have no way to track security issues for them.

Some ways to deal with this are:

* Develop a way to automatically get notified and maintain and enforce a workflow to manually upgrade when needed.
* Invest time into packaging more Weblate dependencies and trust package maintainers to do a good job.
* Other possibilities?


Subtasks


History

#1 Updated by zen 2020-02-21 18:24:59

More ideas:

  • Create a script that fetches versions from GitHub and checks for patches for the current running version (i.e. filter for major.minor and check if there are bigger versions available).
  • Use an online API to check for CVEs for Weblate (example: https://www.circl.lu/services/cve-search).
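As an added illustration of the first idea (this is example code written for this note, not anything from the ticket or from the Weblate project), the script below compares a running version against a list of release tags and reports newer patch releases in the same major.minor series separately from releases in a later series. The GitHub repository URL and the "weblate-X.Y.Z" tag format are assumptions; the tag list in the block is constructed so that the check runs offline.

```python
import re
import json
import urllib.request
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumed upstream repository; the ticket only says "GitHub".
RELEASES_URL = "https://api.github.com/repos/WeblateOrg/weblate/releases"

# Constructed sample of "tag_name" values as a releases listing would carry
# them; these are illustrative, not a real Weblate release history.
SAMPLE_TAGS = [
    "weblate-3.9", "weblate-3.9.1", "weblate-3.10", "weblate-3.10.1",
    "weblate-3.10.2", "weblate-3.11", "weblate-4.0-rc1",
]

# major.minor or major.minor.patch at the end of the tag; pre-release
# suffixes such as -rc1 deliberately do not match and are ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(tag: str) -> Optional[Version]:
    m = VERSION_RE.search(tag)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def check_updates(running: str, tags: List[str]) -> dict:
    """Compare the running version against a list of release tags.

    patch_updates: newer releases in the same major.minor series (the
    ones the ticket proposes to act on); newer_series: releases in a
    later major.minor, reported separately because they need a planned
    upgrade rather than a routine patch.
    """
    current = parse_version(running)
    if current is None:
        raise ValueError(f"cannot parse running version {running!r}")
    patch_updates, newer_series = [], []
    for tag in tags:
        v = parse_version(tag)
        if v is None or v <= current:
            continue
        if v[:2] == current[:2]:
            patch_updates.append(v)
        else:
            newer_series.append(v)
    return {
        "current": current,
        "patch_updates": sorted(patch_updates),
        "newer_series": sorted(newer_series),
    }


def fetch_release_tags(url: str = RELEASES_URL, timeout: int = 30) -> List[str]:
    """Fetch tag names from the GitHub releases API (network call; the
    offline sample below does not use it)."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return [release["tag_name"] for release in json.load(resp)]


if __name__ == "__main__":
    report = check_updates("3.10.1", SAMPLE_TAGS)
    if report["patch_updates"]:
        print("patch release(s) available:", report["patch_updates"])
    else:
        print("running the latest patch release of this series")
    if report["newer_series"]:
        print("newer series available:", report["newer_series"])
```

Run from cron with `fetch_release_tags()` in place of `SAMPLE_TAGS` and have it mail or log when `patch_updates` is non-empty; releases in a later series are still worth reporting, since a series that upstream no longer patches will otherwise look "up to date" forever.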

#2 Updated by zen 2020-02-21 18:26:28

Another idea: ask upstream if there is an easy way to get notified for security fixes.

#3 Updated by zen 2020-02-21 18:33:27

Examples of CIRCL API calls that will return CVE info for Django and Weblate:

curl http://cve.circl.lu/api/search/djangoproject/django
curl http://cve.circl.lu/api/search/weblate/weblate
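The two calls above return every CVE recorded for the product, so a script still has to decide which ones apply to the version actually running. The example below (added here, not code from the ticket or from the cve-search project) filters the records by the version field of their CPE entries. The response schema (a list of records, or a `results` wrapper in newer cve-search releases, each with `id`, `cvss`, `summary` and `vulnerable_configuration` CPE strings) is an assumption, and the two records embedded in the block are constructed placeholders with made-up CVE ids.

```python
import json
import urllib.request
from typing import Any, List, Tuple

# Endpoint from the ticket; vendor/product path as in the curl examples.
# Prefer https where the service offers it.
CIRCL_SEARCH_URL = "http://cve.circl.lu/api/search/{vendor}/{product}"

# Constructed sample of two records in the assumed cve-search response shape;
# the CVE ids are placeholders, not real identifiers.
SAMPLE_RESPONSE = [
    {
        "id": "CVE-0000-00001",
        "cvss": 5.0,
        "summary": "placeholder entry affecting 3.10.0 and 3.10.1",
        "vulnerable_configuration": [
            "cpe:2.3:a:weblate:weblate:3.10.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:weblate:weblate:3.10.1:*:*:*:*:*:*:*",
        ],
    },
    {
        "id": "CVE-0000-00002",
        "cvss": 7.5,
        "summary": "placeholder entry affecting only 3.9",
        "vulnerable_configuration": [
            "cpe:2.3:a:weblate:weblate:3.9:*:*:*:*:*:*:*",
        ],
    },
]


def normalise(payload: Any) -> List[dict]:
    """Accept either a bare list of records or a {"results": [...]} wrapper."""
    if isinstance(payload, dict):
        return payload.get("results", payload.get("data", []))
    return payload


def cpe_version(cpe: str) -> str:
    """Version field of a CPE 2.3 URI (component index 5), or "" if malformed."""
    parts = cpe.split(":")
    return parts[5] if len(parts) > 5 else ""


def cves_affecting(payload: Any, running_version: str,
                   include_wildcard: bool = True) -> List[Tuple[str, Any, str]]:
    """Return (id, cvss, summary) for records whose CPE list names the running
    version. A "*" version means "any version"; it is included by default
    because missing a hit is worse than reviewing one by hand."""
    hits = []
    for rec in normalise(payload):
        versions = {cpe_version(c) for c in rec.get("vulnerable_configuration", [])}
        if running_version in versions or (include_wildcard and "*" in versions):
            hits.append((rec["id"], rec.get("cvss"), rec.get("summary", "")))
    return hits


def fetch_cves(vendor: str, product: str, timeout: int = 30) -> Any:
    """Query the endpoint used in the curl examples (network call; the
    offline sample below does not use it)."""
    url = CIRCL_SEARCH_URL.format(vendor=vendor, product=product)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_cves("weblate", "weblate") for the live check.
    for cve_id, cvss, summary in cves_affecting(SAMPLE_RESPONSE, "3.10.1"):
        print(cve_id, cvss, summary)
```

Records with no CPE data at all (an empty `vulnerable_configuration`) produce no hit; if the live data turns out to carry such entries, logging them for manual review is safer than silently dropping them.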