juhp / fbrnch

Tool to update fedora packages branches
https://hackage.haskell.org/package/fbrnch
GNU General Public License v2.0

Allow setting Bodhi update severity #32

Closed gotmax23 closed 2 years ago

gotmax23 commented 2 years ago

## Description

Currently, fbrnch build -u security does not work properly, as it is impossible to set the Bodhi update severity.

## Version

I rebuilt the fbrnch rpm with the current git HEAD (https://github.com/juhp/fbrnch/commit/11edd24d10335c4366da8e60543df90f80204f03).

## Steps to reproduce

  1. fbrnch clone golang-github-containerd-imgcrypt
  2. fbrnch build -o 10 -u security f36 golang-github-containerd-imgcrypt

## Actual Results

```
[...]
[koji build output]
[...]

Update to 1.1.4 (rhbz#2068719). Mitigates CVE-2022-24778 (rhbz#2069368,
Press Enter to use above or input update summary now: Update to 1.1.4 (rhbz#2068719). Mitigates CVE-2022-24778 (rhbz#2069368, rhbz#2069369)

Creating Bodhi Update for golang-github-containerd-imgcrypt-1.1.4-1.fc36:
Usage: bodhi updates new [OPTIONS] BUILDS_OR_TAG
Try 'bodhi updates new --help' for help.

Error: Invalid value for severity: must specify severity for a security update
fbrnch: bodhi updates new --type security --request testing --notes 'Update to 1.1.4 (rhbz#2068719). Mitigates CVE-2022-24778 (rhbz#2069368, rhbz#2069369)' --autokarma --autotime --close-bugs --bugs 2068719 golang-github-containerd-imgcrypt-1.1.4-1.fc36 failed with exit code 2
```

## Expected Results
`fbrnch build` should provide the ability to set the update severity and implement a check to ensure that it's set when `-u security` is passed. For some reason, fbrnch didn't detect the last two bugs referenced in the update summary, but that's a separate issue.

---

Sorry for all the issues! Thanks for creating a great tool 😀.

juhp commented 2 years ago

Thanks for the report - appreciate it

(You are right - I think currently fbrnch wrongly assumes only one bz mention per changelog line: that shouldn't be so hard to fix)

I guess ideally we should read the severity from the CVE bug... but that is a bit of a stretch, though the CVE reference might help there. Also CVEs usually include a bodhi template, which the next release will support: see 8ad28ff. Probably easiest and useful to add an option for this anyway.

juhp commented 2 years ago

> (You are right - I think currently fbrnch wrongly assumes only one bz mention per changelog line: that shouldn't be so hard to fix)

That is done in 3b5ba90
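The two defects discussed in this thread, a security update submitted without a severity and a changelog line whose second and third `rhbz#` references were dropped, can both be caught before `bodhi` is ever invoked. The following Python is an added illustration written for this page; it is not fbrnch's Haskell code and not part of bodhi. It reuses the option names visible in the failing command above plus `--severity`, which is the real `bodhi updates new` option the error message asks for (its accepted values, `low`, `medium`, `high` and `urgent`, are taken from the bodhi CLI; the summary string is the one quoted in the report). The function names `changelog_bugs` and `bodhi_update_args` are hypothetical.

```python
import re
import shlex
from typing import Optional

# Every Bugzilla reference on a changelog line, e.g. "rhbz#2068719".  findall
# returns all matches, so a line citing several bugs yields all of them rather
# than only the first one.
RHBZ_RE = re.compile(r"rhbz#(\d+)")

# Severity values accepted by `bodhi updates new --severity`.
SEVERITIES = ("low", "medium", "high", "urgent")


def changelog_bugs(summary: str) -> list[str]:
    """Return every distinct rhbz number in the update summary, in order of appearance."""
    seen: list[str] = []
    for num in RHBZ_RE.findall(summary):
        if num not in seen:
            seen.append(num)
    return seen


def bodhi_update_args(build: str, summary: str, update_type: str,
                      severity: Optional[str] = None) -> list[str]:
    """Assemble the argument vector for `bodhi updates new` (hypothetical helper).

    The severity check is performed locally, before any subprocess runs, so a
    `-u security` invocation fails fast with a clear message instead of
    surfacing as bodhi's "Invalid value for severity" after the koji build.
    """
    if update_type == "security" and severity is None:
        raise ValueError(
            "security updates require a severity: one of " + ", ".join(SEVERITIES))
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")

    args = ["bodhi", "updates", "new", "--type", update_type,
            "--request", "testing", "--notes", summary,
            "--autokarma", "--autotime", "--close-bugs"]
    if severity is not None:
        args += ["--severity", severity]
    bugs = changelog_bugs(summary)
    if bugs:
        # bodhi takes a comma-separated list for --bugs, so all three bugs
        # from the summary are closed, not just the first.
        args += ["--bugs", ",".join(bugs)]
    args.append(build)
    return args


if __name__ == "__main__":
    # Constructed input: the build and summary quoted in the issue report.
    build = "golang-github-containerd-imgcrypt-1.1.4-1.fc36"
    summary = ("Update to 1.1.4 (rhbz#2068719). Mitigates CVE-2022-24778 "
               "(rhbz#2069368, rhbz#2069369)")
    try:
        bodhi_update_args(build, summary, "security")
    except ValueError as exc:
        print("rejected locally:", exc)
    print(shlex.join(bodhi_update_args(build, summary, "security", severity="high")))
```

Running the block shows the local rejection first, then the fully formed command line with `--severity high` and `--bugs 2068719,2069368,2069369`. Only the argument list is built; nothing is executed, so the check can be unit-tested without a Fedora account or a koji build.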