Merge ~sespiros/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:source-map-fix into ubuntu-cve-tracker:master

Something went wrong with the diff despite my rebase. This is an one line change in scripts/source_map.py

LGTM - although to future proof this, I wonder if we could implement some logic like rel < kinetic rather than not rel in [jammy, kinetic] ?

Thanks for taking a look. Maybe by using an enum for release information but that would require a larger change I think.

What about a new function in cve_lib that will check a release against cve_lib's subprojects dictionary for a partner component? (just pushed a change for that)

Re-requesting a review as I added some changes and couldn't re-request only from Alex who has already approved the previous versions of the patch.

LGTM - that is much nicer than my suggestion.

The only problem is I think python's assignment expression syntax was only introduced in 3.8 - but we still have to support python 3.6 on people.canonical.com:

ssh people.canonical.com python3 -c "if a := 1: print(a)"
bash: -c: line 0: syntax error near unexpected token `('
bash: -c: line 0: `python3 -c if a := 1: print(a)'

So this will need a slight refactoring unfortunately.

Nice catch, refactored (and made it much simpler actually).

I renamed its argument to series as it's still confusing to me what's the correct naming of things and different functions use it differently in cve_lib.

Thanks - but now I hate the fact this function is named `release_has_parter()` but takes an argument called `series` - and then always adds a `ubuntu/` prefix which seems too presumptuous - sorry for the run-around - could we instead do something like:

def release_has_partner(rel):
    try:
      _, _, _, details = get_subproject_details(rel)
      return "partner" in details["components"]
    except (ValueError, KeyError):
      return False

Thanks Alex, I hadn't noticed the get_subproject_details() API. I still find confusing the fact that I am passing something that is not technically a release and I call it release (and it's handled by that function by searching for an alias if it failed to find a key) but I just implemented your exact suggestion as it is seems more in-line with how code in cve_lib already works.

Thanks Spyros - this old code is such a mess, it would be great to refactor it all but for now keeping consistent is more important - cheers.

Can we just get rid of all the partner code completely? It's not actually used anymore...

+1 Alex. Marc: I thought about that but don't we need it around for older releases which still have partner?

There's nothing in the partner archive for focal+, for bionic and older, whatever is left in that archive is unmaintained and no longer updated as the commercial contracts have long expired. I don't believe ESM is committing to maintaining any of it.

(sorry, didn't mean to hijack this MP with my comment, ack on the MP)

Rebased, autosquashed and merged.