if and how to extend dpkg to match installed packages against security-tracker
Hi,
from FreeBSD I am used to a command named 'pkg audit' from the pkgng
suite, which checks installed ports against a database of security
advisories and returns a list of vulnerable ports.
(https://www.freebsd.org/cgi/man.cgi?query=pkg-audit)
I did not find a semantically "matching" tool in the dpkg-suite and
'audit' seems to be used with different semantics in dpkg.
Using the security-tracker DB
https://security-tracker.debian.org/tracker/data/json, it has not been
particularly hard to prototype something up which checks installed
packages as given in /var/lib/dpkg/status against this DB.
Assuming that such a tool does not already exist and I just did not
find it, I would offer to contribute to dpkg scripts something like
dpkg-vulnerabilities.pl. Does the dpkg-team have an "official"
position on the requirement and the feature-set for such a script, and
what would be required for contribution?
Thanks
--
Christopher