
Re: if and how to extend dpkg to match installed packages against security-tracker



Hi!

On Fri, 2016-01-15 at 08:11:52 +0100, Christopher J. Ruwe wrote:
> from FreeBSD I am used to a command named 'pkg audit' from the pkgng
> suite, which checks installed ports against a database of security
> advisories and returns a list of vulnerable ports.
> (https://www.freebsd.org/cgi/man.cgi?query=pkg-audit)
> 
> I did not find a semantically "matching" tool in the dpkg-suite and
> 'audit' seems to be used with different semantics in dpkg.

Right.

> Using the security-tracker DB
> https://security-tracker.debian.org/tracker/data/json, it has not been
> particularly hard to prototype something up which checks installed
> packages as given in /var/lib/dpkg/status against this DB.

Ah nice!

> Assuming that such a tool does not already exist and I just did not
> find it, I would offer to contribute to dkpg scripts something like
> dpkg-vulnerabilities.pl. Does the dpkg-team have an "official"
> position on the requirement and the feature-set for such a script, and
> what would be required for contribution?

Such tool already exists for Debian, check debsecan. But it feels like
it might need some love.

But coming to think about it, having something like this supported
natively and out-of-the-box by dpkg (or apt) would be nice, but there
are some issues with it. The server-side data is not standardized at
all, so it would be Debian specific (while dpkg runs on many other
systems), or would imply having to deal with a myriad of formats and
fetchers. And most of the core dpkg toolset does not access the net,
nor deals with remote repositories, but that's not an insurmountable
issue, just kind of a design decision, OTOH dselect handles remotes,
so…

I'd say check debsecan, and if it is not satisfactory, we might
perhaps explore other options?

Thanks,
Guillem
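The check Christopher describes above (installed packages read from /var/lib/dpkg/status, matched against the security-tracker JSON export), as an added example that is not part of this thread, nor code from dpkg or debsecan. It assumes the tracker export is keyed by source package, then CVE id, with per-release `status` and `fixed_version` fields; the sample status stanzas and tracker entries are constructed, and the version comparison re-implements dpkg's ordering so that `~` and epochs are handled correctly.

```python
import re
from itertools import zip_longest

def parse_status(text):
    """Yield (binary, source, version) for each installed stanza of /var/lib/dpkg/status."""
    for stanza in re.split(r"\n\n+", text.strip()):
        f = dict(re.findall(r"^([A-Za-z-]+): (.*)$", stanza, re.M))
        if f.get("Status", "").endswith(" installed"):
            # "Source: foo (1.2-3)" names the source package; it defaults to the binary name
            yield f["Package"], f.get("Source", f["Package"]).split()[0], f["Version"]

def _order(c):  # dpkg's character weight: '~' < end of run < letters < other punctuation
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _frag_cmp(a, b):
    """dpkg's verrevcmp: compare alternating non-digit and numeric runs; -1, 0 or 1."""
    pairs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return (_order(ca) > _order(cb)) - (_order(ca) < _order(cb))
        if int(na or 0) != int(nb or 0):
            return (int(na or 0) > int(nb or 0)) - (int(na or 0) < int(nb or 0))
    return 0

_VER = re.compile(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # epoch : upstream - revision
def dpkg_version_cmp(a, b):
    """Compare two Debian version strings the way dpkg does; returns -1, 0 or 1."""
    pa, pb = _VER.match(a).groups(""), _VER.match(b).groups("")
    return _frag_cmp(pa[0], pb[0]) or _frag_cmp(pa[1], pb[1]) or _frag_cmp(pa[2], pb[2])

def audit(status_text, tracker, release):
    """Return sorted [(binary, cve)] still affected in `release`; tracker is the parsed JSON."""
    hits = []
    for binary, source, version in parse_status(status_text):
        for cve, info in tracker.get(source, {}).items():
            rel = info.get("releases", {}).get(release, {})
            fixed = rel.get("fixed_version")
            # "open": no fix in that release yet; "resolved": affected only below fixed_version
            if rel.get("status") == "open" or (fixed and dpkg_version_cmp(version, fixed) < 0):
                hits.append((binary, cve))
    return sorted(hits)
# Constructed sample data; the tracker layout (source -> CVE -> releases) is assumed here
STATUS = ("Package: libfoo1\nStatus: install ok installed\nSource: foo (1.2-3)\nVersion: 1.2-3\n\n"
          "Package: baz\nStatus: install ok installed\nVersion: 1:3.1~rc1-2\n\n"
          "Package: old\nStatus: deinstall ok config-files\nVersion: 2.0-1\n")
TRACKER = {"foo": {"CVE-0000-0001": {"releases": {"jessie": {"status": "resolved", "fixed_version": "1.2-4"}}},
                   "CVE-0000-0002": {"releases": {"jessie": {"status": "resolved", "fixed_version": "1.2-3"}}}},
           "baz": {"CVE-0000-0003": {"releases": {"jessie": {"status": "open"}}}}}
```

On a real system `STATUS` would be the contents of /var/lib/dpkg/status and `TRACKER` the result of `json.load` on the tracker export, with `release` set to the suite the machine runs.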

