Tracking related source packages

Hi,

During today's meeting we discussed how to track CVEs in related
source packages.  For instance unbound vs. unbound-1.9, or golang
(ELTS) vs. golang-1.7/golang-1.8 (LTS) vs. golang-1.11.

We may miss/delay affected packages due to this, unless the front-desk
is already aware of all related packages. All the more when Security
Team stops tracking a package (ELTS).

Summary:

- This problem is similar/related to tracking embedded code copies.
  See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/2
  With one difference: there's no reference source package.

- This is hard / doesn't make sense to fully automate.
  Security Team expressed opposition to such automation in the past.

- Approaches:

  - As an aid to front-desk triaging: display packages related to
    other packages in the triage scripts, for consideration

  - Add a multi-package view on the security tracker, so it's clear
    which CVEs are not tracked in each related source package,
    (similar to the standard single-source-package view, with one
    column per package but 1-2 Debian versions max per package anyway)

  - Restructure the embedded copies (Markus' suggestion)
    https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/embedded-code-copies

- Security Team handles this issue manually, and with package
  maintainers input, as far as we can tell, but they should have the
  same issue overall so there's possible synergy.

Feel free to follow up on the discussion here.

Cheers!
Sylvain
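The two tooling ideas in the mail (a "related packages" hint for front-desk triage, and a multi-package view showing which CVEs lack an entry in each related source package) can be sketched in a few dozen lines. The script below is an added example written for this page; it is not code from the Debian security tracker or from the LTS triage scripts. It assumes that related source packages share a base name followed by a `-<version>` suffix (unbound / unbound-1.9, golang / golang-1.7 / golang-1.11), which is a heuristic, not a rule the tracker enforces; a real implementation would take the groups from a curated list such as the embedded-code-copies file. All package names and CVE identifiers in `PACKAGES` and `TRACKED` are constructed sample data.

```python
"""
Added example (not part of the original mail or of the Debian security
tracker): derive "related source package" groups from package names and
report CVEs that have an entry for one member of a group but not for the
others.  Package lists and CVE data below are constructed for illustration.
"""
import re
from collections import defaultdict

# Assumption: a package such as "golang-1.11" or "unbound-1.9" is related
# to the base package "golang" / "unbound".  Names without a numeric
# "-<version>" suffix (e.g. "python3-defaults") are their own base.
VERSION_SUFFIX = re.compile(
    r"^(?P<base>[a-z0-9][a-z0-9+.]*?)-(?P<ver>\d+(?:\.\d+)*)$"
)


def base_name(pkg):
    """Strip a trailing -<version> suffix, if present."""
    m = VERSION_SUFFIX.match(pkg)
    return m.group("base") if m else pkg


def group_related(packages):
    """Map base name -> sorted list of related packages (groups of 2+ only)."""
    groups = defaultdict(set)
    for pkg in packages:
        groups[base_name(pkg)].add(pkg)
    return {base: sorted(members)
            for base, members in groups.items() if len(members) > 1}


def related_to(pkg, groups):
    """Triage aid: the other packages in pkg's group, or [] if it has none."""
    members = groups.get(base_name(pkg), [])
    return [p for p in members if p != pkg]


def coverage_gaps(tracked, groups):
    """Multi-package view.

    tracked: {cve: set of source packages that have an entry for that CVE}.
    Returns {cve: {base: [related packages with no entry]}} for every CVE
    that is tracked for some members of a group but not for all of them.
    """
    gaps = {}
    for cve, pkgs in tracked.items():
        for base, members in groups.items():
            covered = [p for p in members if p in pkgs]
            missing = [p for p in members if p not in pkgs]
            if covered and missing:
                gaps.setdefault(cve, {})[base] = missing
    return gaps


def report_lines(gaps):
    """Render the gaps as one line per CVE for a triage script to print."""
    lines = []
    for cve in sorted(gaps):
        for base, missing in sorted(gaps[cve].items()):
            lines.append(f"{cve}: group {base} has no entry for "
                         + ", ".join(missing))
    return lines


# Constructed sample data (not real tracker content).
PACKAGES = ["unbound", "unbound-1.9", "golang", "golang-1.7",
            "golang-1.8", "golang-1.11", "openssl"]

TRACKED = {
    "CVE-0000-0001": {"unbound"},                     # placeholder CVE id
    "CVE-0000-0002": {"golang", "golang-1.11"},       # placeholder CVE id
    "CVE-0000-0003": {"openssl"},                     # no related packages
    "CVE-0000-0004": {"golang", "golang-1.7", "golang-1.8", "golang-1.11"},
}

if __name__ == "__main__":
    groups = group_related(PACKAGES)
    print("related to golang-1.8:", related_to("golang-1.8", groups))
    for line in report_lines(coverage_gaps(TRACKED, groups)):
        print(line)
```

Run stand-alone it prints the siblings of golang-1.8 and two gap lines (CVE-0000-0001 missing unbound-1.9, CVE-0000-0002 missing golang-1.7 and golang-1.8); CVE-0000-0003 and CVE-0000-0004 produce nothing because openssl has no group and the golang group is fully covered. Replacing `PACKAGES` with the tracker's source list and `TRACKED` with its per-CVE entries is all that is needed to turn this into the triage hint the mail proposes; the grouping heuristic is deliberately kept separate so it can be swapped for a hand-maintained list.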