[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Tracking related source packages

Am Thu, Feb 25, 2021 at 05:30:05PM +0100 schrieb Sylvain Beucler:
> - This problem is similar/related to tracking embedded code copies.
>   See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/2
>   With one difference: there's no reference source package.

Not reallly, embedded code copies has a very poor s/n ratio and
would require manual assessment whether actually affected.

For renamed source packages this isn't the case (and if they turn out
to be not vulnerable, they should be marked not-affected anyway)

> - This is hard / doesn't make sense to fully automate.
>   Security Team expressed opposition to such automation in the past.

Quite the opposite, there's even a bug for it :-) This is #738172.

> - Approaches:

1. Add a new file to the tracker with active mappings, e.g.
- golang-1.15,golang-1.11,golang-1.8,golang-1.7

2. Write a script which parses the CVE/list and creates a diff which
adds "foo <unfixed>" (or "foo <removed>") records if a CVE entry lists
one of the source packages of an active mapping, but not the others.

3. Run the script manually for a while, to see if it all works well

4. If it works fine in practice, set up a hook/systemd timer to
run it automatically and commit the result to the tracker.


Reply to: