
Match ecosystems with limited support in debian-security-support

Hi Security Team,

I'm proposing a couple changes in debian-security-support and I'd welcome your review :)

1) Match ecosystems

Sometimes, entire ecosystems are affected by Debian support decisions.

These source package sets come to mind:
- node-*
- golang-*
Currently 'check-support-status' fails to detect individual packages
affected by these decisions; it only notifies about explicitly
referenced packages such as 'nodejs'.

To address this, I'm proposing regex matching, resulting in:
node-.*         0               2020-02-20  ...
golang.*        See https://...

2) Dependent change: fix missing version-based package reports

While experimenting with 1), it appeared that check-security-support does not actually report these:
nasm-mozilla             0                       2019-01-01
nodejs-mozilla           0                       2019-01-01
nodejs                   0.10.29~dfsg-2          2020-02-20

The first two have no supported version; the second one is the last supported version in jessie, but the same version is used for e.g. stretch (while stretch has a higher version 4.8.2~dfsg-1).

The current code considers higher versions as supported, but as discussed in the BTS there doesn't seem to be a valid use case for this, so I just dropped the version-based check (and adapted the test suite).

If you agree with these changes I can merge them, and backport them to the various suites.

What do you think?
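
The regex matching proposed in 1) and the removal of the version comparison in 2), as an added illustration that is not part of the original message and not debian-security-support's own code. The list notes, the installed package set and the function names `parse` and `check` are constructed for this sketch.

```python
import re

# Constructed sample entries in the two shapes quoted in the message:
# "pattern  last-version  end-date  note" and "pattern  free-text note".
ENDED = """\
node-.*         0               2020-02-20  constructed note
nodejs          0.10.29~dfsg-2  2020-02-20  constructed note
nasm-mozilla    0               2019-01-01  constructed note
"""
LIMITED = """\
golang.*        See the suite's release notes (constructed text)
"""

def parse(text, fields):
    """Split each non-comment line into `fields` columns; the last is free text."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split(None, fields - 1)
        cols += [""] * (fields - len(cols))
        rows.append((re.compile(cols[0]), *cols[1:]))
    return rows

def check(installed, ended=ENDED, limited=LIMITED):
    """Return {source_package: [(status, detail), ...]} for affected packages.
    Patterns go through fullmatch(), so "node-.*" cannot match "nodejs" by
    prefix and the literal "nodejs" cannot match "nodejs-mozilla".
    No version comparison is made: any installed version of a listed package
    is reported, as in change 2) of the message.
    """
    report = {}
    for name, _version in installed.items():
        for pattern, _last, date, _note in parse(ended, 4):
            if pattern.fullmatch(name):
                report.setdefault(name, []).append(("ended", date))
        for pattern, note in parse(limited, 2):
            if pattern.fullmatch(name):
                report.setdefault(name, []).append(("limited", note))
    return report

# Constructed installed set: source package -> version.
INSTALLED = {"node-lodash": "4.17.4-1", "nodejs": "4.8.2~dfsg-1",
             "golang-go.crypto": "1.0-1", "golang": "1.7-1", "bash": "4.4-5"}

if __name__ == "__main__":
    for pkg, hits in sorted(check(INSTALLED).items()):
        print(pkg, hits)
```

Debian package names may contain `.` and `+`, which are regex metacharacters, so literal entries in a list read this way need escaping before they are compiled.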

