Match ecosystems with limited support in debian-security-support
Hi Security Team,
I'm proposing a couple changes in debian-security-support and I'd
welcome your review :)
1) Match ecosystems
https://bugs.debian.org/986333
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/10
Sometimes, entire ecosystems are affected by Debian support decisions.
These source package sets come to mind:
- node-*
https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8
https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8
- golang-*
https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
Currently 'check-support-status' fails to detect individual packages
affected by these decisions; it only notifies about explicitly
referenced packages such as 'nodejs'.
To address this, I'm proposing regex matching, resulting in:
node-.* 0 2020-02-20 ...
golang.* See https://...
2) Dependent change: fix missing version-based package reports
https://bugs.debian.org/986581
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/9
While experimenting with 1), it appeared that check-security-support
does not actually report these:
nasm-mozilla 0 2019-01-01
nodejs-mozilla 0 2019-01-01
nodejs 0.10.29~dfsg-2 2020-02-20
The first two have no supported version, the second one is the last
supported version in jessie, but the same version is used for e.g.
stretch (while stretch has a higher version 4.8.2~dfsg-1).
The current code considers higher versions as supported, but as
discussed in the BTS there doesn't seem to be a valid use case for this,
so I just dropped the version-based check (and adapted the test suite).
If you agree with these changes I can merge them, and backport them to
the various suites.
What do you think?
Cheers!
Sylvain
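
Added example (not part of the original message and not debian-security-support's own code): a Python illustration of the two behaviours proposed above, regex entries that cover a whole ecosystem and reporting every matched package without a version comparison. Whole-name anchoring of the patterns, the literal fallback for entries that are not valid regexes, and the helper names are assumptions of this example; the inventory versions other than nodejs 4.8.2~dfsg-1 are constructed.

```python
import re

# Constructed sample in the "pattern last-version end-date" layout quoted above.
ENDED_LIST = """\
# constructed sample, not the shipped list
nasm-mozilla    0               2019-01-01
nodejs-mozilla  0               2019-01-01
nodejs          0.10.29~dfsg-2  2020-02-20
node-.*         0               2020-02-20
"""

# Constructed inventory of installed source packages: (name, version).
INSTALLED = [
    ("node-lodash", "4.17.4~dfsg-1"),
    ("nodejs", "4.8.2~dfsg-1"),
    ("nodejs-mozilla", "8.11.1-1"),
    ("openssl", "1.1.0l-1"),
]

def compile_name(pattern):
    """Compile a list entry; an invalid regex is treated as a literal name."""
    try:
        return re.compile(pattern)
    except re.error:
        return re.compile(re.escape(pattern))

def parse_ended(text):
    """Return (compiled pattern, last version, end date) for each list line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        entries.append((compile_name(fields[0]), fields[1], fields[2]))
    return entries

def unsupported(installed, entries):
    """Report every package whose whole name matches an entry.

    No version comparison: a match is reported whatever version is installed.
    fullmatch() keeps 'nodejs' from also covering 'nodejs-mozilla' and keeps
    'node-.*' from covering 'nodejs'.
    """
    hits = []
    for name, version in installed:
        for regex, _last_version, end_date in entries:
            if regex.fullmatch(name):
                hits.append((name, version, regex.pattern, end_date))
                break
    return hits
```

With this inventory, nodejs 4.8.2~dfsg-1 is reported even though it is newer than the listed 0.10.29~dfsg-2, and node-lodash is caught only through the node-.* entry.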