Match ecosystems with limited support in debian-security-support
Hi Security Team,
I'm proposing a couple changes in debian-security-support and I'd
welcome your review :)
1) Match ecosystems
Sometimes, entire ecosystems are affected by Debian support decisions.
These source package sets comes to mind:
Currently 'check-support-status' fails to detect individual packages
affected by these decisions, it only notifies about explicitly
referenced packages such as 'nodejs'.
To address this, I'm proposing regex matching, resulting in:
node-.* 0 2020-02-20 ...
golang.* See https://...
2) Dependent change: fix missing version-based package reports
While experimenting with 1), it appeared that check-security-support
does not actually report these:
nasm-mozilla 0 2019-01-01
nodejs-mozilla 0 2019-01-01
nodejs 0.10.29~dfsg-2 2020-02-20
The first two have no supported version, the second one is the last
supported version in jessie, but the same version is used for e.g.
stretch (while stretch has a higher version 4.8.2~dfsg-1).
The current code considers higher versions as supported, but as
discussed in the BTS there doesn't seem to be a valid use case for this,
so I just dropped the version-based check (and adapted the test suite).
If you agree with these changes I can merge them, and backport them to
the various suites.
What do you think?