On Tue, Sep 01, 2009 at 11:14:04PM +0200, Julien Cristau wrote:
> On Tue, Sep 1, 2009 at 14:06:17 -0700, Steve Langasek wrote:
> > On Tue, Sep 01, 2009 at 11:39:40AM +0200, Julien Cristau wrote:
> > > On Sun, Aug 30, 2009 at 23:38:17 +0200, Lucas Nussbaum wrote:
> > > > That's unfortunate. Imagine the following scenario:
> > > > 1. Package P is released in sarge, with version 1.0-1.
> > > > 2. Package P is installed on a system S, running sarge.
> > > > 3. etch is released with P 1.0-1.
> > > > 4. A security bug is found in P.
> > > Does this actually happen? How often?
> > Often enough that it's been discussed repeatedly over the years; not often
> > enough that anyone has fixed it. :)
> Every time I've seen it discussed, it was by people who aren't part of
> the security team, and so far the security team seem to say it's not a
> concern for them, so for all I know it may just be theoretical…
Binary packages with the exact same version between etch and lenny:
$ zgrep -h Filename dists/{etch,lenny}/main/binary-i386/Packages.gz | sort | uniq -d | wc -l
1838
$
Source packages at the same version between etch and lenny (which may
include source packages that have been incremented only by a binNMU
version):
$ zgrep -h ' .*\.dsc' dists/{etch,lenny}/main/source/Sources.gz | sort | uniq -d | wc -l
1630
$
This represents roughly 10% of the binaries in main, and roughly 16% of the
sources.
$ for src in $(
    zgrep -h ' .*\.dsc' ../../dists/{etch,lenny}/main/source/Sources.gz |
    sort | uniq -d | sed -e's/.* //; s/_.*//'
  ); do
    zcat dists/lenny/updates/main/source/Sources.gz |
    grep-dctrl -FPackage -sPackage -X $src
  done
$
So no actual source packages that have had this problem for etch and lenny,
interestingly enough.
I thought there had been one in the sarge timeframe; but I'm not going to go
digging any farther to confirm this. Yes, the problem is more or less
theoretical.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
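The same cross-suite check as the commands above, rewritten as an added POSIX shell example that is not part of this thread: it parses Packages/Sources stanzas (Package and Version fields) instead of grepping Filename lines, optionally drops a binNMU suffix so binaries rebuilt from the same source version still count as identical, and then looks the matching packages up in a security-updates index. The three indexes are constructed inline for the example and are not Debian data; the function names, the `+bN` normalisation and the sample package names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: compare two suites' indexes with a
# stanza parser and cross-reference the security-updates index. Function
# names and the sample indexes below are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample indexes (uncompressed Packages files, three stanzas
# each). "foo" is identical in both suites; "bar" differs only by a binNMU.
ETCH="$WORK/etch.Packages"
LENNY="$WORK/lenny.Packages"
UPDATES="$WORK/etch-updates.Packages"

cat > "$ETCH" <<'EOF'
Package: foo
Version: 1.0-1
Filename: pool/main/f/foo/foo_1.0-1_i386.deb

Package: bar
Version: 2.3-4
Filename: pool/main/b/bar/bar_2.3-4_i386.deb

Package: baz
Version: 0.9-2
Filename: pool/main/b/baz/baz_0.9-2_i386.deb
EOF

cat > "$LENNY" <<'EOF'
Package: foo
Version: 1.0-1
Filename: pool/main/f/foo/foo_1.0-1_i386.deb

Package: bar
Version: 2.3-4+b1
Filename: pool/main/b/bar/bar_2.3-4+b1_i386.deb

Package: baz
Version: 1.1-1
Filename: pool/main/b/baz/baz_1.1-1_i386.deb
EOF

# Constructed security-updates index for the older suite.
cat > "$UPDATES" <<'EOF'
Package: foo
Version: 1.0-1etch1
Filename: pool/updates/main/f/foo/foo_1.0-1etch1_i386.deb

Package: baz
Version: 0.9-2etch1
Filename: pool/updates/main/b/baz/baz_0.9-2etch1_i386.deb
EOF

# Print "package version" for each stanza. awk paragraph mode (RS="")
# makes a blank line the record separator and each header line a field.
pkg_versions() {
    awk -v RS= -F'\n' '{
        p = ""; v = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Package: /) p = substr($i, 10)
            else if ($i ~ /^Version: /) v = substr($i, 10)
        }
        if (p != "" && v != "") print p, v
    }' "$1"
}

# Packages at the identical version in both suites: concatenate the two
# lists, sort, and keep lines that occur twice (the uniq -d idea above).
same_version() {
    { pkg_versions "$1"; pkg_versions "$2"; } | sort | uniq -d
}

# Same comparison, but a binNMU suffix (+bN) is dropped first, so binaries
# rebuilt from an unchanged source version still count as the same version.
same_source_version() {
    { pkg_versions "$1"; pkg_versions "$2"; } |
        sed 's/+b[0-9][0-9]*$//' | sort | uniq -d
}

# Read "package version" lines on stdin and print every stanza that the
# security-updates index carries for those packages (exact name match).
with_security_update() {
    pkg_versions "$1" > "$WORK/updates.list"
    while read -r pkg ver; do
        awk -v p="$pkg" '$1 == p' "$WORK/updates.list"
    done
}

echo "identical binary versions:";      same_version "$ETCH" "$LENNY"
echo "identical source versions:";      same_source_version "$ETCH" "$LENNY"
echo "of which got a security update:"
same_version "$ETCH" "$LENNY" | with_security_update "$UPDATES"
```

On the constructed data the last step reports `foo 1.0-1etch1`: a package shipped at the same version in both suites that received a security update in the older one, which is exactly the case the loop above went looking for (and found none of) in etch and lenny. Against real mirrors, point the three variables at uncompressed copies of the corresponding `Packages` or `Sources` files.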