Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-security-support@packages.debian.org
Control: affects -1 + src:debian-security-support
Dear release team,
I'd like to propose a bookworm update for debian-security-support.
[ Reason ]
There are two changes: fixing #1106203, and a typo in a package name.
#1106203 makes that the purpose of check-security-support (the main
debian-security-support script) is null for packages that have been
NMU'ed or that have a different version between the source and binary
packages. See some examples at
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/44#note_615156
[ Impact ]
The user will continue to not be warned that the concerned installed
packages don't benefit from a full security support from Debian.
[ Tests ]
A test has been added to the package, that is run during build time.
I've tested the test on my own bookworm machine, and now I get results
like:
* Source:golang-github-containers-buildah
Details: See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
Affected binary package:
- buildah (installed version: 1.28.2+ds1-3+deb12u1+b1)
[ Risks ]
The code is trivial, and the tests have good coverage.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The main change is:
diff -Nru debian-security-support-12+2025.05.10/check-support-status.in debian-security-support-12+2025.06.20/check-support-status.in
--- debian-security-support-12+2025.05.10/check-support-status.in 2025-05-10 09:43:50.000000000 -0300
+++ debian-security-support-12+2025.06.20/check-support-status.in 2025-06-20 17:54:47.000000000 -0300
@@ -169,7 +169,7 @@
# Get list of installed packages
INSTALLED_LIST="$TEMPDIR/installed"
-LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${Source}\n' |
+LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${source:Package}\n' |
[% AWK %] '($1=="install"){print}' |
[% AWK %] -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}' >"$INSTALLED_LIST"
When the version of a binary package differs from the source package,
the old dpkg-query returns something like:
install ok installed buildah 1.28.2+ds1-3+deb12u1+b1 golang-github-containers-buildah (1.28.2+ds1-3+deb12u1)
                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
and the new one:
install ok installed buildah 1.28.2+ds1-3+deb12u1+b1 golang-github-containers-buildah
                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The remaining code compares the name of the source package with the
underlined (^) string, with grep -x, so the name didn't match.
Changes in t/check-support-status.t include a test for the above.
And there is a typo fix in security-support-limited s/gobgpd/gobgp/
since check-security-support checks for the name of the source package,
not the binary. I've verified that this works.
[ Other info ]
N/A
Thanks!
-- Santiago
diff -Nru debian-security-support-12+2025.05.10/check-support-status.in debian-security-support-12+2025.06.20/check-support-status.in
--- debian-security-support-12+2025.05.10/check-support-status.in 2025-05-10 09:43:50.000000000 -0300
+++ debian-security-support-12+2025.06.20/check-support-status.in 2025-06-20 17:54:47.000000000 -0300
@@ -169,7 +169,7 @@
# Get list of installed packages
INSTALLED_LIST="$TEMPDIR/installed"
-LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${Source}\n' |
+LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${source:Package}\n' |
[% AWK %] '($1=="install"){print}' |
[% AWK %] -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}' >"$INSTALLED_LIST"
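Review bot: The `$4==""` fallback on the last awk line was written for the raw Source field; with `${source:Package}` in the showformat it is worth confirming whether that branch is still reachable, and either dropping it or adding a comment on why it stays. A one-line comment above the dpkg-query call noting that Source can carry a trailing "(version)" would also keep a later edit from switching the field back.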
diff -Nru debian-security-support-12+2025.05.10/debian/changelog debian-security-support-12+2025.06.20/debian/changelog
--- debian-security-support-12+2025.05.10/debian/changelog 2025-05-10 10:05:50.000000000 -0300
+++ debian-security-support-12+2025.06.20/debian/changelog 2025-06-20 17:58:38.000000000 -0300
@@ -1,3 +1,11 @@
+debian-security-support (1:12+2025.06.20) bookworm; urgency=medium
+
+ * Query source:Package instead of Source to get the list of packages
+ (Closes: #1106203)
+ * Fix typo related to gobgp
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Fri, 20 Jun 2025 17:58:38 -0300
+
debian-security-support (1:12+2025.05.10) bookworm; urgency=medium
[ Salvatore Bonaccorso ]
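Review bot: The second changelog bullet, "Fix typo related to gobgp", does not say which file changed or what the typo was. Wording such as "security-support-limited: list the source package gobgp instead of the binary gobgpd" would let someone reading only the changelog see why the old entry had no effect.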
diff -Nru debian-security-support-12+2025.05.10/security-support-limited debian-security-support-12+2025.06.20/security-support-limited
--- debian-security-support-12+2025.05.10/security-support-limited 2025-05-10 09:54:22.000000000 -0300
+++ debian-security-support-12+2025.06.20/security-support-limited 2025-06-20 17:54:47.000000000 -0300
@@ -12,7 +12,7 @@
ganglia See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
ganglia-web See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
golang.* See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
-gobgpd See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
+gobgp See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
gnupg1 See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
jython Includes python2.7 stdlib, support limited until Py3 port, see #975058 and https://lists.debian.org/debian-lts/2024/08/msg00027.html
kde4libs khtml has no security support upstream, only for use on trusted content
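Review bot: The corrected `gobgp` line fixes one entry that used a binary package name, but nothing in this hunk stops the same mistake on the next addition. If the file has no header comment saying that the first column is matched against source package names, adding one here would make the convention visible to whoever edits the list next.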
diff -Nru debian-security-support-12+2025.05.10/t/check-support-status.t debian-security-support-12+2025.06.20/t/check-support-status.t
--- debian-security-support-12+2025.05.10/t/check-support-status.t 2025-05-10 09:43:50.000000000 -0300
+++ debian-security-support-12+2025.06.20/t/check-support-status.t 2025-06-20 17:54:47.000000000 -0300
@@ -213,6 +213,7 @@
__EOS__
write_file ($list_limited, <<__EOS__);
php5 See README.Debian.security for the PHP security policy
+gobgp binNMU'ed package from a statically linked ecosystem
__EOS__
mock_query_list (
$query_list,
@@ -225,6 +226,7 @@
[ 'ioi', 'supported-package', '1.0-1' ],
[ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
[ 'ioi', 'libjs-marked', '0.3.2+dfsg-1', 'node-marked' ],
+ [ 'ioi', 'gobgpd', '3.10.0-1+b4', 'gobgp' ],
],
);
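Review bot: The mocked row `[ 'ioi', 'gobgpd', '3.10.0-1+b4', 'gobgp' ]` supplies the source as a clean fourth field, so if mock_query_list emits it verbatim whatever showformat is requested, this case would also pass with the old `${Source}` format and would not catch a regression of #1106203. Consider having the mock return "gobgp (3.10.0-1)" when `${Source}` is asked for, or asserting on the showformat passed to the mock, so that the test fails without the check-support-status.in change.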
@@ -253,6 +255,11 @@
- libjs-marked (installed version: 0.3.2+dfsg-1)
+* Source:gobgp
+ Details: binNMU'ed package from a statically linked ecosystem
+ Affected binary package:
+ - gobgpd (installed version: 3.10.0-1+b4)
+
* Source:php5
Details: See README.Debian.security for the PHP security policy
Affected binary package:
@@ -277,6 +284,7 @@
debconf/1.5.36.1
debconf-i18n/1.5.36.1
libjs-marked/0.3.2+dfsg-1
+gobgpd/3.10.0-1+b4
php5/5.3.3-7+squeeze19
openjdk-6-jre/6b35-1.13.7-1~deb7u1
__EOS__
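Added example, not part of the original message or of debian-security-support: the field mismatch described in the message, reproduced on constructed dpkg-query-style rows. `flagged` is a simplified stand-in for the script's grep -x lookup, `dirty_sources` is a hypothetical guard, and the gobgp source version 3.10.0-1 is an assumed value.

```sh
#!/bin/sh
# Added example; all rows are constructed. Fields are tab-separated:
# status, binary package, version, source field.
TAB=$(printf '\t')

# ${Source}: carries " (source-version)" when binary and source versions differ.
old_rows() {
    printf 'install ok installed\tgobgpd\t3.10.0-1+b4\tgobgp (3.10.0-1)\n'
    printf 'install ok installed\tphp5\t5.3.3-7+squeeze19\t\n'
}

# ${source:Package}: the bare source package name.
new_rows() {
    printf 'install ok installed\tgobgpd\t3.10.0-1+b4\tgobgp\n'
    printf 'install ok installed\tphp5\t5.3.3-7+squeeze19\tphp5\n'
}

# The two awk stages from check-support-status.in, using plain awk.
normalize() {
    awk '($1=="install"){print}' |
    awk -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}'
}

# Simplified stand-in for the script's lookup (assumption): report binaries
# whose source column equals a listed name as a whole line (grep -x).
# $1 is a space-separated list of names from the support list.
flagged() {
    normalize | while IFS="$TAB" read -r bin ver src; do
        for name in $1; do
            if printf '%s\n' "$src" | grep -qx -e "$name"; then
                printf '%s\n' "$bin"
            fi
        done
    done | paste -s -d ' ' -
}

# Hypothetical guard: count rows whose source column is not a plain package name.
dirty_sources() {
    normalize | awk -F'\t' '$3 !~ /^[a-z0-9][a-z0-9+.-]+$/ {n++} END {print n+0}'
}

echo "Source field:         $(old_rows | flagged 'gobgp php5')"
echo "source:Package field: $(new_rows | flagged 'gobgp php5')"
echo "list typo (gobgpd):   $(new_rows | flagged 'gobgpd php5')"
echo "dirty rows old/new:   $(old_rows | dirty_sources)/$(new_rows | dirty_sources)"
```

With the old field the binNMU'ed gobgpd is silently dropped from the report; with the binary name `gobgpd` in the list it is dropped even with the new field, which is why both changes are needed.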