source packages linux-latest, linux-signed-amd64 in security tracker

To: debian-security-tracker@lists.debian.org
Subject: source packages linux-latest, linux-signed-amd64 in security tracker
From: findmyname@tutanota.com
Date: Mon, 17 Jan 2022 12:49:55 +0100 (CET)
Message-id: <[🔎] Mtbrohb--3-2@tutanota.com>

Hello all,

I started to use https://security-tracker.debian.org/tracker/ and endpoint for JSON especially.

Recently I bumped into weird issue. I noticed that all new binary packages for linux-image-amd64 are either from linux-signed-amd64 or linux-latest source packages based on the OS release. The issue is that security tracker doesn't display any security vulnerability for those two, see linux-signed-amd64, linux-latest. It seems like all security issues are tracked for source package linux only.

My script uses:

1) JSON endpoint to detect new CVE vulnerabilities/updates.

2) If it detects new update it resolves source package to binary one. However CVEs/updates are tracked only for linux source package. Linux source package isn't referenced to new binary packages for linux kernel. For that reason I cannot link these ...

Please let me know if it is intentional that security issues aren't tracked for linux-signed-amd64 or linux-latest source packages. If so is there possibility how I can interconnect linux source package with these two or with binary package? for example with this one.

Thanks a lot for keeping CVE data up to date !

Reply to:

Follow-Ups:
- Re: source packages linux-latest, linux-signed-amd64 in security tracker
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: External check
Next by Date: External check
Previous by thread: Bug#1001453: security-tracker: extend support for bug reporting to update the CVE list with the bug number
Next by thread: Re: source packages linux-latest, linux-signed-amd64 in security tracker
Index(es):
- Date
- Thread