
Re: Version Numbers in DSAs



* Alex Page:

> I'm having a bit of trouble with version numbers reported in DSAs. We keep 
> our stable systems patched by updating against security.debian.org but 
> have an external audit process, which compares the versions of installed 
> packages with the versions reported as fixed in each DSA.

You should download the .dsc files and use the version number
contained therein.  This is what dsa2list does (a helper tool for the
security tracker).  This only gives you the source version, but you
can get that for an installed package from the dpkg status file.

The data generated for debsecan also includes epochs.  debsecan also
implements the comparison based on source versions.

(We use source versions for tracking because binary package versions
and names are architecture-specific.)


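The comparison described in the message above, as an added example that is not part of the original message and is not code from dsa2list or debsecan: it reads source names and versions from dpkg status stanzas and compares them, epochs included, against fixed source versions. The function names, the sample stanzas and the fixed versions are constructed for illustration.

```python
import re

def _order(c):  # '~' sorts before everything, even end of string (0); letters before symbols
    return -1 if c == "~" else ord(c) + (0 if c.isalpha() else 256)
def _cmp_part(a, b):
    """Compare two upstream or revision strings, one non-digit/digit run pair at a time."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        da, db = re.match(r"\d*", a[len(na):]).group(), re.match(r"\d*", b[len(nb):]).group()
        a, b = a[len(na) + len(da):], b[len(nb) + len(db):]
        width = max(len(na), len(nb))
        ka = ([_order(c) for c in na] + [0] * width)[:width], int(da or 0)
        kb = ([_order(c) for c in nb] + [0] * width)[:width], int(db or 0)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev
def compare_versions(a, b):
    """Return -1, 0 or 1, following Debian ordering (epoch, upstream, revision)."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def source_versions(status_text):
    """Map installed binary package -> (source name, source version)."""
    out = {}
    for stanza in status_text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l and l[0] != " ")
        if f.get("Status", "").split()[-1:] != ["installed"]:
            continue
        m = re.match(r"(\S+)(?: \((.+)\))?", f.get("Source", f["Package"]))  # "foo (1:2.4-3)"
        out[f["Package"]] = (m.group(1), m.group(2) or f["Version"])
    return out

def audit(status_text, fixed):
    """Return installed binaries whose source version is older than the fixed one."""
    return sorted(p for p, (src, ver) in source_versions(status_text).items()
                  if src in fixed and compare_versions(ver, fixed[src]) < 0)
# Constructed sample data: not real packages, DSAs or versions.
SAMPLE_STATUS = (
    "Package: libfoo1\nStatus: install ok installed\nSource: foo (1:2.4-3)\nVersion: 1:2.4-3+b1\n\n"
    "Package: bar\nStatus: install ok installed\nVersion: 1.0~rc1-1\n\n"
    "Package: baz-utils\nStatus: install ok installed\nSource: baz\nVersion: 0.9-2sarge1\n")
SAMPLE_FIXED = {"foo": "1:2.4-3", "bar": "1.0-1", "baz": "0.9-2sarge2"}
```

With the sample data, libfoo1 passes because its Source field carries the source version 1:2.4-3 even though the binary version has a +b1 suffix, while bar and baz-utils are reported as older than the fixed source version.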