
Re: Using "conflicts" to deal with insecure packages in unstable



On Sun, 2004-10-17 at 22:50, Marco Paganini wrote:
> I've been looking for a solution for this dilemma on the net. The
> closest thing I found is Debian's "harden*" packages, that use the
> "Conflict:" feature to conflict with known insecure software. The
> question is: Is there a similar package that conflicts with known
> insecure package versions as posted in the debian-security
> mailing-list? Such package would need to be upgraded every time a new
> security announcement is made, but at least it would provide a quick
> way to know whether a server contains packages (from unstable) with
> known vulnerabilities or not.

That probably won't happen. Unstable packages change so much that keeping
tabs on security issues is nigh impossible. This would require knowing
what version the current package is, what changes have been made from
the previous version, and whether those changes fix the security issue -
and doing it for > 10000 packages. It's tough enough to do for stable, I
imagine. Unstable is called "unstable" for a reason.

You could perhaps use apt pinning in conjunction with the
APT::Default-Release apt config option. Though I've never done it, I
understand apt has the ability to pin individual packages to separate
branches. This could possibly be used to allow you to do an apt-get
upgrade without worrying that you are going to upgrade all packages to
their unstable versions.

-davidc
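The pinning setup davidc describes, written out as an added example (not part of this thread and not a Debian-provided script): a small POSIX shell script that stages an `APT::Default-Release` snippet plus an `/etc/apt/preferences` file into a scratch directory, so the result can be reviewed before it is copied under `/etc/apt`. The package name `openssh-server` is a placeholder chosen for illustration, and the priority values follow the rules in apt_preferences(5): the default release gets 990, other releases 500, a pin below 500 is never chosen over an installed version from another distribution, and a tie in priority is broken by the higher version.

```shell
#!/bin/sh
# Added example: stage an APT::Default-Release + pinning configuration into a
# scratch directory so it can be inspected before copying under /etc/apt.
# The package name passed to write_preferences is a placeholder.
set -eu

# Write an apt.conf snippet that makes "stable" the default release.
# With this set, versions from the target release get priority 990 and
# versions from other releases 500, so a plain "apt-get upgrade" stays
# on stable instead of pulling every package up to its unstable version.
write_apt_conf() {
    dir="$1"
    mkdir -p "$dir/apt.conf.d"
    cat > "$dir/apt.conf.d/99default-release" <<'EOF'
APT::Default-Release "stable";
EOF
}

# Write a preferences file that pins only the named packages to unstable.
# Priority 990 on the unstable versions of those packages ties with the
# stable candidate, and apt then prefers the higher version, i.e. unstable
# (never a downgrade). Everything else in unstable is held at 100: not
# installed automatically, but still available on request with "-t unstable".
write_preferences() {
    dir="$1"; shift
    mkdir -p "$dir"
    {
        printf 'Package: *\nPin: release a=unstable\nPin-Priority: 100\n\n'
        for pkg in "$@"; do
            printf 'Package: %s\nPin: release a=unstable\nPin-Priority: 990\n\n' "$pkg"
        done
    } > "$dir/preferences"
}

# Return the priority the staged preferences file assigns to one package,
# or 100 (the catch-all unstable stanza) when it has no stanza of its own.
# Stanzas are blank-line separated: "Package:", "Pin:", "Pin-Priority:".
pin_priority_for() {
    dir="$1"; pkg="$2"
    prio=$(awk -v p="$pkg" '
        $1 == "Package:" && $2 == p { found = 1; next }
        found && $1 == "Pin-Priority:" { print $2; exit }
        /^$/ { found = 0 }' "$dir/preferences")
    echo "${prio:-100}"
}

# Stage into a scratch directory (override with STAGE_DIR) and review.
stage_dir="${STAGE_DIR:-$(mktemp -d)}"
write_apt_conf "$stage_dir"
write_preferences "$stage_dir" openssh-server
# After copying the two files under /etc/apt, confirm what apt will do with:
#   apt-cache policy openssh-server
# which prints the priority apt actually applies to each candidate version.
```

`apt-cache policy <package>` is the check worth running after any change here: it shows the installed version, the candidate, and the pin priority of every available version, so a package that unexpectedly resolves to unstable is visible before `apt-get upgrade` touches it. A one-off pull from unstable without editing the preferences file is `apt-get install -t unstable <package>`, which only overrides the default release for that single command.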


