[Secure-testing-team] Debian Security Analyzer (debsecan)
Florian Weimer
fw at deneb.enyo.de
Wed Dec 14 20:02:48 UTC 2005
* Joey Hess:
> Very nice. You plan to upload the deb soon?
First I want to make sure that the data format is adequate. I'll know in
a couple of days.
> It might be good to either move at least the files debsecan uses to a
> debian.org machine, or add a debian.net address for it, so that the url
> it downloads from is more under debian's control.
I'm fine with a delegation from debian.org or debian.net (or a CNAME,
if delegation is impossible), but a hard-coded A RR is not acceptable.
IIRC, the debian.org hostmaster is pretty unresponsive -- and pulling
the A record might be necessary if the service becomes too popular.
We could distribute the files over the secure-testing mirrors, though.
(Unfortunately, generating them requires 500+ MB for the package file
mirror, and quite a few CPU cycles. It's not a straight translation
of the data/*/list files, I'm afraid.)
> Could it also list unfixed vulnerabilities?
Ah, this was a typo on the server side. Should be back to normal
again.
I've implemented the opposite, so that you can say something like
this:
# apt-get install $(debsecan --suite sid --format packages --only-fixed)
And you'll download only new versions of those packages which have
security fixes.
This should also work for the other suites, but all this version
tracking is a bit scary. (BTW, --only-fixed is the main reason why
the package file mirror is needed.)