[Secure-testing-team] debsecan 0.2

Florian Weimer fw at deneb.enyo.de
Mon Dec 19 19:48:42 UTC 2005


I have uploaded debsecan 0.2.  Major changes are:

  * debsecan 0.1 did not report vulnerability status correctly when a
    binary package did not match the name of a source package (a
    rather embarrassing bug, which prompted me to create a proper test
    suite).

  * Thanks to Andreas Barth's kind support, the vulnerability data is
    now stored on the secure-testing.debian.net infrastructure.

  * A script to create a randomized cron entry is included
    ("debsecan-create-cron").

I have discovered how to deal with pinning etc., but this requires
quite a bit of additional code on the server side.  Implementation
will need to wait until after Christmas, I guess.

Another problem has come up: If a binary package is removed (say,
libfoo7 is replaced by libfoo8), and the foo source package is fixed,
it's not clear how to deduce that the "fix" is to remove libfoo7 (and
not to upgrade it, which is not possible because the archive contains
a newer source package, but no binary package).

Test reports welcome.  If everything goes well, I'm going to announce
0.2 to a wider audience.



