
find packages without security support / consider installation of debian-security-support by default
Open, Normal, Public

Description

When the Debian security team ends security support for packages, and an affected package is already installed, those packages will by default not be reported. Therefore the user will likely continue to use those eventually vulnerable packages. This also applies to Debian stable.

The debian-security-support package helps to solve this issue. It provides a check-support-status command that can list those packages and that also runs automatically during apt-get dist-upgrade.

As of Debian wheezy, examples include kde4libs, pidgin, qtwebkit, webkit. (Check output of debian-security-support.)

Installing debian-security-support would cause more confusion than gain. Reporting something like kde4libs and a bunch of libs tells the user nothing. Showing reverse depends is a missing feature in debian-security-support.

debian-security-support is a sh shell script.

TODO:

  • This is something that needs to be documented in the updating documentation.
  • Implement showing reverse depends in debian-security-support. (upstream feature request)
  • Think about whatever else is missing in debian-security-support to make it useful for the user.
  • Finally, after improving debian-security-support, install it by default.
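
The missing reverse-depends report could look like the following sketch. It is an added example, not part of this task or of debian-security-support: the function names are hypothetical, the status stanzas are constructed, and the list of unsupported binary package names on stdin is assumed to have been prepared by the user.

```shell
# Constructed sample in dpkg status format (the package relations are made up).
sample_status() {
cat <<'EOF'
Package: kate
Status: install ok installed
Depends: libc6 (>= 2.4), libkdecore5 (>= 4:4.8)

Package: okular
Status: install ok installed
Depends: libexample1 | libkdecore5 (>= 4:4.8)

Package: konsole
Status: deinstall ok config-files
Depends: libkdecore5 (>= 4:4.8)
EOF
}

# Print installed packages whose Depends/Pre-Depends name package $1.
# Reads $DPKG_STATUS if set, otherwise the real dpkg database.
installed_rdepends() {
    awk -v target="$1" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            name = ""; installed = 0; deps = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) name = substr($i, 10)
                else if ($i ~ /^Status: /) installed = ($i ~ / installed$/)
                else if ($i ~ /^(Pre-)?Depends: /)
                    deps = deps "," substr($i, index($i, ":") + 1)
            }
            if (!installed) next       # skip removed or config-files-only stanzas
            n = split(deps, alt, /[,|]/)
            for (j = 1; j <= n; j++) {
                d = alt[j]; sub(/^[ \t]+/, "", d)
                sub(/[ \t(:].*$/, "", d)   # drop version constraint, arch qualifier
                if (d == target) { print name; break }
            }
        }' "${DPKG_STATUS:-/var/lib/dpkg/status}" | sort -u
}

# stdin: unsupported binary package names, one per line.
report_unsupported() {
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        users=$(installed_rdepends "$pkg" | paste -s -d ' ' -)
        printf '%s: needed by %s\n' "$pkg" "${users:-nothing installed}"
    done
}
```

To try it on the constructed data, write `sample_status` to a file, point `DPKG_STATUS` at that file and pipe package names into `report_unsupported`.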

Details

Impact
High

Event Timeline

Patrick created this task. Feb 6 2015, 5:13 AM
Patrick updated the task description.
Patrick raised the priority of this task from to Normal.
Patrick added subscribers: Patrick, HulaHoop, WhonixQubes.
Patrick updated the task description. Feb 7 2015, 4:50 PM
Patrick updated the task description.
Patrick added a project: bash.
Patrick updated the task description.
Patrick set Impact to High. May 23 2015, 3:14 PM
Patrick added a subscriber: nrgaway.
Patrick updated the task description. May 24 2015, 6:56 AM
g919v3r added a subscriber: g919v3r. Oct 8 2015, 5:22 AM