Package: debian-security-support
Severity: normal

Hi,
In security-support-ended.debX, the 2nd field (version) is described as:
"last version with support".
If the currently installed version is higher, then it is not reported.
For instance, nodejs/4.8.2~dfsg-1 (stretch) is not reported against:

    nodejs 0.10.29~dfsg-2 2020-02-20 ...

which is wrong, because nodejs isn't supported and should be reported.
The check is done with 'dpkg --compare-versions' and has been there
since the initial commit:
https://salsa.debian.org/debian/debian-security-support/-/blob/master/check-support-status.in#L262
Reversing the test triggers 29 test failures, explicitly excluding
debconf-i18n/1.5.36.1 from the report against:

    debconf 1.5.36.0 2014-05-02
Thinking about it, I don't really understand the rationale behind
version-based filtering.
- If the installed version is higher, it can be a local version, or a
backport, or in the nodejs case a lack of support across multiple Debian
releases, so that's still unsupported and probably needs to be displayed.
- If it's lower, then in what case would we document that a future
version will be unsupported? Most probably the user's system is
partially upgraded, and the package is likely unsupported already.
What is the concrete use case for excluding packages based on version?
Do we need to fix the code or security-support-ended.deb9?
Cheers!
Sylvain
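To make the filtering behaviour in the report concrete, the following is an added Python example (not the project's check-support-status code) that re-implements the Debian version ordering dpkg uses for `dpkg --compare-versions` and applies the rule the report describes: a package is skipped when the installed version is higher than the "last version with support" field. The `should_report` rule is an assumption about the script's logic, the `dpkg_compare_versions` helper is a stand-in for the real command, and the rows (nodejs, debconf-i18n, plus a constructed `hypothetical-pkg`) are sample data built from the report.

```python
"""Model of the version filter described in the bug report (added example).

Re-implements dpkg's version ordering (epoch, upstream, revision, with
'~' sorting before everything) so the filter can be run offline.
"""


def _order(c: str) -> int:
    """Weight of one character in dpkg's non-digit comparison."""
    if c.isdigit():
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts even before end-of-string
    if c == "":
        return 0           # end of string
    return ord(c) + 256    # '.', '+', '-' etc. sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two fragments like dpkg's verrevcmp(): alternate runs of
    non-digits (weighted by _order) and runs of digits (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run, compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: ignore leading zeros, then compare digit by digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits, so it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1: the sign of dpkg's comparison of version a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


_OPS = {"lt": lambda r: r < 0, "le": lambda r: r <= 0, "eq": lambda r: r == 0,
        "ne": lambda r: r != 0, "ge": lambda r: r >= 0, "gt": lambda r: r > 0}


def dpkg_compare_versions(a: str, op: str, b: str) -> bool:
    """Stand-in for `dpkg --compare-versions A OP B` (two-letter operators)."""
    return _OPS[op](compare_versions(a, b))


def should_report(installed: str, last_supported: str) -> bool:
    """Filter as described in the report (assumed, not copied from the script):
    drop the package when the installed version is above the cutoff."""
    return not dpkg_compare_versions(installed, "gt", last_supported)


# Constructed rows: (package, installed version, 'last version with support').
ROWS = [
    ("nodejs", "4.8.2~dfsg-1", "0.10.29~dfsg-2"),
    ("debconf-i18n", "1.5.36.1", "1.5.36.0"),
    ("hypothetical-pkg", "1.0-2", "1.0-3"),   # constructed: below the cutoff
]


def reported_packages(rows=ROWS):
    """Names that survive the filter; the two real cases from the report do not."""
    return [pkg for pkg, installed, last in rows if should_report(installed, last)]


if __name__ == "__main__":
    for pkg, installed, last in ROWS:
        verdict = "reported" if should_report(installed, last) else "silently skipped"
        print(f"{pkg:16} installed {installed:14} cutoff {last:14} -> {verdict}")
```

Running it shows nodejs and debconf-i18n both dropped because their installed versions sort above the cutoff, while only the constructed lower-versioned row is reported. On a system with dpkg, each `dpkg_compare_versions(a, op, b)` result can be cross-checked against the real `dpkg --compare-versions a op b` exit status.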