Control: tag -1 +patch

On 2017-04-13 13:14:37, Paul Wise wrote:
> On Sat, 28 Nov 2015 10:47:54 +0800 Paul Wise wrote:
>
>> There were a couple of bugs, now I am using this:
>
> I've now integrated it into apt, fixed dbgsym and
> moved it out of /etc into /var.
I've reviewed pabs' script and improved it a bit. Here's a "commitlog" of changes:

 * silence a shellcheck warning
 * linting: fix indentation and add description
 * simplify main loop
 * add explanatory header for generated file
 * add warning at beginning of debsecan script to explain delay

Commitlog also available here, somewhat:

https://gitlab.com/anarcat/puppet/-/commits/b6bc3e3dc982abcc4100143abb6594404b1241ac

The code is attached and also available here:

https://gitlab.com/anarcat/puppet/-/raw/b6bc3e3dc982abcc4100143abb6594404b1241ac/site-modules/profile/files/debsecan-apt-priority

I also wrote this Puppet manifest (also attached) to deploy it on machines running testing:

https://gitlab.com/anarcat/puppet/-/raw/a7a7b75e0f3a0d2795449e7159ec6c3d023ad508/site-modules/profile/manifests/debsecan.pp

I understand that it would be better if this was merged inside debsecan itself (and therefore rewritten in Python), but I think just having this at all would be great. Maybe just shipping the script in the Debian package would be a start?

Let us not make perfect the enemy of good here, this has been sitting in the BTS for 8 years now, can we at least get this to land in bookworm and see where we go from here? :)

a.

-- 
If God is, man is a slave; but man can, and must, be free, therefore God does not exist. And if God existed, it would be necessary to get rid of him!
                        - Michel Bakounine
#!/bin/sh
# this program will add APT pinning for packages that are fixed in
# unstable and not testing
#
# see https://bugs.debian.org/725934

set -e

# debsecan can take a while; say so, on stderr, so the apt hook does not look hung
echo "running debsecan check for issues fixed in unstable..." >&2

# build the new preferences file under a temporary name, then swap it in
# atomically at the end so apt never reads a half-written file
rm -f /var/lib/debsecan/apt_preferences.disabled
cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
# pin packages with security issues fixed in unstable
# generated automatically on $(date) by $0
EOF

# debsecan prints one line per issue, "CVE-... package (fixed, ...)";
# keep only issues already fixed (in unstable), take the package name
# (second whitespace-separated field) and deduplicate
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d' ' -f2 | sort -u) ; do
    suite=unstable
    case "$pkg" in
        # debug symbol packages live in the separate *-debug suite
        *-dbgsym) suite=unstable-debug ;;
    esac
    # one apt_preferences stanza per package; stanzas must be separated
    # by a blank line or apt will not parse the file
    cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=$suite
Pin-Priority: 900

EOF
done

chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences
# setup debsecan on machines
#
# this is mostly to follow security upgrades from unstable in testing
class profile::debsecan {
  package { 'debsecan':
    ensure => present,
  }

  # we only want the pinning side effect, not the daily report mails
  file_line { 'disable_debsecan_mails':
    path  => '/etc/default/debsecan',
    line  => 'REPORT=false',
    match => '^REPORT=.*',
  }

  file { '/usr/sbin/debsecan-apt-priority':
    source => 'puppet:///modules/profile/debsecan-apt-priority',
    mode   => '0555',
  }

  # regenerate the pins before every "apt update"
  file { '/etc/apt/apt.conf.d/99debsecan':
    content => @(EOF),
      APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };
      | EOF
  }
}