Control: tag -1 +patch

On 2017-04-13 13:14:37, Paul Wise wrote:
> On Sat, 28 Nov 2015 10:47:54 +0800 Paul Wise wrote:
>
>> There were a couple of bugs, now I am using this:
>
> I've now integrated it into apt, fixed dbgsym and
> moved it out of /etc into /var.

I've reviewed pabs' script and improved it a bit. Here's a "commitlog"
of changes:

 * silence a shellcheck warning
 * linting: fix indentation and add description
 * simplify main loop
 * add explanatory header for generated file
 * add warning at beginning of debsecan script to explain delay

Commitlog also available here, somewhat:

https://gitlab.com/anarcat/puppet/-/commits/b6bc3e3dc982abcc4100143abb6594404b1241ac

The code is attached and also available here:

https://gitlab.com/anarcat/puppet/-/raw/b6bc3e3dc982abcc4100143abb6594404b1241ac/site-modules/profile/files/debsecan-apt-priority

I also wrote this Puppet manifest (also attached) to deploy it on
machines running testing:

https://gitlab.com/anarcat/puppet/-/raw/a7a7b75e0f3a0d2795449e7159ec6c3d023ad508/site-modules/profile/manifests/debsecan.pp

I understand that it would be better if this was merged inside debsecan
itself (and therefore rewritten in Python), but I think just having this
at all would be great. Maybe just shipping the script in the Debian
package would be a start?

Let us not make perfect the enemy of good here, this has been sitting
in the BTS for 8 years now, can we at least get this to land in bookworm
and see where we go from here? :)

a.

-- 
If God exists, man is a slave;
but man can and must be free, therefore God does not exist.
And if God existed, we would have to get rid of him!
                        - Michel Bakounine

#!/bin/sh

# this program will add APT pinning for packages that are fixed in
# unstable and not testing
#
# see https://bugs.debian.org/725934

set -e

echo "running debsecan check for issues fixed in unstable..." >&2

# build the new pin file under a temporary name so that apt never reads
# a half-written file; it is renamed into place at the end
rm -f /var/lib/debsecan/apt_preferences.disabled
cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
# pin packages with security issues fixed in unstable
# generated automatically on $(date) by $0

EOF

# debsecan prints one "CVE-ID package (status, ...)" line per issue; keep
# only the entries whose status starts with "fixed" and take the package
# name (second whitespace-separated field)
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d\  -f2 | sort -u) ; do
    suite=unstable
    case "$pkg" in
        *-dbgsym)
            # debug symbol packages come from the separate debug archive
            suite=unstable-debug
            ;;
    esac
    cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=$suite
Pin-Priority: 900

EOF
done
chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences

# setup debsecan on machines
#
# this is mostly to follow security upgrades from unstable in testing
class profile::debsecan {
  package { 'debsecan':
    ensure => present,
  }
  file_line { 'disable_debsecan_mails':
    path  => '/etc/default/debsecan',
    line  => 'REPORT=false',
    match => '^REPORT=.*',
  }
  file { '/usr/sbin/debsecan-apt-priority':
    source => 'puppet:///modules/profile/debsecan-apt-priority',
    mode   => '0555',
  }
  file { '/etc/apt/apt.conf.d/99debsecan':
    content => @(EOF),
    APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };
    EOF
  }
}
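As an added example, not part of anarcat's attachments nor of debsecan itself, here is the same logic as the attached shell script written in Python, the direction the message suggests for merging it into debsecan. It parses constructed debsecan-style output (the sample lines below are made up, not real advisories), keeps only entries marked fixed, validates each package name against Debian's package naming rules before it is written into apt configuration, routes -dbgsym packages to unstable-debug, and writes the pin file through a temporary file plus rename so apt never reads a partial file. All function names (fixed_packages, suite_for, render_preferences, write_preferences) are this example's own.

```python
import os
import re
import tempfile

# debsecan prints one line per open issue: "CVE-ID package (status, ...)".
# Only entries whose status starts with "fixed" have a fix in unstable,
# which is exactly what the shell script greps for.
FIXED_RE = re.compile(r'^(?P<cve>\S+)\s+(?P<pkg>\S+)\s+\(fixed(?:\)|, )')

# Debian policy: package names are lowercase letters, digits, "+", "-"
# and ".", at least two characters, starting with a letter or digit.
PKG_NAME_RE = re.compile(r'^[a-z0-9][a-z0-9+.-]+$')

# Constructed sample of debsecan output for this example (not real data).
SAMPLE_OUTPUT = """\
CVE-2017-0001 foo (fixed, remotely exploitable, high urgency)
CVE-2017-0002 foo (fixed)
CVE-2017-0003 bar-dbgsym (fixed, low urgency)
CVE-2017-0004 baz (remotely exploitable, high urgency)
CVE-2017-0005 qux (obsolete)
"""


def fixed_packages(debsecan_text):
    """Return the sorted list of package names that have a fix in unstable."""
    pkgs = set()
    for line in debsecan_text.splitlines():
        m = FIXED_RE.match(line)
        if not m:
            continue
        pkg = m.group('pkg')
        # The result ends up in apt configuration, so refuse anything that
        # is not a well-formed package name instead of passing it through.
        if not PKG_NAME_RE.match(pkg):
            raise ValueError('unexpected package name in debsecan output: %r' % pkg)
        pkgs.add(pkg)
    return sorted(pkgs)


def suite_for(pkg):
    """Debug symbol packages are served from the separate debug archive."""
    return 'unstable-debug' if pkg.endswith('-dbgsym') else 'unstable'


def render_preferences(pkgs, generated_by='debsecan-apt-priority'):
    """Render apt_preferences stanzas, one per package, pinned at 900."""
    out = ['# pin packages with security issues fixed in unstable\n'
           '# generated automatically by %s\n\n' % generated_by]
    for pkg in pkgs:
        out.append('Package: %s\nPin: release a=%s\nPin-Priority: 900\n\n'
                   % (pkg, suite_for(pkg)))
    return ''.join(out)


def write_preferences(text, path):
    """Write the pin file atomically: apt must never read a half-written one."""
    directory = os.path.dirname(path) or '.'
    fd, tmp = tempfile.mkstemp(prefix='.apt_preferences.', dir=directory)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)   # atomic rename over the previous file
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == '__main__':
    # Stand-alone demo on the constructed sample; a real run would feed
    # the output of `debsecan` and write to /var/lib/debsecan/apt_preferences.
    print(render_preferences(fixed_packages(SAMPLE_OUTPUT)), end='')
```

Compared with the shell version, the name check is the one deliberate addition: the generated file is trusted apt configuration, so a malformed line in the tool's output should abort the run rather than be copied into it.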
