Package: debsecan
Version: 0.4.10
Severity: wishlist
Tags: patch

Hi!

Suppose that xxxx 3.0.1-5 fixes a vulnerability. Therefore, 3.0.1-4 is vulnerable. Assume that I backport 3.0.1-5 to etch. I will name this version 3.0.1-5~bpo.1. Because of "~", this version will be considered inferior to 3.0.1-5 and will be marked as vulnerable.

I think that this "inferiority" should be changed to equality in terms of security. I suppose that __cmp__() in the Version class could return 0 when all the following conditions are met:

- upstream versions are equal
- debian versions of the package without the r'~.*$' pattern are equal

Otherwise, we just use the VersionCompare() result. I attach a proposed (ugly) patch.

If you think this behaviour is too dangerous, you could add a flag '--enable-backports-support'.

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24.2-zoro.18
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages debsecan depends on:
ii  debconf [debconf-2.0]         1.5.19     Debian configuration management sy
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-apt                    0.7.5      Python interface to libapt-pkg

Versions of packages debsecan recommends:
ii  cron                          3.0pl1-103 management of regular background p
ii  postfix [mail-transport-agent 2.5.1-1    High-performance mail transport ag

-- debconf information:
  debsecan/source:
  debsecan/mailto: root
* debsecan/suite: sid
* debsecan/report: true
--- debsecan~ 2007-09-02 17:57:39.000000000 +0200 +++ debsecan 2008-03-08 23:34:21.000000000 +0100 @@ -85,6 +85,15 @@ return 'Version(%s)' % `self.__asString` def __cmp__(self, other): + (d1, d2) = (self.__asString.split("-",1), other.__asString.split("-",1)) + if len(d1) == 1 and len(d2) == 1: + # This is a native package + if d1[0].split("~",1)[0] == d2[0].split("~",1)[0]: + return 0 + if len(d1) == len(d2) and d1[0] == d2[0]: + # Not a native package and same upstream version + if d1[1].split("~",1)[0] == d2[1].split("~",1)[0]: + return 0 return apt_pkg.VersionCompare(self.__asString, other.__asString) class PackageFile:
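Review bot: the new block in __cmp__ strips everything from the first '~' (split("~",1)[0]) on both sides, so it equates every tilde suffix with the fixed version, not only the ~bpo backport suffix the report is about: a pre-release such as 3.0.1-5~rc1, which predates the fix, would also return 0 against 3.0.1-5 and stop being reported. Suggest restricting the shortcut to a backports marker in the suffix (for example, only when the part after '~' starts with "bpo"), or gating the whole block behind the '--enable-backports-support' flag proposed in the report so the default remains the plain apt_pkg.VersionCompare() result. The len(d1) == len(d2) guard is fine as written: a native and a non-native version fall through to VersionCompare.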
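The comparison rule proposed in the report, as an added example that is not part of the report or of debsecan. Because the real apt_pkg module is assumed unavailable, dpkg_compare() is a small pure-Python stand-in implementing the dpkg ordering rules; security_compare() applies the reporter's tilde-stripping rule, with the suggested flag modelled as a backports parameter. All function names are this example's own.

```python
import re

def _order(c):
    # dpkg character order: '~' sorts before everything, even end of string (0);
    # letters sort before other non-digits.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # One component (upstream or revision), dpkg style: alternate runs of
    # non-digits (compared by _order) and runs of digits (compared numerically).
    while a or b:
        ma, mb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip(ma, mb):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if len(ma) != len(mb):  # longer run meets end of string; only '~' sorts below it
            longer, sign = (ma, 1) if len(ma) > len(mb) else (mb, -1)
            return sign * (-1 if longer[min(len(ma), len(mb))] == "~" else 1)
        a, b = a[len(ma):], b[len(mb):]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(v):
    # "epoch:upstream-revision"; epoch defaults to 0, a native package has no revision.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def dpkg_compare(v1, v2):
    # Stand-in for apt_pkg.VersionCompare: returns <0, 0 or >0.
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def security_compare(v1, v2, backports=True):
    # The report's rule: same epoch and upstream, and the Debian revision (the upstream
    # version for a native package) equal once everything from the first '~' is dropped.
    if backports:
        (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
        key = lambda u, r: (u, r.split("~", 1)[0]) if r else (u.split("~", 1)[0], "")
        if e1 == e2 and (r1 == "") == (r2 == "") and key(u1, r1) == key(u2, r2):
            return 0
    return dpkg_compare(v1, v2)
```

With backports=True, 3.0.1-5~rc1 also compares equal to 3.0.1-5, because the rule drops every tilde suffix and not only ~bpo; that is the case to keep in mind before enabling it by default.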