Package: debsecan
Version: 0.4.10
Severity: wishlist
Tags: patch

Hi !

Suppose that xxxx 3.0.1-5 fixes a vulnerability. Therefore, 3.0.1-4 is
vulnerable. Assume that I backport 3.0.1-5 to etch. I will name this
version 3.0.1-5~bpo.1. Because of "~", this version will be considered
inferior to 3.0.1-5 and will be marked as vulnerable.

I think that this "inferiority" should be changed to equality in terms
of security. I suppose that __cmp__() in the Version class could return 0
when all the following conditions are met:
 - the upstream versions are equal
 - the Debian versions of the package without the r'~.*$' pattern are equal
Otherwise, we just return the VersionCompare() result.

I attach a proposed (ugly) patch. If you think this behaviour is too
dangerous, you could add a flag '--enable-backports-support'.

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24.2-zoro.18
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages debsecan depends on:
ii  debconf [debconf-2.0]         1.5.19     Debian configuration management sy
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-apt                    0.7.5      Python interface to libapt-pkg

Versions of packages debsecan recommends:
ii  cron                          3.0pl1-103 management of regular background p
ii  postfix [mail-transport-agent 2.5.1-1    High-performance mail transport ag

-- debconf information:
  debsecan/source:
  debsecan/mailto: root
* debsecan/suite: sid
* debsecan/report: true
--- debsecan~	2007-09-02 17:57:39.000000000 +0200
+++ debsecan	2008-03-08 23:34:21.000000000 +0100
@@ -85,6 +85,15 @@
         return 'Version(%s)' % `self.__asString`
 
     def __cmp__(self, other):
+        (d1, d2) = (self.__asString.split("-",1), other.__asString.split("-",1))
+        if len(d1) == 1 and len(d2) == 1:
+            # This is a native package
+            if d1[0].split("~",1)[0] == d2[0].split("~",1)[0]:
+                return 0
+        if len(d1) == len(d2) and d1[0] == d2[0]:
+            # Not a native package and same upstream version
+            if d1[1].split("~",1)[0] == d2[1].split("~",1)[0]:
+                return 0
         return apt_pkg.VersionCompare(self.__asString, other.__asString)
 
 class PackageFile:
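Review bot: the "~" stripping equates any "~" suffix with the base version, not only backports. In the native-package branch `d1[0].split("~",1)[0]` makes `1.0~rc1` compare equal to `1.0`, and in the revision branch `d1[1].split("~",1)[0]` makes `3.0.1-5~rc1` equal to `3.0.1-5`, so a pre-release that predates the fix is reported as fixed. Restrict the rule to the backport convention (strip only a suffix matching `~bpo.*$`, and only from the Debian revision, never from the upstream version) and, as the report itself suggests, gate it behind an option. Two smaller points: `split("-",1)` splits at the first hyphen, but the Debian revision is everything after the last hyphen and upstream versions may contain "-", so use `rsplit("-",1)`; and returning 0 for strings that `apt_pkg.VersionCompare` orders strictly makes `__cmp__` inconsistent with apt's ordering, which matters if Version objects are ever sorted or compared for equality rather than only tested for "older than the fixed version".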

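The rule proposed in the report, as an added example that is not part of debsecan or of the attached patch: a backport-aware "is this installed version older than the fixed one" check. It goes beyond the report in two ways. First, it carries a pure-Python transcription of dpkg's verrevcmp() ordering (epoch, upstream, revision; "~" sorting before everything) so it runs without python-apt, where the report's code relies on apt_pkg.VersionCompare. Second, it only strips a `~bpo...` marker, and only from the Debian revision, so pre-releases such as `1.0~rc1-1` keep comparing as older than `1.0-1`. The `~bpo` prefix is assumed to be the backports naming convention, and all function names here are the example's own.

```python
import re

# Added example, not debsecan's code and not the report's patch.
# _order/_verrevcmp transcribe dpkg's verrevcmp() so the check runs
# offline; apt_pkg.VersionCompare yields the same -1/0/1 ordering.


def _order(ch):
    """dpkg character weight: '~' sorts before everything, even end of string."""
    if ch is None or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) like dpkg does."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # non-digit run: compare character weights one position at a time
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else None)
            bc = _order(b[j] if j < lb else None)
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # digit run: numeric comparison, leading zeros ignored
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        first_diff = 0
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        # the revision is everything after the LAST hyphen; upstream may contain '-'
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same meaning as apt_pkg.VersionCompare(a, b)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# Assumption: backports mark themselves with '~bpo...' in the Debian revision
# (3.0.1-5~bpo.1 in the report, 3.0.1-5~bpo40+1 style on backports.org).
BACKPORT_MARKER = re.compile(r"~bpo.*$")


def strip_backport_marker(version):
    """Return the version a backport was rebuilt from; only the revision is touched."""
    epoch, upstream, revision = split_version(version)
    revision = BACKPORT_MARKER.sub("", revision)
    result = f"{epoch}:{upstream}" if epoch else upstream
    return f"{result}-{revision}" if revision else result


def is_vulnerable(installed, fixed, backports=True):
    """True when `installed` is older than `fixed`. With backports=True a ~bpo
    rebuild of `fixed` counts as fixed; any other '~' suffix (e.g. ~rc1) does not."""
    candidate = strip_backport_marker(installed) if backports else installed
    return compare_versions(candidate, fixed) < 0


if __name__ == "__main__":
    # constructed sample pairs: (installed, fixed)
    for inst, fix in [("3.0.1-5~bpo.1", "3.0.1-5"), ("3.0.1-4~bpo.1", "3.0.1-5"),
                      ("1.0~rc1-1", "1.0-1"), ("3.0.1-5~bpo.1", "3.0.1-5+etch1")]:
        print(f"{inst} vs fix {fix}: vulnerable={is_vulnerable(inst, fix)}")
```

Note the last sample pair: a backport of 3.0.1-5 is still reported vulnerable against a fixed version 3.0.1-5+etch1, because only the `~bpo` marker is removed and `5` orders below `5+etch1`. Passing `backports=False` restores the plain apt ordering the report complains about, which is the shape a `--enable-backports-support` flag would take.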