Bug#725934: debsecan: automatically add apt pinning for packages with security issues
Control: tag -1 +patch

On 2017-04-13 13:14:37, Paul Wise wrote:
> On Sat, 28 Nov 2015 10:47:54 +0800 Paul Wise wrote:
>
>> There were a couple of bugs, now I am using this:
>
> I've now integrated it into apt, fixed dbgsym and
> moved it out of /etc into /var.

I've reviewed pabs' script and improved it a bit. Here's a "commitlog" of changes:

 * silence a shellcheck warning
 * linting: fix indentation and add description
 * simplify main loop
 * add explanatory header for generated file
 * add warning at beginning of debsecan script to explain delay

Commitlog also available here, somewhat:

https://gitlab.com/anarcat/puppet/-/commits/b6bc3e3dc982abcc4100143abb6594404b1241ac

The code is attached and also available here:

https://gitlab.com/anarcat/puppet/-/raw/b6bc3e3dc982abcc4100143abb6594404b1241ac/site-modules/profile/files/debsecan-apt-priority

I also wrote this Puppet manifest (also attached) to deploy it on machines running testing:

https://gitlab.com/anarcat/puppet/-/raw/a7a7b75e0f3a0d2795449e7159ec6c3d023ad508/site-modules/profile/manifests/debsecan.pp

I understand that it would be better if this was merged inside debsecan itself (and therefore rewritten in Python), but I think just having this at all would be great. Maybe just shipping the script in the Debian package would be a start?

Let us not make perfect the enemy of good here, this has been sitting in the BTS for 8 years now, can we at least get this to land in bookworm and see where we go from here? :)

a.

-- 
If God is, man is a slave; yet man can, and must, be free, therefore God does not exist. And if God existed, he would have to be done away with!
                        - Michel Bakounine

#!/bin/sh

# this program will add APT pinning for packages that are fixed in
# unstable and not testing
#
# see https://bugs.debian.org/725934

set -e

echo "running debsecan check for issues fixed in unstable..." >&2

rm -f /var/lib/debsecan/apt_preferences.disabled
cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
# generated by /usr/sbin/debsecan-apt-priority, see https://bugs.debian.org/725934
EOF
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d' ' -f2 | sort -u) ; do
    case "$pkg" in
        *-dbgsym) suite=unstable-debug ;;
        *) suite=unstable ;;
    esac
    cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=$suite
Pin-Priority: 900

EOF
done
chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences

# setup debsecan on machines
#
# this is mostly to follow security upgrades from unstable in testing
class profile::debsecan {
  package { 'debsecan':
    ensure => present,
  }
  file_line { 'disable_debsecan_mails':
    path  => '/etc/default/debsecan',
    line  => 'REPORT=false',
    match => '^REPORT=.*',
  }
  file { '/usr/sbin/debsecan-apt-priority':
    source => 'puppet:///modules/profile/debsecan-apt-priority',
    mode   => '0555',
  }
  file { '/etc/apt/apt.conf.d/99debsecan':
    content => @(EOF),
APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };
EOF
  }
}
Bug#725934: debsecan: automatically add apt pinning for packages with security issues
On Sat, 28 Nov 2015 10:47:54 +0800 Paul Wise wrote:

> There were a couple of bugs, now I am using this:

I've now integrated it into apt, fixed dbgsym and moved it out of /etc into /var.

/etc/apt/apt.conf.d/99debsecan:

APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };

/usr/sbin/debsecan-apt-priority:

#!/bin/sh
set -e
# https://bugs.debian.org/725934
rm -f /var/lib/debsecan/apt_preferences.disabled
> /var/lib/debsecan/apt_preferences.disabled
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d' ' -f2 | sort -u) ; do
    case "$pkg" in
        *-dbgsym)
            cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=unstable-debug
Pin-Priority: 900

EOF
            ;;
        *)
            cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900

EOF
            ;;
    esac
done
chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#725934: debsecan: automatically add apt pinning for packages with security issues
On Sat, 21 Nov 2015 13:02:28 +0800 Paul Wise wrote:

> I've made a simple proof-of-concept for this:

There were a couple of bugs, now I am using this:

#!/bin/sh
# https://bugs.debian.org/725934
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d' ' -f2 | sort -u) ; do
    cat <<EOF >> /etc/apt/preferences.d/debsecan.disabled
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900

EOF
done
chmod 644 /etc/apt/preferences.d/debsecan.disabled
mv --force /etc/apt/preferences.d/debsecan.disabled /etc/apt/preferences.d/debsecan

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#725934: debsecan: automatically add apt pinning for packages with security issues
On Thu, 10 Oct 2013 11:28:10 +0800 Paul Wise wrote:

> It would be nice if debsecan could write out an apt preferences file
> for packages that have a security issue fixed in unstable such that
> when I do apt-get upgrade I will get the security issues fixed before
> the packages migrate to testing.

I've made a simple proof-of-concept for this:

#!/bin/sh
for pkg in $(debsecan | grep fixed | cut -d' ' -f2 | sort -u) ; do
    cat <<EOF > /etc/apt/preferences.d/debsecan
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900
EOF
done

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#725934: debsecan: automatically add apt pinning for packages with security issues
Package: debsecan
Version: 0.4.16+nmu1
Severity: wishlist

I am running a mixed testing/unstable system and I manually upgrade packages to unstable when a CVE has been fixed in unstable but the fix hasn't yet migrated to testing. I am using pinning to keep most packages at the testing version and have apt preferences set to upgrade packages from unstable within unstable.

It would be nice if debsecan could write out an apt preferences file for packages that have a security issue fixed in unstable such that when I do apt-get upgrade I will get the security issues fixed before the packages migrate to testing.

This would require some configuration since different folks will be using different pinning but once it is setup it could be very useful.

pabs@chianamo ~ $ cat /etc/apt/preferences.d/system
Package: *
Pin: release a=testing
Pin-Priority: 800

Package: *
Pin: release a=unstable
Pin-Priority: 700

Package: *
Pin: release a=experimental
Pin-Priority: 600

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
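Every script in this thread does the same three things: filter debsecan's output down to issues marked fixed, pin each affected package to the suite that carries the fix, and swap the generated file into place with a rename so apt never reads a half-written file. The example below is an added one, not code from the bug report, from pabs, from anarcat or from the debsecan package. It factors those steps into two shell functions so they can be exercised against a constructed sample of debsecan output without touching apt, and it parameterises the suite and priority, which the original report notes would need to be configurable for people with different pinning. It assumes debsecan prints one issue per line as `CVE-ID package (status, ...)` with `fixed` first inside the parentheses, which is the format the thread's grep pattern relies on; the sample lines and CVE numbers are made up.

```shell
#!/bin/sh
# Added example (not from the bug thread or the debsecan package).
# Assumed debsecan line format, the same one the thread's grep relies on:
#   CVE-2023-0003 bash (fixed, low urgency)
set -e

# Constructed sample of debsecan output; the CVE ids are made up.
SAMPLE_DEBSECAN_OUTPUT='CVE-2023-0001 openssl (remotely exploitable, high urgency)
CVE-2023-0002 libssl3 (fixed, remotely exploitable, high urgency)
CVE-2023-0003 bash (fixed)
CVE-2023-0004 bash-dbgsym (fixed, low urgency)
CVE-2023-0005 bash (fixed, low urgency)'

# debsecan_to_pins SUITE PRIORITY < debsecan-output
# Emit one apt_preferences stanza per distinct package whose status starts
# with "fixed". -dbgsym packages live in the separate SUITE-debug archive,
# as pabs' 2017 script handles them. Stanzas are separated by a blank line,
# which apt requires between records.
debsecan_to_pins() {
    suite="$1"
    priority="$2"
    grep -E '\(fixed(\)|, )' | awk '{ print $2 }' | LC_ALL=C sort -u |
    while read -r pkg; do
        case "$pkg" in
            *-dbgsym) target="${suite}-debug" ;;
            *)        target="$suite" ;;
        esac
        printf 'Package: %s\nPin: release a=%s\nPin-Priority: %s\n\n' \
            "$pkg" "$target" "$priority"
    done
    return 0
}

# install_pins FILE SUITE PRIORITY < debsecan-output
# Write the stanzas to FILE.tmp and rename, so a concurrent apt run sees
# either the old or the new file, never a partial one (the thread's scripts
# do the same with a ".disabled" name and mv --force).
install_pins() {
    file="$1"
    shift
    tmp="$file.tmp"
    debsecan_to_pins "$@" > "$tmp"
    chmod 644 "$tmp"
    mv -f "$tmp" "$file"
}

# Stand-alone demonstration on the constructed sample; no debsecan needed.
# Real use would be, for the thread's setup:
#   debsecan | install_pins /var/lib/debsecan/apt_preferences unstable 900
printf '%s\n' "$SAMPLE_DEBSECAN_OUTPUT" | debsecan_to_pins unstable 900
```

With pabs' pins of 800 for testing and 700 for unstable, a priority of 900 is high enough that the unstable version wins for exactly the listed packages, and low enough (below 1000) that apt will never downgrade a package that is already newer than what unstable offers.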