Re: Upcoming changes in advisory format

2011-01-10 Thread Joerg Jaspert

> The side-effect of that is that you are now listing only the source
> package name, and not anymore the binary package names. But to do the
> upgrade, the administrator of the machine has to select the binary
> packages for upgrade, or, to check if the testing/sid version the
> machine has is new enough, check the installed version of all binary
> packages built from that source package.
> FTR, the template currently in use is not the final version.
> Changes are still under discussion.

For what they asked here:

  dak ls -s $suite -S $source

and replace $suite with the target suite (stable/testing) and $source
with the source name. That is, after install in the archive. But we
could sure make something up within n-s-i or with an extra command
before (or tell you the needed db magic for the security dak db) to come
up with such a list. Gives you a set of

binary package name | version | suite | architectures

for all binaries that source has. For example, the last two DSAs get me

dselect | 1.14.31 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
dpkg-dev | 1.14.31 | stable/updates/main | all
dpkg | 1.14.31 | stable/updates/main | source, alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc

apache2-dbg | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2-mpm-worker | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2.2-common | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2-threaded-dev | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2-suexec | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2 | 2.2.9-10+lenny9 | stable/updates/main | source, all
apache2-prefork-dev | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2-mpm-prefork | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2-utils | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2-suexec-custom | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
apache2-doc | 2.2.9-10+lenny9 | stable/updates/main | all
apache2-src | 2.2.9-10+lenny9 | stable/updates/main | all
apache2-mpm-event | 2.2.9-10+lenny9 | stable/updates/main | alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc

(Might also want to look at -f heidi added to it)

-- 
bye, Joerg
Lisa, honey, if it’ll make you feel better I’ll destroy something Bart loves.


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87hbdh15m7@gkar.ganneff.de



Re: Upcoming changes in advisory format

2011-01-06 Thread Lionel Elie Mamane
On Sat, Dec 18, 2010 at 01:08:07PM +0100, Moritz Muehlenhoff wrote:

> Traditionally Debian security advisories have included MD5 check sums
> of the updated packages.
>
> Since apt cryptographically enforces the integrity of the archive
> for quite some time now, we've decided to finally drop the hash
> values from our advisory mails.

The side-effect of that is that you are now listing only the source
package name, and not anymore the binary package names. But to do the
upgrade, the administrator of the machine has to select the binary
packages for upgrade, or, to check if the testing/sid version the
machine has is new enough, check the installed version of all binary
packages built from that source package.

So I suggest you list the affected binary packages. Yes, that
information is available from
e.g. http://packages.debian.org/src:PACKAGE, but the admin might not
know that, etc.

-- 
Lionel


Archive: http://lists.debian.org/20110106085356.ga30...@capsaicin.mamane.lu



Re: Upcoming changes in advisory format

2011-01-06 Thread Dominic Hargreaves
On Thu, Jan 06, 2011 at 09:53:56AM +0100, Lionel Elie Mamane wrote:

> The side-effect of that is that you are now listing only the source
> package name, and not anymore the binary package names. But to do the
> upgrade, the administrator of the machine has to select the binary
> packages for upgrade, or, to check if the testing/sid version the
> machine has is new enough, check the installed version of all binary
> packages built from that source package.

I've often wished for an apt invocation which would select for upgrade
all packages derived from a named source package, for selective security
updates, but I've never really pursued it.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
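
The check Lionel describes (which installed binaries come from a given source package, and are they new enough) and the "upgrade everything built from source X" invocation Dominic wishes for, as an added example written for this thread and not code from either poster. It works from the output of `dpkg-query -W -f='${Package}\t${Source}\t${Version}\n'`; the sample below is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): map a source package name to the
# installed binary packages built from it, then build the apt-get line that
# upgrades exactly those. Input format is what
#   dpkg-query -W -f='${Package}\t${Source}\t${Version}\n'
# prints: the Source column is empty when it equals the package name and may
# carry a "(version)" suffix when the binary version differs from the source.

# Constructed sample of that output; on a real host run the command above.
SAMPLE_DPKG=$(
    printf 'apache2-mpm-prefork\tapache2\t2.2.9-10+lenny8\n'
    printf 'apache2.2-common\tapache2\t2.2.9-10+lenny8\n'
    printf 'apache2-utils\tapache2\t2.2.9-10+lenny8\n'
    printf 'dpkg\t\t1.14.31\n'
    printf 'dpkg-dev\tdpkg\t1.14.31\n'
    printf 'libapr1\tapr (1.2.12-5+lenny3)\t1.2.12-5+lenny3\n'
    printf 'bash\t\t3.2-4\n'
)

# binaries_from_source SOURCE -> one "binary installed-version" line per match
binaries_from_source() {
    printf '%s\n' "$SAMPLE_DPKG" | awk -F'\t' -v src="$1" '
    {
        s = $2
        sub(/ \(.*\)$/, "", s)   # drop the "(version)" suffix
        if (s == "") s = $1      # empty Source: binary and source share a name
        if (s == src) print $1, $3
    }'
}

# upgrade_command SOURCE -> apt-get invocation covering every matched binary;
# "install" on already-installed packages upgrades them to the candidate.
upgrade_command() {
    pkgs=$(binaries_from_source "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }')
    if [ -n "$pkgs" ]; then
        printf 'apt-get install %s\n' "$pkgs"
    fi
}

# needs_upgrade INSTALLED FIXED -> "upgrade" when INSTALLED is older than the
# version the advisory names, using dpkg's own ordering (dpkg must be on PATH).
needs_upgrade() {
    command -v dpkg >/dev/null 2>&1 || { echo unknown; return 2; }
    if dpkg --compare-versions "$1" lt "$2"; then echo upgrade; else echo ok; fi
}

binaries_from_source apache2
upgrade_command apache2
```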


Archive: http://lists.debian.org/20110106103713.gu4...@urchin.earth.li



Re: Upcoming changes in advisory format

2011-01-06 Thread Raphael Geissert
Lionel Elie Mamane wrote:

> On Sat, Dec 18, 2010 at 01:08:07PM +0100, Moritz Muehlenhoff wrote:
>
> Traditionally Debian security advisories have included MD5 check sums
> of the updated packages.
>
> Since apt cryptographically enforces the integrity of the archive
> for quite some time now, we've decided to finally drop the hash
> values from our advisory mails.
>
> The side-effect of that is that you are now listing only the source
> package name, and not anymore the binary package names. But to do the
> upgrade, the administrator of the machine has to select the binary
> packages for upgrade, or, to check if the testing/sid version the
> machine has is new enough, check the installed version of all binary
> packages built from that source package.

FTR, the template currently in use is not the final version.
Changes are still under discussion.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



Archive: http://lists.debian.org/ig53u3$np...@dough.gmane.org



Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-19 Thread Martin Zobel-Helas
Hi, 

On Sat Dec 18, 2010 at 16:47:47 -0800, Vagrant Cascadian wrote:
> On Sat, Dec 18, 2010 at 01:08:07PM +0100, Moritz Muehlenhoff wrote:
> > Traditionally Debian security advisories have included MD5 check sums
> > of the updated packages. This was introduced at a time when apt didn't
> > exist yet and BIND was at version 4.
> >
> > Since apt cryptographically enforces the integrity of the archive for
> > quite some time now, we've decided to finally drop the hash values
> > from our advisory mails.
>
> thanks for all your work on the security team!  i'm glad to hear this!
>
> > We'll also change some details of the advisory format in the upcoming
> > months.
>
> i'm curious about some of the possible changes in the format. namely:
>
> will new advisories be in a machine parseable format?
>
> will it include a list of affected binary packages (in addition to source
> packages)?

ACK. +1

YAML?


-- 
 Martin Zobel-Helas zo...@debian.org  | Debian System Administrator
 Debian  GNU/Linux Developer   |   Debian Listmaster
 Public key http://zobel.ftbfs.de/5d64f870.asc   -   KeyID: 5D64 F870
 GPG Fingerprint:  5DB3 1301 375A A50F 07E7  302F 493E FB8E 5D64 F870


Archive: http://lists.debian.org/20101219102457.gn1...@ftbfs.de



Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-19 Thread Michael Gilbert
On Sat, 18 Dec 2010 16:47:47 -0800 Vagrant Cascadian wrote:
> will it include a list of affected binary packages (in addition to source
> packages)?

Just as a point of reference, you can use the debsecan package (or
the security-tracker site [0]) right now to determine whether various
package versions are affected or not.

A feature that I would like to see is a clear machine-parsable
delineation between CVEs that affect stable vs oldstable vs testing vs
unstable. Right now, manual text has to be written to convey this info,
making it impossible to automatically parse the advisory for this.

Best wishes,
Mike

[0] http://security-tracker.debian.org


Archive: http://lists.debian.org/20101219124237.f23b4698.michael.s.gilb...@gmail.com



Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-19 Thread Jonathan Corbet
On Sun, 19 Dec 2010 12:18:04 +0100
Moritz Muehlenhoff j...@inutil.org wrote:

> On 2010-12-19, Vagrant Cascadian vagr...@freegeek.org wrote:
>
> > will new advisories be in a machine parseable format?
> [...]
>
> We're open for input here. Everyone is invited to send a list of needed
> features to t...@security.debian.org.

FWIW, Debian's advisories are reasonably machine-parseable now - quite a
bit better than certain other distributions.  I hope mainly that things
won't get worse.  What would be nice is if the new format could be
publicly posted a few days before you actually start using it.  That would
give us time to fix our scripts and point out anything that makes life
harder.

Thanks,

jon

Jonathan Corbet / LWN.net / cor...@lwn.net


Archive: http://lists.debian.org/20101219154648.1a7bf...@bike.lwn.net



Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-18 Thread Vagrant Cascadian
On Sat, Dec 18, 2010 at 01:08:07PM +0100, Moritz Muehlenhoff wrote:
> Traditionally Debian security advisories have included MD5 check sums
> of the updated packages. This was introduced at a time when apt didn't
> exist yet and BIND was at version 4.
>
> Since apt cryptographically enforces the integrity of the archive for
> quite some time now, we've decided to finally drop the hash values
> from our advisory mails.

thanks for all your work on the security team!  i'm glad to hear this! 

> We'll also change some details of the advisory format in the upcoming
> months.

i'm curious about some of the possible changes in the format. namely:

will new advisories be in a machine parseable format?

will it include a list of affected binary packages (in addition to source
packages)? 

what other information will it include?

some of this could make it much easier to script checks for security available
or completed updates on medium to large networks.

thanks again.

live well,
  vagrant


Archive: http://lists.debian.org/20101219004747.gp17...@talon.fglan