Controls: tags -1 confirmed patch

Holger Levsen wrote on Sun, 16 Feb 2020 18:29 +0000:
> On Sun, Feb 16, 2020 at 04:12:46PM +0000, Daniel Shahaf wrote:
> > [...] Thus, in effect, it would let the admin "whitelist"
> > known issues, so only new ones would be printed.
> >
> > Would this make sense?
>
> yes.

Thanks for the quick answer. > & patches welcome. Here you go, against current git: [[[ diff --git a/check-support-status.in b/check-support-status.in index a5437c4..685e5ac 100755 --- a/check-support-status.in +++ b/check-support-status.in @@ -28,6 +28,7 @@ fi LIST= NOHEADING= STATUSDB_FILE= +EXCEPT= TYPE= NAME="$(basename "$0")" @@ -37,7 +38,7 @@ TODAY="$(date +"%Y%m%d")" TEMP=$( \ getopt \ --options h,V \ - --long help,list:,no-heading,semaphore:,status-db:,type:,version,Version \ + --long help,list:,no-heading,semaphore:,status-db:,except:,type:,version,Version \ -n "$NAME" \ -- "$@" ) @@ -52,6 +53,7 @@ Options: --list FILE database of packages under specific support conditions --no-heading skips printing headlines --status-db FILE database about already reported packages + --except PACKAGES exempt given packages (comma-separated list) --type SECURITY_SUPPORT_TYPE earlyend, ended or limited -V, --version display version and exit"; echo } @@ -86,6 +88,10 @@ while true ; do STATUSDB_FILE="$2" shift 2 ;; + --except) + EXCEPT="$2" + shift 2 + ;; --type) TYPE="$2" shift 2 @@ -104,17 +110,17 @@ done case "$TYPE" in '') if [ -z "$LIST" ] ; then - REPORT="$($0 --type ended --list [% ENDED %] --status-db "$STATUSDB_FILE" $NOHEADING)" + REPORT="$($0 --type ended --list [% ENDED %] --status-db "$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)" if [ -n "$REPORT" ] ; then echo "$REPORT" echo fi - REPORT="$($0 --type limited --list [% LIMITED %] --status-db "$STATUSDB_FILE" $NOHEADING)" + REPORT="$($0 --type limited --list [% LIMITED %] --status-db "$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)" if [ -n "$REPORT" ] ; then echo "$REPORT" echo fi - $0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" $NOHEADING + $0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING exit 0 fi gettext 'E: Need a --type if --list is given'; echo 
@@ -240,6 +246,11 @@ cat "$INTERSECTION_LIST" | while read SRC_NAME ; do [% AWK %] '($3=="'"$SRC_NAME"'"){print $1" "$2}' "$INSTALLED_LIST" | \ while read BIN_NAME BIN_VERSION ; do + case ",$EXCEPT," in + *,"$BIN_NAME",*) + continue + ;; + esac # for earlyend and ended, check packages actually affected (if TMP_WHEN not null) if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then if \ diff --git a/man/check-support-status.txt b/man/check-support-status.txt index a16ef9a..066e042 100644 --- a/man/check-support-status.txt +++ b/man/check-support-status.txt @@ -83,6 +83,12 @@ reported only once. + Default: No records, any affected package will be reported every time. +*--except* 'PACKAGES':: + +Do not alert for the given binary packages (comma-separated list). ++ +Default: Alert for all packages (no exceptions). + *--type* 'TYPE':: One of the following: diff --git a/t/check-support-status.t b/t/check-support-status.t index 784d947..dd9c54f 100644 --- a/t/check-support-status.t +++ b/t/check-support-status.t 
@@ -855,6 +855,50 @@ __EOS__ ); } +diag ('exempt packages from listing'); + +foreach my $awk (@AWKs) { + diag ("exempt ($awk)"); + + my $tb = Testbed->new ($dpkg_version); + my ($list_ended, $list_limited, $query_list, $statusdb_file) = $tb->files; + my $exe = $tb->exe ( + $awk, + [ + '--type', 'limited', + '--no-heading', + '--list', $list_limited, + '--status-db', $statusdb_file, + '--except', 'hello,php5', + ], + ); + + write_file ($list_limited, <<__EOS__); +php5 See README.Debian.security for the PHP security policy +__EOS__ + mock_query_list ( + $query_list, + [ + [ 'ioi', 'php5', '5.3.3-7+squeeze19' ], + ], + ); + + # run a first time + my $run = Test::Command->new ('cmd' => $exe); + $run->run; + $run->exit_is_num (0); + + my ($stdout, $stderr) = stdout_n_stderr ($run); + $stderr and diag ("stderr:\n" . $stderr); + my $expect_stdout = ''; + eq_or_diff ( + $stdout, + $expect_stdout, + 'stdout' + ); + + ok (!-f $statusdb_file, 'status db file was not created'); +} done_testing; exit 0; ]]] In a sid chroot it works as follows: [[[ % ./check-support-status Limited security support for one or more packages Unfortunately, it has been necessary to limit security support for some packages. The following packages found on this system are affected by this: * Source:binutils Details: Only suitable for trusted content; see https://lists.debian.org/msgid-search/87lfqsomtg....@mid.deneb.enyo.de Affected binary packages: - binutils (installed version: 2.34-2) - binutils-common:amd64 (installed version: 2.34-2) - binutils-x86-64-linux-gnu (installed version: 2.34-2) - libbinutils:amd64 (installed version: 2.34-2) - libctf-nobfd0:amd64 (installed version: 2.34-2) - libctf0:amd64 (installed version: 2.34-2) % ./check-support-status --except=binutils,binutils-common:amd64,binutils-x86-64-linux-gnu,libbinutils:amd64,libctf0:amd64,libctf-nobfd0:amd64 % ]]] I'm not sure if the handling of the ":amd64" architecture suffixes is ideal. Thoughts? Cheers, Daniel
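
Review bot: In the `@@ -240,6 +246,11 @@` hunk of check-support-status.in, the `case ",$EXCEPT," in *,"$BIN_NAME",*)` test compares against the full `$BIN_NAME`, which the sample run shows can carry an architecture qualifier (`binutils-common:amd64`), so `--except binutils-common` would not suppress that package. Consider also matching the unqualified name, for example with a second pattern on `"${BIN_NAME%%:*}"`, so an exemption written without `:amd64` still applies. The match is also exact, so a list written with spaces after the commas would silently match nothing; either strip whitespace from `$EXCEPT` when parsing the option or reject such input.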
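
Review bot: The `--except` entry added to man/check-support-status.txt (and the matching `--except PACKAGES` usage line) does not say in what form names must be given, although the script matches them literally and the sample run has to spell out `libctf0:amd64` rather than `libctf0`. State that names are compared exactly as printed under "Affected binary packages", including any `:arch` suffix, and that the comma-separated list takes no spaces.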
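
Review bot: The new test in t/check-support-status.t only covers the case where every installed package is exempted (`--except 'hello,php5'` with `php5` as the sole entry in `mock_query_list`), so it would still pass if `--except` suppressed all output regardless of its argument. Add a second, non-exempted package to the mock list and assert that it is still reported, and add a case with an architecture-qualified name to pin down the `:amd64` behaviour. The `# run a first time` comment is left over, since the test has no second run.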