Hi Security Team,

I'm proposing a couple changes in debian-security-support and I'd welcome your review :)

1) Match ecosystems
https://bugs.debian.org/986333
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/10

Sometimes, entire ecosystems are affected by Debian support decisions.

These source package sets come to mind:
- node-*
  https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8
  https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8
- golang-*
  https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking

Currently 'check-support-status' fails to detect individual packages
affected by these decisions; it only notifies about explicitly
referenced packages such as 'nodejs'.

To address this, I'm proposing regex matching, resulting in:
node-.*         0               2020-02-20  ...
golang.*        See https://...


2) Dependent change: fix missing version-based package reports
https://bugs.debian.org/986581
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/9

While experimenting with 1), it appeared that check-security-support does not actually report these:
nasm-mozilla             0                       2019-01-01
nodejs-mozilla           0                       2019-01-01
nodejs                   0.10.29~dfsg-2          2020-02-20

The first two have no supported version, the second one is the last supported version in jessie, but the same version is used for e.g. stretch (while stretch has a higher version 4.8.2~dfsg-1).

The current code considers higher versions as supported, but as discussed in the BTS there doesn't seem to be a valid use case for this, so I just dropped the version-based check (and adapted the test suite).


If you agree with these changes I can merge them, and backport them to the various suites.

What do you think?

Cheers!
Sylvain
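
Added example, not part of the original message and not the debian-security-support code: a sketch of the two proposed behaviours, regex entries that cover a whole ecosystem and reporting a listed package whatever its installed version. The sample list, the installed set, the function names and the choice to anchor each pattern to the whole source package name are assumptions.

```python
import re

# Constructed sample in the layout quoted in the message:
#   <source package name or regex>  <rest of line: version, date or note>
SAMPLE_LIST = """\
# constructed sample, not the real list
node-.*        0               2020-02-20
golang.*       constructed note (limited support)
nodejs         0.10.29~dfsg-2  2020-02-20
nasm-mozilla   0               2019-01-01
"""

# Constructed installed source packages: name -> installed version
SAMPLE_INSTALLED = {
    "node-lodash": "4.17.21", "nodejs": "4.8.2~dfsg-1",
    "golang-go.crypto": "0.0~git1", "bash": "5.1",
    "nodejs-extras": "1.0", "libnode-foo": "1.0",  # hypothetical names
}


def parse_list(text):
    """Return [(pattern, detail)], skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def matches(pattern, source):
    # Literal equality first: package names may contain '+' and '.',
    # which are regex metacharacters (assumed safeguard).
    if pattern == source:
        return True
    try:
        # fullmatch anchors both ends, so 'nodejs' does not cover
        # 'nodejs-extras' and 'node-.*' does not cover 'libnode-foo'.
        return re.fullmatch(pattern, source) is not None
    except re.error:
        return False  # a literal name that is not a valid regex


def affected(installed, entries):
    """Map each affected installed package to the first entry covering it.
    The installed version is not compared: a listed package is reported
    even when its version is higher than the one in the list."""
    report = {}
    for source in sorted(installed):
        hit = next((e for e in entries if matches(e[0], source)), None)
        if hit:
            report[source] = hit
    return report
```

With the constructed data, `affected(SAMPLE_INSTALLED, parse_list(SAMPLE_LIST))` reports `golang-go.crypto`, `node-lodash` and `nodejs` (at 4.8.2~dfsg-1), and nothing else.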
