Bug#725934: debsecan: automatically add apt pinning for packages with security issues

2021-04-21 Thread Antoine Beaupré
Control: tag -1 +patch

On 2017-04-13 13:14:37, Paul Wise wrote:
> On Sat, 28 Nov 2015 10:47:54 +0800 Paul Wise wrote:
>
>> There were a couple of bugs, now I am using this:
>
> I've now integrated it into apt, fixed dbgsym and
> moved it out of /etc into /var.

I've reviewed pabs' script and improved it a bit. Here's a "commitlog"
of changes:

 * silence a shellcheck warning
 * linting: fix indentation and add description
 * simplify main loop
 * add explanatory header for generated file
 * add warning at beginning of debsecan script to explain delay

Commitlog also available here, somewhat:

https://gitlab.com/anarcat/puppet/-/commits/b6bc3e3dc982abcc4100143abb6594404b1241ac

The code is attached and also available here:

https://gitlab.com/anarcat/puppet/-/raw/b6bc3e3dc982abcc4100143abb6594404b1241ac/site-modules/profile/files/debsecan-apt-priority

I also wrote this Puppet manifest (also attached) to deploy it on
machines running testing:

https://gitlab.com/anarcat/puppet/-/raw/a7a7b75e0f3a0d2795449e7159ec6c3d023ad508/site-modules/profile/manifests/debsecan.pp

I understand that it would be better if this was merged inside debsecan
itself (and therefore rewritten in Python), but I think just having this
at all would be great. Maybe just shipping the script in the Debian
package would be a start?

Let us not make perfect the enemy of good here, this has been sitting
in the BTS for 8 years now, can we at least get this to land in bookworm
and see where we go from here? :)

a.

-- 
If God is, man is a slave;
but man can, must be free, therefore God does not exist.
And if God existed, he would have to be gotten rid of!
- Michel Bakounine
/usr/sbin/debsecan-apt-priority:
#!/bin/sh

# this program will add APT pinning for packages that are fixed in
# unstable and not testing
#
# see https://bugs.debian.org/725934

set -e

echo "running debsecan check for issues fixed in unstable..." >&2

rm -f /var/lib/debsecan/apt_preferences.disabled
# start the generated file with an explanatory header (the exact header
# wording was lost in extraction; the two lines below are a reconstruction)
cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
# This file is generated by /usr/sbin/debsecan-apt-priority, do not edit.
# It pins packages whose security fixes are in unstable, see https://bugs.debian.org/725934
EOF
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d\  -f2 | sort -u) ; do
    # debug symbol packages live in unstable-debug, everything else in unstable
    case "$pkg" in
        *-dbgsym) suite=unstable-debug ;;
        *) suite=unstable ;;
    esac
    cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=$suite
Pin-Priority: 900

EOF
done
chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences

debsecan.pp:
# setup debsecan on machines
#
# this is mostly to follow security upgrades from unstable in testing
class profile::debsecan {
  package { 'debsecan':
    ensure => present,
  }
  file_line { 'disable_debsecan_mails':
    path  => '/etc/default/debsecan',
    line  => 'REPORT=false',
    match => '^REPORT=.*',
  }
  file { '/usr/sbin/debsecan-apt-priority':
    source => 'puppet:///modules/profile/debsecan-apt-priority',
    mode   => '0555',
  }
  file { '/etc/apt/apt.conf.d/99debsecan':
    content => @(EOF),
      APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };
      | EOF
  }
}
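
An added example, not code from the thread or from debsecan: the same filter-and-pin pipeline as the scripts above, written as shell functions over a constructed sample of debsecan's summary output so it runs without debsecan installed. The sample lines, the function names and the output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): debsecan output -> apt pinning,
# as functions over constructed input so it can be exercised offline.
set -eu

# Constructed sample of debsecan's one-line-per-issue summary output.
# Only issues marked "(fixed" have a newer, fixed version in the archive.
SAMPLE_DEBSECAN_OUTPUT='CVE-2021-0001 libfoo1 (fixed, remotely exploitable, high urgency)
CVE-2021-0002 libfoo1 (fixed)
CVE-2021-0003 bar (remotely exploitable, high urgency)
CVE-2021-0004 libfoo1-dbgsym (fixed, low urgency)
CVE-2021-0005 baz (obsolete)'

# The thread's filter: keep "(fixed)" or "(fixed, ...", take the package
# column and deduplicate, so each package gets exactly one Pin stanza.
fixed_packages() {
    printf '%s\n' "$1" | grep -E '\(fixed(\)|, )' | cut -d' ' -f2 | sort -u
}

# Map a package to the suite holding its fixed build (debug symbols live
# in unstable-debug), the same case statement as the 2017 script.
suite_for() {
    case "$1" in
        *-dbgsym) echo unstable-debug ;;
        *)        echo unstable ;;
    esac
}

# Render the apt preferences stanzas; 900 outranks the reporter's
# testing=800 pin, so apt upgrades only these packages from unstable.
render_preferences() {
    for pkg in $(fixed_packages "$1"); do
        printf 'Package: %s\nPin: release a=%s\nPin-Priority: 900\n\n' \
            "$pkg" "$(suite_for "$pkg")"
    done
}

# Write to a temporary name first and rename, as the thread does, so apt
# never reads a half-written preferences file.
write_preferences() {
    tmp="$2.disabled"
    render_preferences "$1" > "$tmp"
    chmod 644 "$tmp"
    mv -f "$tmp" "$2"
}

# Show the stanzas that would be written for the sample output.
render_preferences "$SAMPLE_DEBSECAN_OUTPUT"
```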


Bug#725934: debsecan: automatically add apt pinning for packages with security issues

2017-04-12 Thread Paul Wise
On Sat, 28 Nov 2015 10:47:54 +0800 Paul Wise wrote:

> There were a couple of bugs, now I am using this:

I've now integrated it into apt, fixed dbgsym and
moved it out of /etc into /var.

/etc/apt/apt.conf.d/99debsecan:
APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };

/usr/sbin/debsecan-apt-priority:
#!/bin/sh
set -e
# https://bugs.debian.org/725934
rm -f /var/lib/debsecan/apt_preferences.disabled
> /var/lib/debsecan/apt_preferences.disabled
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d\  -f2 | sort -u) ; do
    case "$pkg" in
        *-dbgsym)
            # debug symbol packages are fixed in unstable-debug
            cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=unstable-debug
Pin-Priority: 900

EOF
            ;;
        *)
            cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900

EOF
            ;;
    esac
done
chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


signature.asc
Description: This is a digitally signed message part


Bug#725934: debsecan: automatically add apt pinning for packages with security issues

2015-11-27 Thread Paul Wise
On Sat, 21 Nov 2015 13:02:28 +0800 Paul Wise wrote:

> I've made a simple proof-of-concept for this:

There were a couple of bugs, now I am using this:

#!/bin/sh
# https://bugs.debian.org/725934
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d\  -f2 | sort -u) ; do
    # append one stanza per package to a staging file
    cat <<EOF >> /etc/apt/preferences.d/debsecan.disabled
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900

EOF
done
chmod 644 /etc/apt/preferences.d/debsecan.disabled
mv --force /etc/apt/preferences.d/debsecan.disabled /etc/apt/preferences.d/debsecan

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Bug#725934: debsecan: automatically add apt pinning for packages with security issues

2015-11-20 Thread Paul Wise
On Thu, 10 Oct 2013 11:28:10 +0800 Paul Wise wrote:

> It would be nice if debsecan could write out an apt preferences file
> for packages that have a security issue fixed in unstable such that
> when I do apt-get upgrade I will get the security issues fixed before
> the packages migrate to testing.

I've made a simple proof-of-concept for this:

#!/bin/sh
for pkg in $(debsecan | grep fixed | cut -d\  -f2 | sort -u) ; do
    cat <<EOF > /etc/apt/preferences.d/debsecan
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900

EOF
done

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Bug#725934: debsecan: automatically add apt pinning for packages with security issues

2013-10-09 Thread Paul Wise

Package: debsecan
Version: 0.4.16+nmu1
Severity: wishlist

I am running a mixed testing/unstable system and I manually upgrade
packages to unstable when a CVE has been fixed in unstable but the fix
hasn't yet migrated to testing. I am using pinning to keep most packages
at the testing version and have apt preferences set to upgrade packages
from unstable within unstable. It would be nice if debsecan could write
out an apt preferences file for packages that have a security issue
fixed in unstable such that when I do apt-get upgrade I will get the
security issues fixed before the packages migrate to testing. This would
require some configuration since different folks will be using different
pinning but once it is setup it could be very useful.

pabs@chianamo ~ $ cat /etc/apt/preferences.d/system 
Package: *
Pin: release a=testing
Pin-Priority: 800

Package: *
Pin: release a=unstable
Pin-Priority: 700

Package: *
Pin: release a=experimental
Pin-Priority: 600

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
