Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-21 Thread Daniel Shahaf
Holger Levsen wrote on Fri, 21 Feb 2020 13:40 +00:00:
> On Fri, Feb 21, 2020 at 11:04:48AM +0000, Daniel Shahaf wrote:
> > Here you go:
> [...]
> 
> thanks, looks good to me now! 

Great, thanks for the quick turnaround!

I'm building this now for buster and will update my local scripts to use this :)

> > P.S. Separate issue: in cases such as —
> > % check-support-status --type foo 
> > E: Unknown --type 'foo'
> > %
> > — it would be nice to have "check-support-status: " prefixed to the
> > error message.  (Shall I open a separate bug for this?)
> 
> yes, please.

Done: #951722

Cheers,

Daniel



Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-21 Thread Holger Levsen
Hi Daniel,

On Fri, Feb 21, 2020 at 11:04:48AM +0000, Daniel Shahaf wrote:
> Here you go:
[...]

thanks, looks good to me now! 

> (Normally I'd add an interdiff alongside the new diff, but I'll skip
> that since you said you only skimmed the original.)

:)
 
> P.S. Separate issue: in cases such as —
> % check-support-status --type foo 
> E: Unknown --type 'foo'
> %
> — it would be nice to have "check-support-status: " prefixed to the
> error message.  (Shall I open a separate bug for this?)

yes, please.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

we'll all die. make a difference while you can. disobey. smile.


signature.asc
Description: PGP signature


Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-21 Thread Daniel Shahaf
> > > > I'm not sure if the handling of the ":amd64" architecture suffixes is
> > > > ideal.  Thoughts?
> > Okay, so what would you prefer?  To have --except=foo match both
> > foo and foo:bar for any value of bar?  (and 'foo' documented as
> > a bare package name without a ":arch" suffix)
> 
> yes, that.

Here you go:

[[[
diff --git a/check-support-status.in b/check-support-status.in
index a5437c4..7296360 100755
--- a/check-support-status.in
+++ b/check-support-status.in
@@ -28,6 +28,7 @@ fi
 LIST=
 NOHEADING=
 STATUSDB_FILE=
+EXCEPT=
 TYPE=
 
 NAME="$(basename "$0")"
@@ -37,7 +38,7 @@ TODAY="$(date +"%Y%m%d")"
 TEMP=$( \
 getopt \
 --options h,V \
---long help,list:,no-heading,semaphore:,status-db:,type:,version,Version \
+--long 
help,list:,no-heading,semaphore:,status-db:,except:,type:,version,Version \
 -n "$NAME" \
 -- "$@"
 )
@@ -52,6 +53,7 @@ Options:
   --list FILE   database of packages under specific support 
conditions
   --no-heading  skips printing headlines
   --status-db FILE  database about already reported packages
+  --except PACKAGES exempt given binary packages (comma-separated 
list)
   --type SECURITY_SUPPORT_TYPE  earlyend, ended or limited
   -V, --version display version and exit"; echo
 }
@@ -86,6 +88,16 @@ while true ; do
 STATUSDB_FILE="$2"
 shift 2
 ;;
+--except)
+EXCEPT="$2"
+case "$EXCEPT" in
+*:*)
+gettext 'E: --except= does not allow : 
suffixes'; echo
+exit 1
+;;
+esac
+shift 2
+;;
 --type)
 TYPE="$2"
 shift 2
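Review bot: the `*:*` rejection in the `--except)` branch exits without telling the user which entry was wrong; the whole list is already in `$EXCEPT`, so echoing it after the translated message (e.g. `gettext 'E: --except= does not allow : suffixes'; echo ": $EXCEPT"`) would let someone who pasted a long dpkg-style list like the one in the original report fix it in one go. The message also goes out with the bare `E:` prefix rather than the program name, which is the separate issue tracked as #951722.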
@@ -104,17 +116,17 @@ done
 case "$TYPE" in
 '')
 if [ -z "$LIST" ] ; then
-REPORT="$($0 --type ended --list [% ENDED %] --status-db 
"$STATUSDB_FILE" $NOHEADING)"
+REPORT="$($0 --type ended --list [% ENDED %] --status-db 
"$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)"
 if [ -n "$REPORT" ]  ; then
 echo "$REPORT"
 echo
 fi
-REPORT="$($0 --type limited --list [% LIMITED %] --status-db 
"$STATUSDB_FILE" $NOHEADING)"
+REPORT="$($0 --type limited --list [% LIMITED %] --status-db 
"$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)"
 if [ -n "$REPORT" ] ; then
 echo "$REPORT"
 echo
 fi
-$0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" 
$NOHEADING
+$0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" 
--except "$EXCEPT" $NOHEADING
 exit 0
 fi
 gettext 'E: Need a --type if --list is given'; echo
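Review bot: the three recursive invocations now always pass `--except "$EXCEPT"`, so the child receives the option with an empty argument when the user gave none; that is safe because getopt's `except:` accepts an empty value and an empty list becomes `,,` in the matching `case`, which no non-empty `BIN_NAME` can match, but a one-line comment saying so would stop a later reader from "fixing" it. Since the option has to be threaded through every call site by hand, a future fourth `--type` branch that forgets it would silently ignore the exemptions.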
@@ -240,6 +252,14 @@ cat "$INTERSECTION_LIST" | while read SRC_NAME ; do
 
 [% AWK %] '($3=="'"$SRC_NAME"'"){print $1" "$2}' "$INSTALLED_LIST" | \
 while read BIN_NAME BIN_VERSION ; do
+case ",$EXCEPT," in
+*,"$BIN_NAME",*) # plain match (e.g., "binutils")
+continue
+;;
+*,"${BIN_NAME%:*}",*) # match with arch suffix (e.g., 
"libbinutils:amd64")
+continue
+;;
+esac
 # for earlyend and ended, check packages actually affected (if 
TMP_WHEN not null)
 if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then
 if \
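Review bot: the second pattern `*,"${BIN_NAME%:*}",*` strips from the last colon onward, and because binary package names cannot contain `:` that removes exactly the architecture qualifier; for names without one it repeats the first pattern, which is harmless but could be noted in the comment. One consequence worth documenting: on a multiarch system a bare `--except=libbinutils` exempts every architecture instance of that package (`libbinutils:amd64` and `libbinutils:i386` alike), which is the behaviour agreed upthread but is not obvious from the option name.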
diff --git a/man/check-support-status.txt b/man/check-support-status.txt
index a16ef9a..066e042 100644
--- a/man/check-support-status.txt
+++ b/man/check-support-status.txt
@@ -83,6 +83,12 @@ reported only once.
 +
 Default: No records, any affected package will be reported every time.
 
+*--except* 'PACKAGES'::
+
+Do not alert for the given binary packages (comma-separated list).
++
+Default: Alert for all packages (no exceptions).
+
 *--type* 'TYPE'::
 
 One of the following:
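Review bot: the new `*--except* 'PACKAGES'::` entry should say that entries are bare binary package names without a `:arch` suffix and that a suffix is rejected, since the script now exits with an error on `--except=foo:amd64`; the `--help` line added in the same patch has the same gap. This is the "documented as a bare package name" half of what was agreed earlier in the thread, and without it the error will surprise anyone copying names from `dpkg -l` output.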
diff --git a/t/check-support-status.t b/t/check-support-status.t
index 784d947..af7c082 100644
--- a/t/check-support-status.t
+++ b/t/check-support-status.t
@@ -855,6 +855,76 @@ __EOS__
 );
 }
 
+diag ('exempt packages from listing');
+
+foreach my $awk (@AWKs) {
+diag ("exempt ($awk)");
+
+my $tb = Testbed->new ($dpkg_version);
+my ($list_ended, $list_limited, $query_list, $statusdb_file) = $tb->files;
+my $exe = $tb->exe (
+$awk,
+[
+'--type', 'limited',
+'--no-heading',
+'--list', $list_limited,
+'--status-db', $statusdb_file,
+'--except', 'hello,binutils-common',
+],
+);
+
+write_file ($list_limited, <<__EOS__);
+binutilslorem ipsum dolor sit amet
+php5See README.Debian.security for the PHP security policy
+__EOS__
+mock_query_list (
+$query_list,
+[
+[ 'ioi', 'binutils', '2.34-2' ],
+[ 'ioi', 'binutils-common:amd64', '2.34-2', 'binutils' ],
+[ 'ioi', 'php5', '5.3.3-7+squeeze19' ],
+],
+);
+
+# ru
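Review bot: the fixture now has `binutils` reported while `binutils-common:amd64` is exempted by the bare name `binutils-common`, which exercises both `case` patterns and gives the test a positive control that was missing from the first version. The new `*:*` rejection in the option parser still has no test; a second run with `--except hello:amd64` asserting a non-zero exit and the `E: --except= does not allow : suffixes` message on stdout would cover that branch.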

Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-21 Thread Holger Levsen
Hi Daniel,

On Fri, Feb 21, 2020 at 12:50:46AM +0000, Daniel Shahaf wrote:
> Thanks for the review!

well, I only glimpsed over it so far..

> > why is php5 mentioned here?
> I based the new test on the existing "simple ($awk)" test.  That test
> uses php5 as the example, so that carried over to the new test.
> 
> However, I suspect that doesn't answer your question.  Could you clarify
> it, please?

I missed the fact that this is just a test ;) (see above)

> > > I'm not sure if the handling of the ":amd64" architecture suffixes is
> > > ideal.  Thoughts?
> Okay, so what would you prefer?  To have --except=foo match both
> foo and foo:bar for any value of bar?  (and 'foo' documented as
> a bare package name without a ":arch" suffix)

yes, that.

thanks!


-- 
cheers,
Holger





Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-20 Thread Daniel Shahaf
Holger Levsen wrote on Fri, 21 Feb 2020 00:26 +00:00:
> On Sun, Feb 16, 2020 at 07:35:39PM +0000, Daniel Shahaf wrote:
> > > & patches welcome.
> > Here you go, against current git:
> 
> wheeehoo, very nice.
> 

Thanks for the review!

> just two comments:
>  
> > +write_file ($list_limited, <<__EOS__);
> > +php5See README.Debian.security for the PHP security policy
> > +__EOS__
> 
> why is php5 mentioned here?

I'm not sure I understand the question.

I based the new test on the existing "simple ($awk)" test.  That test
uses php5 as the example, so that carried over to the new test.

However, I suspect that doesn't answer your question.  Could you clarify
it, please?

> > % ./check-support-status 
> > --except=binutils,binutils-common:amd64,binutils-x86-64-linux-gnu,libbinutils:amd64,libctf0:amd64,libctf-nobfd0:amd64
> > I'm not sure if the handling of the ":amd64" architecture suffixes is
> > ideal.  Thoughts?
> 
> I'd rather not have this there:
> - it makes things complicated if I need to know if a package is arch:all or the host binary arch
> - it's also redundant, if the system is amd64, all packages will be amd64. (well, modulo multi-arch I guess)

Okay, so what would you prefer?  To have --except=foo match both
foo and foo:bar for any value of bar?  (and 'foo' documented as
a bare package name without a ":arch" suffix)

Cheers,

Daniel
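The matching rule proposed just above (a bare name in the list exempts both `foo` and `foo:arch`, while list entries themselves may not carry a suffix), written out as an added stand-alone POSIX sh example rather than the debian-security-support code itself; the function names `validate_except`, `is_excepted` and `filter_installed` and the sample package lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not check-support-status itself: the --except semantics
# agreed in this thread as stand-alone POSIX sh. Names below are made up.

# validate_except LIST: succeed unless an entry carries a ":arch" suffix,
# which the option rejects (entries are bare binary package names).
validate_except() {
    case "$1" in
        *:*) return 1 ;;
    esac
    return 0
}

# is_excepted LIST BIN_NAME: succeed if the installed binary package
# BIN_NAME is exempted by the comma-separated LIST.
is_excepted() {
    _list=",$1,"   # surrounding commas make every match a whole entry,
    _bin=$2        # so "binutils" cannot exempt "binutils-common"
    case "$_list" in
        *,"$_bin",*)      return 0 ;;  # exact name, e.g. "binutils"
        *,"${_bin%:*}",*) return 0 ;;  # bare name of "libbinutils:amd64"
    esac
    return 1
}

# filter_installed LIST: read "name version" lines on stdin (the shape of
# the installed-package loop in the script) and print the non-exempted ones.
filter_installed() {
    while read -r _name _version; do
        is_excepted "$1" "$_name" && continue
        printf '%s %s\n' "$_name" "$_version"
    done
}

# Constructed sample, not real dpkg-query output.
SAMPLE_INSTALLED='binutils 2.34-2
binutils-common:amd64 2.34-2
libbinutils:amd64 2.34-2
php5 5.3.3-7+squeeze19'

EXCEPT='hello,binutils-common,libbinutils'
if validate_except "$EXCEPT"; then
    # prints the binutils and php5 lines; the two :amd64 packages are exempt
    printf '%s\n' "$SAMPLE_INSTALLED" | filter_installed "$EXCEPT"
fi
```

Unknown entries such as `hello` are simply never matched, and an empty list turns into `,,`, which no package name can match, so the default of "no exceptions" needs no special case.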



Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-20 Thread Holger Levsen
Hi Daniel,

On Sun, Feb 16, 2020 at 07:35:39PM +0000, Daniel Shahaf wrote:
> > & patches welcome.
> Here you go, against current git:

wheeehoo, very nice.

just two comments:
 
> +write_file ($list_limited, <<__EOS__);
> +php5See README.Debian.security for the PHP security policy
> +__EOS__

why is php5 mentioned here?

> % ./check-support-status 
> --except=binutils,binutils-common:amd64,binutils-x86-64-linux-gnu,libbinutils:amd64,libctf0:amd64,libctf-nobfd0:amd64
> I'm not sure if the handling of the ":amd64" architecture suffixes is
> ideal.  Thoughts?

I'd rather not have this there:
- it makes things complicated if I need to know if a package is arch:all or the host binary arch
- it's also redundant, if the system is amd64, all packages will be amd64. (well, modulo multi-arch I guess)


-- 
cheers,
Holger


In Europe there are people prosecuted by courts because they saved other people
from drowning in the  Mediterranean Sea.  That is almost as absurd  as if there
were people being prosecuted because they save humans from drowning in the sea.




Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-16 Thread Daniel Shahaf
Control: tags -1 confirmed patch

Holger Levsen wrote on Sun, 16 Feb 2020 18:29 +00:00:
> On Sun, Feb 16, 2020 at 04:12:46PM +0000, Daniel Shahaf wrote:
> > [...] Thus, in effect, it would let the admin "whitelist"
> > known issues, so only new ones would be printed.
> > 
> > Would this make sense?  
> 
> yes.

Thanks for the quick answer.

> & patches welcome.

Here you go, against current git:

[[[
diff --git a/check-support-status.in b/check-support-status.in
index a5437c4..685e5ac 100755
--- a/check-support-status.in
+++ b/check-support-status.in
@@ -28,6 +28,7 @@ fi
 LIST=
 NOHEADING=
 STATUSDB_FILE=
+EXCEPT=
 TYPE=
 
 NAME="$(basename "$0")"
@@ -37,7 +38,7 @@ TODAY="$(date +"%Y%m%d")"
 TEMP=$( \
 getopt \
 --options h,V \
---long help,list:,no-heading,semaphore:,status-db:,type:,version,Version \
+--long 
help,list:,no-heading,semaphore:,status-db:,except:,type:,version,Version \
 -n "$NAME" \
 -- "$@"
 )
@@ -52,6 +53,7 @@ Options:
   --list FILE   database of packages under specific support 
conditions
   --no-heading  skips printing headlines
   --status-db FILE  database about already reported packages
+  --except PACKAGES exempt given packages (comma-separated list)
   --type SECURITY_SUPPORT_TYPE  earlyend, ended or limited
   -V, --version display version and exit"; echo
 }
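Review bot: "exempt given packages" in the `--except PACKAGES` help line should say binary packages, because the `case` added later in this patch compares entries against `BIN_NAME` (the installed binary) and not against `SRC_NAME`; an admin who passes a source package name would otherwise expect all of its binaries to be covered. The man page entry in this same patch already says "binary packages", so the two should agree.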
@@ -86,6 +88,10 @@ while true ; do
 STATUSDB_FILE="$2"
 shift 2
 ;;
+--except)
+EXCEPT="$2"
+shift 2
+;;
 --type)
 TYPE="$2"
 shift 2
@@ -104,17 +110,17 @@ done
 case "$TYPE" in
 '')
 if [ -z "$LIST" ] ; then
-REPORT="$($0 --type ended --list [% ENDED %] --status-db 
"$STATUSDB_FILE" $NOHEADING)"
+REPORT="$($0 --type ended --list [% ENDED %] --status-db 
"$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)"
 if [ -n "$REPORT" ]  ; then
 echo "$REPORT"
 echo
 fi
-REPORT="$($0 --type limited --list [% LIMITED %] --status-db 
"$STATUSDB_FILE" $NOHEADING)"
+REPORT="$($0 --type limited --list [% LIMITED %] --status-db 
"$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)"
 if [ -n "$REPORT" ] ; then
 echo "$REPORT"
 echo
 fi
-$0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" 
$NOHEADING
+$0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" 
--except "$EXCEPT" $NOHEADING
 exit 0
 fi
 gettext 'E: Need a --type if --list is given'; echo
@@ -240,6 +246,11 @@ cat "$INTERSECTION_LIST" | while read SRC_NAME ; do
 
 [% AWK %] '($3=="'"$SRC_NAME"'"){print $1" "$2}' "$INSTALLED_LIST" | \
 while read BIN_NAME BIN_VERSION ; do
+case ",$EXCEPT," in
+*,"$BIN_NAME",*)
+continue
+;;
+esac
 # for earlyend and ended, check packages actually affected (if 
TMP_WHEN not null)
 if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then
 if \
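Review bot: `*,"$BIN_NAME",*` is an exact match on the installed name, so a Multi-Arch package such as `binutils-common:amd64` is exempted only when the entry carries the `:amd64` suffix, which is what forces the long `--except=binutils,binutils-common:amd64,...` list shown in the cover mail; also matching the bare name (`${BIN_NAME%:*}`) would let the user write `binutils-common` once for every architecture. The surrounding commas in `",$EXCEPT,"` are the right idiom here: they make each comparison whole-entry, so `binutils` does not exempt `binutils-common`.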
diff --git a/man/check-support-status.txt b/man/check-support-status.txt
index a16ef9a..066e042 100644
--- a/man/check-support-status.txt
+++ b/man/check-support-status.txt
@@ -83,6 +83,12 @@ reported only once.
 +
 Default: No records, any affected package will be reported every time.
 
+*--except* 'PACKAGES'::
+
+Do not alert for the given binary packages (comma-separated list).
++
+Default: Alert for all packages (no exceptions).
+
 *--type* 'TYPE'::
 
 One of the following:
diff --git a/t/check-support-status.t b/t/check-support-status.t
index 784d947..dd9c54f 100644
--- a/t/check-support-status.t
+++ b/t/check-support-status.t
@@ -855,6 +855,50 @@ __EOS__
 );
 }
 
+diag ('exempt packages from listing');
+
+foreach my $awk (@AWKs) {
+diag ("exempt ($awk)");
+
+my $tb = Testbed->new ($dpkg_version);
+my ($list_ended, $list_limited, $query_list, $statusdb_file) = $tb->files;
+my $exe = $tb->exe (
+$awk,
+[
+'--type', 'limited',
+'--no-heading',
+'--list', $list_limited,
+'--status-db', $statusdb_file,
+'--except', 'hello,php5',
+],
+);
+
+write_file ($list_limited, <<__EOS__);
+php5See README.Debian.security for the PHP security policy
+__EOS__
+mock_query_list (
+$query_list,
+[
+[ 'ioi', 'php5', '5.3.3-7+squeeze19' ],
+],
+);
+
+# run a first time
+my $run = Test::Command->new ('cmd' => $exe);
+$run->run;
+$run->exit_is_num (0);
+
+my ($stdout, $stderr) = stdout_n_stderr ($run);
+$stderr and diag ("stderr:\n" . $stderr);
+my $expect_stdout = '';
+eq_or_diff (
+$stdout,
+$expect_stdout,
+'stdout'
+);
+
+ok (!-f $statusdb_file, 'status db file was not created');
+}
 done_testing;
 
 exit 0;
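Review bot: the test asserts only the negative path: `php5` is the sole installed package in the fixture and it is on the `--except` list, so `$expect_stdout = ''` would also pass if `--except` silenced all output or if `$list_limited` were never consulted. Adding a second installed package that is not exempted and asserting that it still appears in stdout would make the test catch that regression. Listing `hello`, which is not installed, is useful as-is: it checks that unknown entries are ignored rather than reported.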
]]]

In a sid chroot it works as follows:


Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-16 Thread Holger Levsen
Hi Daniel,

thanks for your bug report.

On Sun, Feb 16, 2020 at 04:12:46PM +0000, Daniel Shahaf wrote:
> [...] Thus, in effect, it would let the admin "whitelist"
> known issues, so only new ones would be printed.
> 
> Would this make sense?

yes.

& patches welcome.


-- 
cheers,
Holger





Bug#951442: debian-security-support: Please allow to exclude specific packages from the check

2020-02-16 Thread Daniel Shahaf
Package: debian-security-support
Version: 2019.12.12~deb10u1
Severity: wishlist
Tags: upstream

Dear Maintainer,

   * What led up to the situation?

Two things:

1. I have installed binutils, which is Build-Essential and has limited
security support (#948634).

2. I use «chronic -e sh -c 'check-support-status >&2'» to check whether
any packages with limited security support are installed.

   * What was the outcome of this action?

Every time I run the command from (2), it exits non-zero, because
binutils is installed.

   * What outcome did you expect instead?

I'd like to have a way to run, say, «check-support-status
--dont-complain-about=binutils,binutils-common,libbinutils,binutils-x86-64-linux-gnu».
This command would skip the binary packages given on the command line
when looking for and listing installed binary packages with limited
support status.  Thus, in effect, it would let the admin "whitelist"
known issues, so only new ones would be printed.

Would this make sense?

Cheers,

Daniel


-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debian-security-support depends on:
ii  adduser3.118
ii  debconf [debconf-2.0]  1.5.71
ii  gettext-base   0.19.8.1-9

debian-security-support recommends no packages.

debian-security-support suggests no packages.

-- debconf-show failed