Bug#986581: debian-security-support: logic behind version-based filters
On Mon, Apr 26, 2021 at 07:16:31PM +0200, Sylvain Beucler wrote: > I think we are all OK with this particular change. Can you review the MR? yes, I will, ASAP, pinging the the issue every 4 days is too much and will not speed up things. -- cheers, Holger ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C ⠈⠳⣄ signature.asc Description: PGP signature
Bug#986581: debian-security-support: logic behind version-based filters
Hi, On 16/04/2021 10:41, Sylvain Beucler wrote: I dropped the version-based check and adapted the test suite: https://salsa.debian.org/debian/debian-security-support/-/merge_requests/9 pending review with secteam. I think we are all OK with this particular change. Can you review the MR? Cheers! Sylvain
Bug#986581: debian-security-support: logic behind version-based filters
Hi Christoph,
Thanks a lot for your precisions,
On 13/04/2021 10:02, Christoph Biedl wrote:
Sylvain Beucler wrote...
We could not find a valid use case for this feature, while it is causing
some missing reports as with 'nodejs', as explained in the above BTS entry.
Did we miss something?
Well, I cannot remember the idea behind the logic, so feel free to do
what you (as a group) consider appropriate.
From guessing, I'd say: The case of "Installed package has a version
number higher than the last supported one" - then the security status of
that package is mostly undefined. Possibly I had backports in mind here:
So if a backport is installed *and* that one has proper security
support, I consider it correct to stay silent about that situation; in
fact, alerting is even wrong because it creates unnecessary noise - that
will educate users to ignore such alerts. But it's indeed hard to tell
whether this situation applies (checking apt-cache policy, checking the
security tracker [please don't], yada yade).
Moreover, I see that:
- backports have no official security support so are never supported
https://backports.debian.org/FAQ/
- the code incorrectly skips packages with no ("0") version
I dropped the version-based check and adapted the test suite:
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/9
pending review with secteam.
The other feature, being able to end support in advance - well I'd call
that a nice hack and I'd certainly keep it. Although I'd agree it will
rarely be used.
Yes, date-based should be enough for this case.
Cheers!
Sylvain
Bug#986581: debian-security-support: logic behind version-based filters
Sylvain Beucler wrote... > I'm investigating an issue in 'debian-security-support' related to how it > includes/excludes packages by comparing the installed version and the > supported version, see: > https://bugs.debian.org/986581 Oy, you brought back a lot of old memories. Not necessarily good ones but that's not your fault. Also, I haven't checked the old mails I'd exchanged with the security team when designing that code. But quite frankly, if a feature is neither obvious nor documented, it's possibly not worth it. > We could not find a valid use case for this feature, while it is causing > some missing reports as with 'nodejs', as explained in the above BTS entry. > > Did we miss something? Well, I cannot remember the idea behind the logic, so feel free to do what you (as a group) consider appropriate. From guessing, I'd say: The case of "Installed package has a version number higher than the last supported one" - then the security status of that package is mostly undefined. Possibly I had backports in mind here: So if a backport is installed *and* that one has proper security support, I consider it correct to stay silent about that situation; in fact, alerting is even wrong because it creates unnecessary noise - that will educate users to ignore such alerts. But it's indeed hard to tell whether this situation applies (checking apt-cache policy, checking the security tracker [please don't], yada yade). The other feature, being able to end support in advance - well I'd call that a nice hack and I'd certainly keep it. Although I'd agree it will rarely be used. Christoph signature.asc Description: PGP signature
Bug#986581: debian-security-support: logic behind version-based filters
Hello Christoph, I'm investigating an issue in 'debian-security-support' related to how it includes/excludes packages by comparing the installed version and the supported version, see: https://bugs.debian.org/986581 At this point I'm inclined to drop all the version-based logic, because when a package is added in security-support-ended.debX, that means there is immediate concern about this package, and we already can distinguish upcoming and effective end-of-support through dates. We could not find a valid use case for this feature, while it is causing some missing reports as with 'nodejs', as explained in the above BTS entry. Did we miss something? Cheers! Sylvain
