Detect missing package assignments for embedded code copies
Parse security-tracker:data/embedded-code-copies and better report on packages that embed the code of vulnerable packages. For example, a CVE for the zlib package likely also affects the rsync package, which is listed in data/embedded-code-copies as embedding zlib. Other packages listed under zlib also embed some of its code.
Caution: take the tags from data/embedded-code-copies into account.
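As an added illustration of the task (example code, not part of the security-tracker or of this issue), the following Python reads a file in the layout assumed for data/embedded-code-copies, keeps the per-entry tags, and answers "which packages need a look when this source gets a CVE?" while skipping copies tagged as unused. The layout (an unindented upstream source name followed by indented `- package version (tag; tag; comment)` lines), the tag names `embed`, `static`, `fork` and `unused`, and the rule that single-word annotations are tags while multi-word ones are commentary are all assumptions to be checked against the real file header; the sample data is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One indented entry: "- <package> [<version>] [(<note>)]".  <version> may be a
# Debian version or a marker such as <unfixed>; it never starts with "(".
ENTRY_RE = re.compile(
    r"^\s+-\s+(?P<pkg>\S+)"
    r"(?:\s+(?P<version>[^\s(]\S*))?"
    r"(?:\s+\((?P<note>.*)\))?\s*$"
)

# Tags (assumed names) meaning the copy is not built or not reachable, so a CVE
# in the upstream source does not turn into work on the embedding package.
INACTIVE_TAGS = {"unused"}


@dataclass
class EmbeddedCopy:
    package: str            # Debian source package carrying the copy
    version: Optional[str]  # version of that package, or a marker like <unfixed>
    tags: List[str]         # single-word annotations, e.g. embed / static / fork / unused
    note: str               # remaining free-text annotation (bug refs, paths, ...)


def parse_embedded_code_copies(text: str) -> Dict[str, List[EmbeddedCopy]]:
    """Map each top-level upstream source to the packages that embed it."""
    copies: Dict[str, List[EmbeddedCopy]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented: a new upstream source
            current = line.strip()
            copies.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m is None or current is None:   # unknown line shape: skip, do not abort
            continue
        parts = [p.strip() for p in (m.group("note") or "").split(";") if p.strip()]
        # Heuristic (assumption): a single-word part is a tag; anything with a
        # space ("bug #NNN", a path description) is commentary.
        tags = [p.lower() for p in parts if " " not in p]
        note = "; ".join(p for p in parts if " " in p)
        copies[current].append(EmbeddedCopy(m.group("pkg"), m.group("version"), tags, note))
    return copies


def affected_by(copies, source, include_inactive=False):
    """Packages to look at when `source` gets a CVE, honouring the tags."""
    return [c for c in copies.get(source, [])
            if include_inactive or not (INACTIVE_TAGS & set(c.tags))]


def report(copies, cve_id, source):
    """One human-readable line per embedding package that still needs a check."""
    lines = []
    for c in affected_by(copies, source):
        line = f"{cve_id}: {c.package} {c.version or '?'} embeds {source} [{', '.join(c.tags) or 'no tag'}]"
        if c.note:
            line += " " + c.note
        lines.append(line)
    return lines


# Constructed sample in the assumed layout; not the real data file.
SAMPLE = """\
zlib
\t- rsync <unfixed> (embed; bug #NNNNNN; can build against system zlib)
\t- foo 1.2-3 (static)
\t- bar <unfixed> (unused; copy present but not compiled)
expat
\t- baz 2.0-1 (fork)
"""

if __name__ == "__main__":
    for line in report(parse_embedded_code_copies(SAMPLE), "CVE-XXXX-NNNN", "zlib"):
        print(line)
```

Running the module prints two lines for zlib (rsync and foo); bar is dropped because of its `unused` tag, which is the kind of tag-aware filtering that the 2009 script lacked and that produces its false positives. A real report would join this against data/CVE/list to pick the source package per CVE and could add an age limit on the CVE year.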
Any script or modification developed for this task should be coordinated with the security team, as they may have a more general use for it as well.
History:
- security-tracker-team:bin/inject-embedded-code-copies : 2009 script that does the job by adding TODO entries, but with lots of false positives and no age limit
- https://lists.debian.org/debian-security-tracker/2018/06/msg00005.html : discussion about generalizing renamed packages and embedded copies, leading to security-tracker-team/security-tracker!4 (modifies data/CVE/list) and security-tracker-team/security-tracker!8 (outputs report) (stalled/rejected by secteam)
- @apo revamped embedded-copies in extended-lts:extra-packages-to-support (initialized by extended-lts:elts_embedded.py), see extended-lts-team@freexian.com: d24076dc-33ad-56fd-fd3d-c58a6682f7ae@koschany.net (2020-02-21), to easily identify embedded copies to patch in stretch-elts' supported packages (all private)
- https://lists.debian.org/debian-lts/2021/02/msg00089.html : plan similar to elts (previous point) but for the main security-tracker repo, with more categorization hoping for fewer false positives (no feedback)
Do not confuse with #12 (tracking renamed/branched/forked packages), which targets a different workflow with more certainty. Previous attempts to generalize it with this issue were rejected (see history above).