find packages without security support / consider installation of debian-security-support by default

Information

ID: 135
PHID: PHID-TASK-tdyojm657xusmg66py6f
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal

Description

When the Debian security team ends security support for a package that is already installed, nothing reports this by default. The user will therefore likely keep using packages that may be vulnerable. This also applies to Debian stable.

The debian-security-support package helps to solve this issue. It provides a check-support-status command that lists those packages, and it is also run automatically during apt-get dist-upgrade.

As of Debian wheezy, examples include kde4libs, pidgin, qtwebkit and webkit. (Check the output of check-support-status.)

Installing debian-security-support as it is now would cause more confusion than gain. Reporting something like kde4libs and a bunch of libraries tells the user nothing. Showing reverse dependencies is a missing feature in debian-security-support.

debian-security-support is a sh shell script.
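The following is an added example of the missing reverse-dependency feature; it is not code from debian-security-support (which is a sh script) and not from this project. It takes the report text that check-support-status prints and the dpkg status database, and for every affected binary package lists the installed packages that depend on it, directly or transitively, so that a bare "libkdecore5" becomes "libkdecore5 <- needed by: kate, rekonq". The sample report and status excerpt are constructed for this example; the exact layout of the real check-support-status report is an assumption, and the parser only relies on the "- <package> (installed version: ...)" lines.

```python
#!/usr/bin/env python3
"""Annotate check-support-status output with installed reverse dependencies.

Added example, not part of debian-security-support. Reads the report on stdin
and the dpkg status database from the path given as first argument; without
arguments it runs on the constructed samples below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the layout of a check-support-status report
# (assumption: the real report names binaries on "- pkg (installed version: ...)" lines).
SAMPLE_REPORT = """\
Ended security support for one or more packages

The following packages found on this system are affected by this:

* Source:kde4libs, ended on 2015-03-15 at version 4:4.8.4-4+deb7u1
  Affected binary packages:
  - libkdecore5 (installed version: 4:4.8.4-4+deb7u1)

* Source:qtwebkit, ended on 2015-03-15 at version 2.2.1-5
  Affected binary packages:
  - libqtwebkit4 (installed version: 2.2.1-5)

* Source:pidgin, ended on 2015-03-15 at version 2.10.10-1
  Affected binary packages:
  - pidgin (installed version: 2.10.10-1)
  - libpurple0 (installed version: 2.10.10-1)
"""

# Constructed /var/lib/dpkg/status excerpt, trimmed to the fields used here.
# Package names are illustrative; versions and relations are not real data.
SAMPLE_STATUS = """\
Package: libkdecore5
Status: install ok installed
Version: 4:4.8.4-4+deb7u1
Depends: libc6 (>= 2.13), libqtcore4 (>= 4:4.8.0)

Package: libqtwebkit4
Status: install ok installed
Version: 2.2.1-5
Depends: libc6 (>= 2.13), libqtcore4 (>= 4:4.8.0)

Package: kate
Status: install ok installed
Version: 4:4.8.4-1
Depends: libkdecore5 (>= 4:4.8.4), libc6 (>= 2.13)

Package: rekonq
Status: install ok installed
Version: 1.1-1
Depends: libqtwebkit4 (>= 2.2), libkdecore5 (>= 4:4.8.4), libc6 (>= 2.13)

Package: pidgin
Status: install ok installed
Version: 2.10.10-1
Depends: libc6 (>= 2.13), libpurple0 (>= 2.10.10), gnome-keyring | kwalletmanager

Package: libpurple0
Status: install ok installed
Version: 2.10.10-1
Depends: libc6 (>= 2.13)

Package: libc6
Status: install ok installed
Version: 2.13-38

Package: libqtcore4
Status: install ok installed
Version: 4:4.8.2+dfsg-11

Package: old-removed-thing
Status: deinstall ok config-files
Version: 1.0
Depends: libkdecore5
"""

_VERSION_CONSTRAINT = re.compile(r"\s*\([^)]*\)")  # strips "(>= 1.2)" from a relation


def parse_status(text):
    """Return {binary: {"installed": bool, "depends": set}} from dpkg status text."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith((" ", "\t")):  # skip continuation lines
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        name = fields.get("Package")
        if not name:
            continue
        deps = set()
        for field in ("Pre-Depends", "Depends"):
            for clause in filter(None, fields.get(field, "").split(",")):
                for alternative in clause.split("|"):  # "a | b" satisfies via either
                    dep = _VERSION_CONSTRAINT.sub("", alternative).strip().split(":")[0]
                    if dep:
                        deps.add(dep)
        status = fields.get("Status", "").split()
        pkgs[name] = {"installed": status[-1:] == ["installed"], "depends": deps}
    return pkgs


def reverse_depends(pkgs):
    """Map each package name to the set of installed packages that depend on it."""
    rdeps = defaultdict(set)
    for name, info in pkgs.items():
        if info["installed"]:  # removed packages with leftover config files do not count
            for dep in info["depends"]:
                rdeps[dep].add(name)
    return rdeps


def reverse_closure(rdeps, pkg):
    """All installed packages depending on pkg directly or transitively (cycle safe)."""
    seen, todo = set(), [pkg]
    while todo:
        for parent in rdeps.get(todo.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return seen


def affected_packages(report):
    """Binary package names listed in a check-support-status report."""
    return re.findall(r"^\s*-\s+(\S+)\s+\(installed version:", report, re.M)


def annotate(report, status_text):
    """Return {affected binary: sorted list of installed reverse dependencies}."""
    rdeps = reverse_depends(parse_status(status_text))
    return {p: sorted(reverse_closure(rdeps, p)) for p in affected_packages(report)}


def format_report(annotated):
    """Render one line per affected package, naming what would break on removal."""
    lines = []
    for pkg, users in annotated.items():
        if users:
            lines.append(f"{pkg} <- needed by: {', '.join(users)}")
        else:
            lines.append(f"{pkg} (nothing installed depends on it)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use:  check-support-status | python3 rdepends_report.py /var/lib/dpkg/status
    if len(sys.argv) == 2:
        report, status_text = sys.stdin.read(), open(sys.argv[1]).read()
    else:
        report, status_text = SAMPLE_REPORT, SAMPLE_STATUS
    print(format_report(annotate(report, status_text)))
```

On the constructed samples this prints that libkdecore5 is needed by kate and rekonq, libqtwebkit4 by rekonq, libpurple0 by pidgin, and that nothing depends on pidgin itself. Two limitations worth knowing before relying on it: virtual packages satisfied through Provides are not resolved, and only Depends and Pre-Depends are followed, so Recommends-only users are not shown.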

TODO:

  • This needs to be documented in the updating documentation.
  • Implement showing reverse dependencies in debian-security-support (upstream feature request).
  • Think about whatever else is missing in debian-security-support to make it useful for the user.
  • Finally, after improving debian-security-support, install it by default.

Comments