Package: debsecan

When running debsecan on a system, it tries to map the installed binary packages to source packages and then maps those source packages to vulnerabilities. This method gained a shortcoming with the advent of "signed" packages such as grub, linux and shim. Let me explain with linux as an example.

If you have a system that happens to have linux-libc-dev, debsecan will show the corresponding vulnerabilities, because linux-libc-dev is built from the unsigned linux source package and vulnerabilities are tracked with this source package. However, when you remove linux-libc-dev and all you have left is a (signed) linux kernel image, debsecan sees the source package, e.g. linux-signed-amd64, and fails to map it to the real linux source package that tracks the vulnerabilities. On the other hand, an "-unsigned" kernel image is built from the real source package and debsecan displays the associated vulnerabilities. This is suboptimal from a user experience point of view.

In essence, debsecan needs to somehow figure out that mapping from signed template packages to underlying source packages, and in doing so it likely needs to be changed in some way, which is why I'm filing this here. Basically, the options seem to be:

* debsecan works around the issue by hard-coding this mapping into its source code or some data file in the debsecan package.
* The security tracker learns about this mapping and exposes it to debsecan somehow.
  + In particular, data/CVE/list should not duplicate the tracking.
  + This mapping is distinct from data/embedded-code-copies.
* The relevant source packages gain a new source control field expressing this forwarding.

I would like to thank Salvatore for initial IRC discussions on this matter and adding structure to it.

Helmut
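The lookup described in the report, as an added example that is not debsecan's own code: it parses constructed `dpkg-query -W -f '${Package} ${Source}\n'` style output, maps binaries to source packages, and matches them against a constructed CVE-to-source table in the spirit of data/CVE/list. The `SIGNED_TO_SOURCE` forwarding table is hypothetical and illustrates the first option (a mapping hard-coded in debsecan); the package names are real Debian packages but the versions and CVE identifiers are invented. Running it shows that once linux-libc-dev and the -unsigned image are gone, the signed kernel image only gets its CVEs when the forwarding is applied.

```python
"""Toy re-implementation of the binary -> source -> CVE lookup debsecan performs,
with an added signed-template -> tracking-source forwarding step.

All inputs below are constructed; this is illustrative code, not debsecan's.
"""
import re
from collections import defaultdict

# Constructed dpkg-query output, one "${Package} ${Source}" line per package.
# The Source field may carry a version in parentheses when it differs from the
# binary version; a missing Source means source name == binary name.
# Versions are invented.
DPKG_STATUS = """\
linux-libc-dev linux (6.1.90-1)
linux-image-6.1.0-21-amd64 linux-signed-amd64 (6.1.90+1)
linux-image-6.1.0-21-amd64-unsigned linux (6.1.90-1)
grub-efi-amd64-signed grub-efi-amd64-signed (1+2.06+13)
shim-signed shim-signed (1.39+15.7-1)
bash
"""

# Constructed CVE -> tracking source package table (invented CVE ids).
CVE_LIST = {
    "CVE-0000-0001": "linux",
    "CVE-0000-0002": "grub2",
    "CVE-0000-0003": "shim",
}

# Hypothetical forwarding table: signed template source -> source package
# that actually tracks the vulnerabilities (the "hard-coded mapping" option).
SIGNED_TO_SOURCE = {
    "linux-signed-amd64": "linux",
    "linux-signed-arm64": "linux",
    "grub-efi-amd64-signed": "grub2",
    "shim-signed": "shim",
}


def parse_dpkg_status(text):
    """Return {binary package: source package} from "${Package} ${Source}" lines."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        binary = parts[0]
        source = parts[1].strip() if len(parts) > 1 else ""
        # Drop a trailing "(version)" and fall back to the binary name.
        source = re.sub(r"\s*\(.*\)$", "", source) or binary
        installed[binary] = source
    return installed


def resolve_source(source, forwarding):
    """Map a signed template source to its tracking source, if known."""
    return forwarding.get(source, source)


def find_vulnerabilities(installed, cve_list, forwarding=None):
    """Return {CVE: sorted affected binaries} for the installed packages."""
    forwarding = forwarding or {}
    by_source = defaultdict(list)
    for binary, source in installed.items():
        by_source[resolve_source(source, forwarding)].append(binary)
    return {
        cve: sorted(by_source[source])
        for cve, source in cve_list.items()
        if source in by_source
    }


def without(installed, *names):
    """Installed set with the given binaries removed (simulates purging them)."""
    return {b: s for b, s in installed.items() if b not in names}


if __name__ == "__main__":
    full = parse_dpkg_status(DPKG_STATUS)
    signed_only = without(full, "linux-libc-dev",
                          "linux-image-6.1.0-21-amd64-unsigned")
    print("full system, no forwarding: ", find_vulnerabilities(full, CVE_LIST))
    print("signed only, no forwarding: ", find_vulnerabilities(signed_only, CVE_LIST))
    print("signed only, with forwarding:",
          find_vulnerabilities(signed_only, CVE_LIST, SIGNED_TO_SOURCE))
```

Without the forwarding table the signed kernel image, grub-efi-amd64-signed and shim-signed never match anything, because their Source fields name the signed template packages rather than linux, grub2 and shim.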