Ubuntu

debsecan should be either adjusted (for ubuntu) or removed

Reported by Daniël van Eeden on 2007-03-25
This bug affects 8 people
Affects: debsecan (Ubuntu)
Importance: Medium
Assigned to: Unassigned
Nominated for Lucid by Paul Tagliamonte 
Nominated for Raring by Paul Tagliamonte 

Bug Description

Binary package hint: debsecan

$ debsecan --suite=edgy
usage: debsecan OPTIONS...

debsecan: error: option --suite: invalid choice: 'edgy' (choose from 'woody', 'sarge', 'etch', 'sid')

It should have options for edgy, etc.

Daniel T Chen (crimsun) on 2008-09-30
Changed in debsecan:
importance: Undecided → Wishlist
status: New → Confirmed

This description is a small symptom of the large-scale problem with debsecan on Ubuntu. The core issue is that Ubuntu's debsecan conveys information that is just plain wrong. This is because Ubuntu's debsecan gets reference data from Debian's security tracker [1], which does not track Ubuntu issues. Hence any issues in *-ubuntu1 packages, etc. that do not exist in Debian's database are not tracked at all. In fact, no fixed Ubuntu package has ever been tracked.

A robust solution for this problem would be a major undertaking. Ubuntu would need to replicate Debian's security tracker system and commit to populating the database with up-to-date information. That may not be necessary, though, if one were to get permission from Debian to add and maintain Ubuntu-specific security data in their tracker.

Anyway, as it stands now, debsecan is lying to its users, which is just plain wrong. In its current state, the package should be removed from Ubuntu.

[1] http://security-tracker.debian.net/tracker/

Changed in debsecan:
assignee: nobody → michael-s-gilbert

The severity of this bug should really be set to high.

Changed in debsecan:
assignee: michael-s-gilbert → nobody
Paul Tagliamonte (paultag) wrote:

This bug should be targeted for Lucid. Lucid is an LTS, and it would be a big mistake to ship an app that reports false data about something as serious as security information.

Still no update. debsecan is being considered for removal from the Ubuntu repositories, since it is currently useless unless adapted. Info in bug #498058.

summary: - debsecan should be adjusted for ubuntu
+ debsecan should be either adjusted for ubuntu or removed
tags: added: precise quantal raring
summary: - debsecan should be either adjusted for ubuntu or removed
+ debsecan should be either adjusted (for ubuntu) or removed
Paul Tagliamonte (paultag) wrote:

Someone: Just please RM this :)

Changed in debsecan (Ubuntu):
importance: Wishlist → Medium
Norbert (nrbrtx) wrote:

Guys, I think that it is very important to make debsecan compatible with the Ubuntu ecosystem.

Sometimes I use Gentoo Linux; they have a great tool, glsa-check (http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14, http://wiki.gentoo.org/wiki/GLSA), which tests installed packages against known vulnerabilities and recommends updating the affected packages.

You already have a CVE tracking page (http://people.canonical.com/~ubuntu-security/cve/) and Ubuntu Security Notices (http://www.ubuntu.com/usn/). The remaining task is to integrate them with debsecan.
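An added illustration of the mismatch described in the two comments above (reference data from Debian's tracker applied to Ubuntu packages, and the suggestion to feed debsecan Ubuntu-specific data instead). This is example code written for this thread, not code from debsecan, the Debian security tracker, or the Ubuntu CVE tracker. It implements the dpkg version-ordering rules in plain Python and applies a small feed of "fixed in version" entries to a list of installed packages. The package names, versions, feed entries and the CVE-0000-000x identifiers are all constructed placeholders. With a Debian-keyed feed it shows both failure modes at once: a false positive on a package whose fix Ubuntu shipped as 1.2-3ubuntu0.1 (which sorts below Debian's 1.2-4), and silence on an Ubuntu-only package the Debian feed has never heard of. The same assessment code with Ubuntu-keyed data reports correctly.

```python
"""Toy vulnerability assessment in the style of debsecan (added example,
not debsecan's own code).  Shows why reference data keyed on one
distribution's package versions misreports another distribution's packages."""


def _order(c):
    """Sort weight of a single character, as in dpkg's version comparison:
    '~' sorts before the end of the string, digits and end-of-string weigh 0,
    letters sort before other punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings with dpkg's algorithm:
    alternate runs of non-digits (compared by _order) and digits (compared
    numerically).  Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: leading zeros are insignificant, longer run wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its parts (epoch 0 and an empty
    revision when absent; an empty revision compares equal to '0')."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """dpkg --compare-versions semantics: <0 if v1 < v2, 0 if equal, >0 if v1 > v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def assess(installed, feed):
    """Return (package, cve) pairs whose installed version is older than the
    feed's fixed version.  A package the feed does not know is never reported,
    which is the silent failure for distribution-specific packages."""
    findings = []
    for entry in feed:
        version = installed.get(entry["package"])
        if version is not None and compare_versions(version, entry["fixed"]) < 0:
            findings.append((entry["package"], entry["cve"]))
    return findings


# Constructed sample data; the CVE ids are placeholders, not real advisories.
INSTALLED_ON_UBUNTU = {
    "foo": "1.2-3ubuntu0.1",  # Ubuntu security update already carrying the fix
    "bar": "2.0-0ubuntu1",    # package that exists only in Ubuntu
}
DEBIAN_KEYED_FEED = [
    {"cve": "CVE-0000-0001", "package": "foo", "fixed": "1.2-4"},
]
UBUNTU_KEYED_FEED = [
    {"cve": "CVE-0000-0001", "package": "foo", "fixed": "1.2-3ubuntu0.1"},
    {"cve": "CVE-0000-0002", "package": "bar", "fixed": "2.0-0ubuntu2"},
]


def debian_feed_on_ubuntu():
    """Debian data applied to Ubuntu packages: foo is wrongly flagged (false
    positive) and bar's open issue is never seen (false negative)."""
    return assess(INSTALLED_ON_UBUNTU, DEBIAN_KEYED_FEED)


def ubuntu_feed_on_ubuntu():
    """Distribution-matched data: only bar, whose fix is not installed, is reported."""
    return assess(INSTALLED_ON_UBUNTU, UBUNTU_KEYED_FEED)


if __name__ == "__main__":
    print("Debian-keyed feed:", debian_feed_on_ubuntu())
    print("Ubuntu-keyed feed:", ubuntu_feed_on_ubuntu())
```

The version comparison is the part worth getting right: Ubuntu's `ubuntu0.1` revisions always sort below the next Debian revision, so any checker that keys on Debian fixed versions will keep flagging packages Ubuntu has already patched, while packages that only exist in Ubuntu never appear in the Debian feed at all. Matching the reference data to the distribution, as the comment above suggests with the Ubuntu CVE tracker and USNs, fixes both problems without changing the assessment logic.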
