debsecan should be either adjusted (for ubuntu) or removed

Bug #95925 reported by Daniël van Eeden on 2007-03-25
This bug affects 12 people
Affects Status Importance Assigned to Milestone
debsecan (Ubuntu)
Nominated for Lucid by Paul Tagliamonte
Nominated for Raring by Paul Tagliamonte

Bug Description

Binary package hint: debsecan

$ debsecan --suite=edgy
usage: debsecan OPTIONS...

debsecan: error: option --suite: invalid choice: 'edgy' (choose from 'woody', 'sarge', 'etch', 'sid')

It should have options for edgy, etc.

Daniel T Chen (crimsun) on 2008-09-30
Changed in debsecan:
importance: Undecided → Wishlist
status: New → Confirmed

this description is a small symptom of the large-scale problem with debsecan on ubuntu. the core issue is that ubuntu's debsecan conveys information that is just plain wrong. this is because ubuntu's debsecan gets reference data from debian's security tracker [1], which does not track ubuntu issues. hence any issues in *-ubuntu1 packages, etc that do not exist in debian's database are not tracked at all. in fact no fixed ubuntu package has ever been tracked.

a robust solution for this problem would be a major undertaking. ubuntu would need to replicate debian's security tracker system and commit to populating the database with up to date information. although that may not be necessary if one was to get permission from debian to add and maintain ubuntu-specific security data in their tracker.

anyway, as it stands now, debsecan is lying to its users, which is just plain wrong. in its current state, the package should be removed from ubuntu.


Changed in debsecan:
assignee: nobody → michael-s-gilbert

the severity of this bug should really be set to high.

Changed in debsecan:
assignee: michael-s-gilbert → nobody
Paul Tagliamonte (paultag) wrote :

This bug should be targeted for Lucid. Lucid is an LTS, and it would be a big mistake to ship an app that reports false data about something as serious as security information.

Still no update. debsecan is being considered for removal from the Ubuntu repositories, since it is currently useless unless adapted. Info in bug #498058.

summary: - debsecan should be adjusted for ubuntu
+ debsecan should be either adjusted for ubuntu or removed
tags: added: precise quantal raring
summary: - debsecan should be either adjusted for ubuntu or removed
+ debsecan should be either adjusted (for ubuntu) or removed
Paul Tagliamonte (paultag) wrote :

Someone: Just please RM this :)

Changed in debsecan (Ubuntu):
importance: Wishlist → Medium
Norbert (nrbrtx) wrote :

Guys, I think that it is very important to make debsecan compatible with the Ubuntu ecosystem.

Sometimes I use Gentoo Linux; they have a great tool, glsa-check. It tests installed packages against known vulnerabilities and recommends updating affected packages.

You already have a CVE-tracking page and Ubuntu security notices. The remaining task is to integrate them with debsecan.

Michael Boelen (cisofy) wrote :

While investigating this tool as an addition to Lynis, I discovered this bug thread. Even after years, the output of this tool is confusing and showing false positives for Ubuntu. It actually does more harm than good at this point.

Has someone from the security team already looked at this case?

Sheldon Hearn (sheldonh) wrote :

It's great to aspire to fixing the package. When it's fixed, it can return to the archive. In the meantime, it doesn't belong in the archive. It's useless at best, dangerous at worst.
