debsecan should be either adjusted (for ubuntu) or removed

Bug #95925 reported by Daniël van Eeden on 2007-03-25
This bug affects 27 people
Affects: debsecan (Ubuntu)
Nominated for Lucid by Paul Tagliamonte
Nominated for Raring by Paul Tagliamonte

Bug Description

Binary package hint: debsecan

$ debsecan --suite=edgy
usage: debsecan OPTIONS...

debsecan: error: option --suite: invalid choice: 'edgy' (choose from 'woody', 'sarge', 'etch', 'sid')

It should have options for edgy, etc.

Daniel T Chen (crimsun) on 2008-09-30
Changed in debsecan:
importance: Undecided → Wishlist
status: New → Confirmed

this description is a small symptom of the large-scale problem with debsecan on ubuntu. the core issue is that ubuntu's debsecan conveys information that is just plain wrong. this is because ubuntu's debsecan gets reference data from debian's security tracker [1], which does not track ubuntu issues. hence any issues in *-ubuntu1 packages, etc. that do not exist in debian's database are not tracked at all. in fact no fixed ubuntu package has ever been tracked.

a robust solution for this problem would be a major undertaking. ubuntu would need to replicate debian's security tracker system and commit to populating the database with up-to-date information. although that may not be necessary if one were to get permission from debian to add and maintain ubuntu-specific security data in their tracker.

anyway, as it stands now, debsecan is lying to its users, which is just plain wrong. in its current state, the package should be removed from ubuntu.


Changed in debsecan:
assignee: nobody → michael-s-gilbert

the severity of this bug should really be set to high.

Changed in debsecan:
assignee: michael-s-gilbert → nobody
Paul Tagliamonte (paultag) wrote :

This bug should be targeted for Lucid. Lucid is an LTS, and it would be a big mistake to ship an app that reports false data about something as serious as security information.

Still no update. debsecan is being considered for removal from the Ubuntu repositories, since it is currently useless unless adapted. Info in bug #498058.

summary: - debsecan should be adjusted for ubuntu
+ debsecan should be either adjusted for ubuntu or removed
tags: added: precise quantal raring
summary: - debsecan should be either adjusted for ubuntu or removed
+ debsecan should be either adjusted (for ubuntu) or removed
Paul Tagliamonte (paultag) wrote :

Someone: Just please RM this :)

Changed in debsecan (Ubuntu):
importance: Wishlist → Medium
Norbert (nrbrtx) wrote :

Guys, I think that it is very important to make debsecan compatible with the Ubuntu ecosystem.

Sometimes I use Gentoo Linux; they have a great tool, glsa-check, which tests installed packages against known vulnerabilities and recommends updating affected packages.

You already have a CVE-tracking page and Ubuntu security notices. The remaining task is to integrate them with debsecan.

Michael Boelen (cisofy) wrote :

While investigating this tool as an addition to Lynis, I discovered this bug thread. Even after years, the output of this tool is confusing and shows false positives for Ubuntu. It actually does more harm than good at this point.

Has someone from the security team already looked at this case?

Sheldon Hearn (sheldonh) wrote :

It's great to aspire to fixing the package. When it's fixed, it can return to the archive. In the meantime, it doesn't belong in the archive. It's useless at best, dangerous at worst.

James Johnston (mail-codenest) wrote :

After getting flagged by Lynis for not having this installed, I looked into this tool to find out more. This absolutely sounds like a useful tool, and it should be modified for Ubuntu, not removed...

Moritz (moritz-naumann) wrote :

Happy tenth birthday to this bug report on a (universe, I admit) package which has never worked in Ubuntu, and which has always provided incorrect information. :-/

~mail-codenest Lynis test PKGS-7366 is already restricted to Debian systems, see Lynis issue 446 (please open another bug report there if there is something else which needs to change).

We are working on a small piece of software to be able to generate debsecan-compatible databases from the information available in the Ubuntu Security Tracker. After this is done, with some minor changes to debsecan, we could solve this issue.

Does this sound like a reasonable idea to you?

We've just finished a tool to build debsecan-suitable databases from the Ubuntu CVE Tracker data.

It is open source under Apache 2.0 and it is available here:

Using GitHub's CI we rebuild the databases every 6 hours so that they contain the latest vulnerability information.

If anybody wants to test the result, you just have to run this command on your current Ubuntu installation:

debsecan --suite $(lsb_release --codename --short) --source

(Note: this is not an official Ubuntu tool)
