On Mon, Jun 28, 2004 at 02:45:21PM +0100, Steve Kemp wrote:
>
> Getting the information from source packages would be almost trivial,
> although I suspect you'd have a lot of false positives. The only issue
> is having a fast mirror, or all the source handy.
Well, I have a full mirror at home and (currently) over 30Gb of free space.
The partition for the Debian mirror is starting to fill up, however.
> > That is, unless there is a mechanism that I could use to automatically
> > track new packages that enter the archive. That would take away the need
> > for a complete mirror and I could just delete the processed packages.
>
> You could scan the section from the end of the DWN perhaps? That
> always has a section with new and noteworthy packages in it. Failing
DWN only includes some packages and it wouldn't provide information on
updates.
> that you could look at the NEW queue on master if you're a Debian
> developer.
Maybe checking out the current buildd system (or lintian) would be a way to
start this. Keeping track of which package has been analysed is just a
matter of keeping track of them somewhere (a file?) when some action is
taken and then comparing them afterwards to see if there are newer
packages.
> > That would be nice indeed. Some of the bugs I've come across could have
> > been found easily with an automated vulnerability scanner. Especially
> > stuff like passing user-controllable format strings to syslog() just
> > shouldn't happen any more..
>
> I've already started work on something very similar, I'll post a
> URL tomorrow or so. I have a system which downloads and unpacks
> a given package then runs a recursive scan on it.
That's great.
>
> It would be used for a general audit - if I had the space to hold
> all the source packages...
I already have the source packages, and we could have this run in one of
the Debian mirrors, even.
> I set aside a couple of hundred pounds for a non-x86 machine a while
> back - and still haven't been able to find a cheap working one, so
> it's almost certain I'll buy a pair of big drives with the cash
> instead. Not as sexy but at least it would be useful.
I have a couple of cheap drives currently holding personal mirrors
(Debian, OpenBSD, Adamantix, Owl, Knoppix...) and there's plenty of space
to run scripts to analyse the sources there.
> > I'd volunteer to write the extraction scripts.
>
> I'll post my code soon, any comments or suggestions would be
> appreciated.
>
Great. I can commit to running my local mirror through it and tell you if
it works.
> The hardest part is getting a buildable source - many packages include
> the source in tarballs (eg. Apache) so "apt-get source foo" isn't
> sufficient to download the source and scan it..
Yes, that's one drawback: packages using dbs need to be run in order to
apply all the patches. Maybe running 'debian/rules setup' would do for
those, but some others (including apache) which implement their own
mechanism might not even use dbs (but a home-grown mechanism).
Regards,
Javier
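Two pieces of the scanner sketched in this thread, as an added example that is not code from either correspondent: tracking which source versions are still unanalysed by diffing a Sources index against a state set, and a line-level heuristic for the syslog() format-string pattern mentioned above. The Sources stanzas, the state set and the C lines are constructed sample data.

```python
import re

# Constructed sample of a Debian "Sources" index (two stanzas) and a set of
# (package, version) pairs already scanned, standing in for the state file
# Javier mentions. Both are assumptions for this example, not archive data.
SOURCES_INDEX = """\
Package: foo
Version: 1.2-3
Binary: foo

Package: bar
Version: 0.9-1
Binary: bar, libbar0
"""
ALREADY_SCANNED = {("foo", "1.2-2"), ("bar", "0.9-1")}


def parse_sources(text):
    """Yield (package, version) from RFC822-style Sources stanzas."""
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1)
                      for line in stanza.splitlines() if ": " in line)
        if "Package" in fields and "Version" in fields:
            yield fields["Package"], fields["Version"]


def pending_packages(index_text, scanned):
    """Source versions present in the index but not yet analysed.

    A new upstream or Debian revision shows up as a new (package, version)
    pair, so updates are caught as well as brand-new packages."""
    return sorted(set(parse_sources(index_text)) - scanned)


# Heuristic for the bug class named in the thread: syslog() whose format
# argument is not a string literal. It flags lines for a human to review;
# it is a grep-style triage aid, not a C parser.
SYSLOG_CALL = re.compile(r'\bsyslog\s*\(\s*[^,]+,\s*([^,)]+)')


def suspicious_syslog_lines(c_source):
    """Return (line number, line) for syslog() calls with a non-literal format."""
    hits = []
    for lineno, line in enumerate(c_source.splitlines(), 1):
        m = SYSLOG_CALL.search(line)
        if m and not m.group(1).strip().startswith('"'):
            hits.append((lineno, line.strip()))
    return hits


# Constructed C fragment: the first call is the safe shape, the second is not.
SAMPLE_C = """\
syslog(LOG_INFO, "user %s logged in", user);
syslog(LOG_ERR, buf);
"""
```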