Software Management call for RFEs

Florian Weimer fweimer at redhat.com
Mon Jun 3 07:58:26 UTC 2013


On 06/02/2013 02:43 PM, enclair wrote:
> I'd like a tool similar to portaudit in FreeBSD or debscan in Debian.
> This tool should list all packages which have a security issue.

I don't know about portaudit, but debsecan works completely out of the 
usual software management stack.  Part of the reason for that is that 
you even get reports if you haven't configured the security archive 
properly (so that the package manager won't notice that there are 
updates available).  The real work is in the backend and the data 
collection; debsecan is a short Python script which just runs a few 
version comparisons.  In Debian's case, this isn't fully integrated with 
the repository management, either, which is mostly due to historical 
accident and not deliberate design.

But the key point is that this is not a question of software.  It's all 
about the data that describes vulnerabilities and fixed packages, and 
this is currently not available for Fedora in consistent, 
machine-readable form.

-- 
Florian Weimer / Red Hat Product Security Team
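
As an added illustration of the "few version comparisons" the reply describes (example code written for this page, not the post's own code and not debsecan's source): a Python sketch implementing dpkg's version ordering, including epochs and the `~` pre-release marker, and checking a constructed installed-package list against a constructed feed of fixed versions. The advisory ids and package versions are placeholders, and `scan()` stands in for the data lookup that the reply says is the real work.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg's ordering for one non-digit character: '~' sorts before everything,
    # end of string (passed here as "") counts as 0, letters before other symbols.
    if c == "~":
        return -1
    return 0 if not c else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream_version or debian_revision the way dpkg does: consume
    # alternating non-digit runs (lexical via _order) and digit runs (numeric).
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def parse_version(v):
    # [epoch:]upstream_version[-debian_revision]; the revision follows the last '-'.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1 with the semantics of dpkg --compare-versions.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Constructed sample data: advisory ids and versions are placeholders, not real records.
VULN_DATA = {"openssl": [("ADVISORY-0001", "1.0.1e-3")], "bash": [("ADVISORY-0002", "4.2+dfsg-0.1")],
             "libpng": [("ADVISORY-0003", "1:1.2.49-2")]}  # package -> [(advisory, first fixed version)]
INSTALLED = {"openssl": "1.0.1e-2", "bash": "4.2+dfsg-0.1",
             "libpng": "1.2.50-1", "curl": "7.26.0-1"}

def scan(installed, vuln_data):
    # Report every installed package whose version sorts below the fixed version.
    return [(pkg, ver, adv, fixed) for pkg, ver in installed.items()
            for adv, fixed in vuln_data.get(pkg, []) if compare_versions(ver, fixed) < 0]
```

With the sample data, `scan(INSTALLED, VULN_DATA)` flags openssl (older revision) and libpng (the fix carries epoch 1, so a higher-looking upstream version is still below it), while bash at exactly the fixed version and curl with no feed entry are not reported.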

