
Re: source packages linux-latest, linux-signed-amd64 in security tracker



Hi,

On Mon, Jan 17, 2022 at 12:49:55PM +0100, findmyname@tutanota.com wrote:
> 
> Hello all,
> 
> I started to use https://security-tracker.debian.org/tracker/ and
> endpoint for JSON especially.
> Recently I bumped into a weird issue. I noticed that all new binary
> packages for linux-image-amd64
> <https://packages.debian.org/buster-backports/linux-image-amd64> are
> either from linux-signed-amd64 or linux-latest source packages based
> on the OS release. The issue is that security tracker doesn't
> display any security vulnerability for those two,
> see linux-signed-amd64
> <https://security-tracker.debian.org/tracker/source-package/linux-signed-amd64>,
> linux-latest
> <https://security-tracker.debian.org/tracker/source-package/linux-latest>.
> It seems like all security issues are tracked for source package
> linux
> <https://security-tracker.debian.org/tracker/source-package/linux> only.
> 
> My script uses:
> 1) JSON endpoint to detect new CVE vulnerabilities/updates.
> 2) If it detects new update it resolves source package to binary
> one. However CVEs/updates are tracked only for linux source package.
> Linux source package isn't referenced to new binary packages for
> linux kernel. For that reason I cannot link these ...
> 
> Please let me know if it is intentional that security issues aren't
> tracked for linux-signed-amd64 or linux-latest source packages. If
> so is there possibility how I can interconnect linux source package
> with these two or with binary package? for example with this one
> <https://packages.debian.org/buster/linux-image-amd64>.
> Thanks a lot for keeping CVE data up to date!

Yes this is intentional. The perspective for the security tracker is
for tracking vulnerabilities in the source packages. The source for
the Linux kernel is contained in src:linux, while the binary packages
built from linux-signed-{i386,amd64,arm64} contain the signed image
and modules as to be used for Secure Boot. Samewise is the argument
for src:linux-latest.

Regards,
Salvatore
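
Added example, not part of the original thread and not code from the security tracker: one way a script could link the linux-image-amd64 metapackage back to the source package the tracker reports on. It assumes the signed image package names the kernel source in a Built-Using field and that the tracker JSON is keyed by source package name; the stanzas, versions and CVE id below are constructed placeholders.

```python
import re

# Constructed Packages-index stanzas (versions are placeholders, not real ones).
PACKAGES = """\
Package: linux-image-amd64
Source: linux-latest (0+example)
Version: 1.0+example
Depends: linux-image-1.0-example-amd64 (= 1.0-1)

Package: linux-image-1.0-example-amd64
Source: linux-signed-amd64 (1.0+1)
Version: 1.0-1
Built-Using: linux (= 1.0-1)
"""

# Constructed fragment in the assumed shape of the tracker JSON:
# source package -> CVE id -> per-release data. The CVE id is a placeholder.
TRACKER = {"linux": {"CVE-0000-0000": {"releases": {"buster": {"status": "open"}}}}}

def parse_stanzas(text):
    """Return {package: {field: value}} from deb822-style stanzas."""
    index = {}
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines()
                      if ": " in line and not line.startswith(" "))
        index[fields["Package"]] = fields
    return index

def names(value):
    """Package names from a relationship field, version constraints dropped."""
    return [re.split(r"[\s(|]", item.strip(), maxsplit=1)[0]
            for item in value.split(",") if item.strip()]

def tracked_sources(binary, index, tracker, seen=None):
    """Follow Source, Built-Using and Depends to sources the tracker lists."""
    seen = set() if seen is None else seen
    if binary in seen or binary not in index:
        return set()
    seen.add(binary)
    stanza = index[binary]
    # A binary without a Source field is built from the source of the same name.
    candidates = names(stanza.get("Source", binary)) + names(stanza.get("Built-Using", ""))
    found = {src for src in candidates if src in tracker}
    for dep in names(stanza.get("Depends", "")):
        found |= tracked_sources(dep, index, tracker, seen)
    return found

if __name__ == "__main__":
    print(tracked_sources("linux-image-amd64", parse_stanzas(PACKAGES), TRACKER))
```

Following Depends on a real index also returns the sources of ordinary dependencies, so a script interested only in the kernel would stop at the first stanza that carries Built-Using.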

