Suggestion for Linux Distro (from PSA: Linux vulnerability)

Peter J. Holzer hjp-python at hjp.at
Sat Apr 16 04:14:05 EDT 2022


On 2022-04-14 19:31:58 +0200, Marco Sulla wrote:
> On Wed, 13 Apr 2022 at 20:05, Peter J. Holzer <hjp-python at hjp.at> wrote:
> >
> > On 2022-04-12 21:03:00 +0200, Marco Sulla wrote:
> > > On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python at hjp.at> wrote:
> > > > They are about a year apart, so they will usually contain
> > > > different versions of most packages right from the start. So the
> > > > Ubuntu and Debian security teams probably can't benefit much
> > > > from each other.
> > >
> > > Well, this is what my updater on Lubuntu says to me today:
[...]
> > >     - debian/patches/CVE-2018-16301.patch: Add check of
[...]
> > >     - debian/patches/CVE-2020-8037.patch: Add a limit to the
[...]
> > > I use an LTS version. So it seems that Ubuntu benefits from Debian
> > > security patches.
> >
> > Why do you think so? Because the release notes mention
> > debian/patches/*.patch?
> 
> Of course.
> 
> > This may be an artefact of the build process. The build tools for .deb
> > packages expect all kinds of meta-data to live in a subdirectory called
> > "debian", even on non-debian systems. This includes patches, at least if
> > the maintainer is using quilt (which AFAIK is currently the recommended
> > tool for that purpose).
> 
> And why does the security update package contain metadata about Debian
> patches,

It doesn't (or at least you can't conclude that from the evidence you
posted).

There is a subdirectory called "debian" in the build directory of every
.deb package. This is true on Debian, Ubuntu and every other
distribution which uses the .deb package format. This directory is
required by the build tools and it contains all the data (e.g. build
instructions, dependencies, patches, description, extra documentation)
which was added by the packager. The name of the directory does not
imply that any of the files there was created by Debian. I have built
quite a few packages myself and I'm not a member of the Debian team.

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp at hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
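
Added example, not part of the original message: since the directory name says nothing about who wrote a patch, one way to check is to read the patch's own header. This sketch assumes the patch carries DEP-3 style header fields (Origin, Author, Bug-<Vendor>), which the thread does not mention; the sample patch and every name and URL in it are constructed placeholders.

```python
import re

# Constructed sample: a quilt patch as it might sit in debian/patches/ of a
# source package. URLs and names are placeholders, not real data.
SAMPLE_PATCH = """\
Description: Add bounds check before copying the record
 Longer explanation continues on an indented line.
Origin: backport, https://example.org/upstream/commit/PLACEHOLDER
Bug-Ubuntu: https://example.org/bugs/PLACEHOLDER
Author: Example Packager <packager@example.org>
Last-Update: 2022-04-01
---
--- a/src/parse.c
+++ b/src/parse.c
@@ -1,3 +1,4 @@
 int parse(void) {
+    /* check */
     return 0;
 }
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

def parse_dep3(patch_text):
    """Return the header fields of a patch as a dict (keys lowercased)."""
    fields, last = {}, None
    for line in patch_text.splitlines():
        # The header ends at the '---' separator or where the diff begins.
        if line.startswith(("---", "diff ", "Index: ")):
            break
        m = FIELD.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2)
        elif line.startswith(" ") and last:
            fields[last] += "\n" + line.strip()   # continuation line
    return fields

def provenance(patch_text):
    """Summarise who a patch claims to come from, based on its own header."""
    f = parse_dep3(patch_text)
    origin = f.get("origin", "")
    kind = origin.split(",", 1)[0].strip() or "unstated"
    vendors = sorted(k[4:] for k in f if k.startswith("bug-"))
    return {"origin_kind": kind, "author": f.get("author") or f.get("from"),
            "vendor_bug_fields": vendors}
```

A patch with no header at all reports `origin_kind` as `unstated`, which is the case where neither the path nor the file says who wrote it.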