Re: Reducing the attack surface caused by Berkeley DB...
- Date: Sat, 27 Jan 2018 12:22:59 +0100
- From: Lionel Debroux <lionel_debroux@xxxxxxxx>
- Subject: Re: Reducing the attack surface caused by Berkeley DB...
On 1/27/18 1:42 AM, Guillem Jover wrote:
> On Thu, 2018-01-25 at 23:59:06 +0100, Lionel Debroux wrote:
> > Several days ago, jmm from the security team suggested that I start
> > a discussion on debian-devel about Berkeley DB, which has known
> > security issues, because doing so may enable finding a consensus on
> > how to move away from it in Debian (which is hard). So here's a
> > post :)
> > ---
> > Do you think we should start the journey of getting rid of libdb5.3
> > at a wide scale ? And if so, how to optimize resource usage in
> > general ? :)
> > ---
> As with many things in Debian, this was already discussed some years
> ago. :) The maintainers are supposedly even on board, see the thread
> starting at:
I suppose I should have searched better :)
Looks like although several packages which (used to) depend on libdb5.3
were removed or modified, most weren't... and an updated version of that
list would therefore not learn us much.
Out of curiosity, which tool was used to obtain this list, BTW ? There's
nothing too obvious to me in apt, apt-get, apt-cache or the Tracker Web
In order to sort libdb5.3's reverse dependencies by popularity, I could
whip up a q&d Perl script to query the popcon Web interface in a loop,
or probably better, to parse the raw text in the by_inst page. But isn't
there already a way to do that ? :)
A generic search engine query wasn't helpful.