Re: Reducing the attack surface caused by Berkeley DB...
- Date: Sat, 27 Jan 2018 14:50:07 +0200
- From: Adrian Bunk <bunk@xxxxxxxxxx>
- Subject: Re: Reducing the attack surface caused by Berkeley DB...
On Sat, Jan 27, 2018 at 12:22:59PM +0100, Lionel Debroux wrote:
> On 1/27/18 1:42 AM, Guillem Jover wrote:
> > On Thu, 2018-01-25 at 23:59:06 +0100, Lionel Debroux wrote:
> > > Several days ago, jmm from the security team suggested that I start
> > > a discussion on debian-devel about Berkeley DB, which has known
> > > security issues, because doing so may enable finding a consensus on
> > > how to move away from it in Debian (which is hard). So here's a
> > > post :)
> > > ---
> > > Do you think we should start the journey of getting rid of libdb5.3
> > > at a wide scale ? And if so, how to optimize resource usage in
> > > general ? :)
> > > ---
> > As with many things in Debian, this was already discussed some years
> > ago. :) The maintainers are supposedly even on board, see the thread
> > starting at:
> > <https://lists.debian.org/debian-devel/2014/06/msg00328.html>
> I suppose I should have searched better :)
> Looks like although several packages which (used to) depend on libdb5.3
> were removed or modified, most weren't... and an updated version of that
> list would therefore not learn us much.
> Out of curiosity, which tool was used to obtain this list, BTW ? There's
> nothing too obvious to me in apt, apt-get, apt-cache or the Tracker Web
I don't know what was used, perhaps something like
sudo apt-get install devscripts ubuntu-dev-tools
reverse-depends -l -s src:db5.3 | dd-list -i
> In order to sort libdb5.3's reverse dependencies by popularity,
I'm not convinced that would bring much value,
someone would still have to check all packages
for finding all interesting and hard cases.
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed