Web lists-archives.com

Re: Reducing the attack surface caused by Berkeley DB...




On Sat, Jan 27, 2018 at 12:22:59PM +0100, Lionel Debroux wrote:
>...
> On 1/27/18 1:42 AM, Guillem Jover wrote:
> > On Thu, 2018-01-25 at 23:59:06 +0100, Lionel Debroux wrote:
> > > Several days ago, jmm from the security team suggested that I start
> > > a discussion on debian-devel about Berkeley DB, which has known
> > > security issues, because doing so may enable finding a consensus on
> > > how to move away from it in Debian (which is hard). So here's a
> > > post :)
> >
> > > ---
> > > Do you think we should start the journey of getting rid of libdb5.3
> > > at a wide scale ? And if so, how to optimize resource usage in
> > > general ? :)
> > > ---
> >
> > As with many things in Debian, this was already discussed some years
> > ago. :) The maintainers are supposedly even on board, see the thread
> > starting at:
> >
> >   <https://lists.debian.org/debian-devel/2014/06/msg00328.html>
> I suppose I should have searched better :)
> 
> Looks like although several packages which (used to) depend on libdb5.3
> were removed or modified, most weren't... and an updated version of that
> list would therefore not learn us much.
> Out of curiosity, which tool was used to obtain this list, BTW ? There's
> nothing too obvious to me in apt, apt-get, apt-cache or the Tracker Web
> interface.

I don't know what was used, perhaps something like
  sudo apt-get install devscripts ubuntu-dev-tools
  reverse-depends -l -s src:db5.3 | dd-list -i

> In order to sort libdb5.3's reverse dependencies by popularity,
>...

I'm not convinced that would bring much value,
someone would still have to check all packages
for finding all interesting and hard cases.

> Thanks,
> Lionel.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed