Re: Software Management call for RFEs

On 06/02/2013 02:43 PM, enclair wrote:
> I'd like a tool similar to portaudit in FreeBSD or debsecan in Debian.
> This tool should list all packages which have a security issue.

I don't know about portaudit, but debsecan works completely out of the usual software management stack. Part of the reason for that is that you even get reports if you haven't configured the security archive properly (so that the package manager won't notice that there are updates available). The real work is in the backend and the data collection; debsecan is a short Python script which just runs a few version comparisons. In Debian's case, this isn't fully integrated with the repository management, either, which is mostly due to historical accident and not deliberate design.

But the key point is that this is not a question of software. It's all about the data that describes vulnerabilities and fixed packages, and this is currently not available for Fedora in consistent, machine-readable form.

--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel




