On Fri, May 1, 2020 at 7:12 PM Rebecca N. Palmer wrote:

> Around 200 packages [0] include upstream scripts that download code via
> (non-secure) http, then run it without an integrity check.

A lot of these appear to be in documentation, dependency installation scripts (such as in docker) or continuous integration scripts.

> How should this be dealt with?

Review each one manually. Report security issues for things that end up in a .deb to upstream security contacts along with CVEs for each issue that warrants the fixes. The upstream security reports should probably get a Debian report too, as many upstreams will be un(der)maintained. For CI, Dockerfiles and documentation issues, probably just an upstream pull request.

> - (imperfect) Lintian check based on [0]?

Probably better added to per-language static analysis tools like ShellCheck etc. I don't think lintian is the place to do static analysis; that should be done by upstream developers either on their dev machines or in their CI, and possibly by distro packagers when analysing new upstream releases. check-all-the-things aims to make it easy and useful for devs/packagers to run all the available tools.

https://github.com/collab-qa/check-all-the-things/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
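The "(imperfect) check based on [0]" Rebecca raises and the static-analysis route Paul prefers both amount to scanning scripts for the pattern under discussion: fetch over plain http, then execute with no checksum or signature step in between. The following checker is an added illustration, not code from this thread, from Lintian or from check-all-the-things; the sample script, its example.invalid URLs and the file names are constructed.

```python
import os
import re
FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*?(http://\S+)")  # download tool + plain-http URL, one command
SAVE_AS = re.compile(r"(?:-o|-O|--output)[ =]\s*(\S+)|>\s*(\S+)")  # explicit output file or redirect
INTERP = r"(?:sudo\s+)?(?:sh|bash|dash|zsh|python[0-9.]*|perl|ruby|node)"
PIPE_EXEC = re.compile(r"\|\s*" + INTERP + r"\b")  # fetched bytes go straight into an interpreter
VERIFY = re.compile(r"\b(?:sha(?:256|512)sum|gpg\s+--verify|gpgv)\b")  # an integrity check: mitigating

def _saved_path(tool, url, line):
    # Where the download lands on disk, or None when curl is writing to stdout.
    m = SAVE_AS.search(line)
    name = (m.group(1) or m.group(2)) if m else None
    if name is None and tool == "curl":
        return None
    if name is None or name.startswith("http"):  # wget default and curl -O: the URL's basename
        return os.path.basename(url.rstrip("/"))
    return name

def _executes(path, line):
    # True if this line runs `path` via an interpreter, `source`/`.`, or directly (./path).
    p = re.escape(path)
    pat = (r"(?:^|[;&|])\s*(?:" + INTERP + r"|source|\.)\s+" + p + r"(?=\s|$|[;&|])"
           r"|(?:^|[;&|])\s*(?:\./)?" + p + r"(?=\s|$|[;&|])")
    return re.search(pat, line) is not None

def find_insecure_fetches(script):
    """Return (line_no, url, reason) for each http:// download that is executed unverified."""
    findings, pending = [], {}  # pending: saved path -> (line_no, url) awaiting execution
    for no, line in enumerate(script.splitlines(), 1):
        if VERIFY.search(line):
            pending.clear()  # deliberately coarse: any checksum/signature step clears the queue
        elif m := FETCH.search(line):
            tool, url = m.group(1), m.group(2).rstrip("\"';")
            if PIPE_EXEC.search(line[m.end():]):
                findings.append((no, url, "piped straight into an interpreter"))
            elif path := _saved_path(tool, url, line):
                pending[path] = (no, url)
        else:
            for path in list(pending):
                if _executes(path, line):
                    dl_no, url = pending.pop(path)
                    findings.append((dl_no, url, f"saved as {path}, run unverified at line {no}"))
    return findings

# Constructed sample script (not from any real package) exercising each case.
SAMPLE = """#!/bin/sh
curl -sSL http://example.invalid/install.sh | sh
wget -q http://example.invalid/run.sh
chmod +x run.sh && ./run.sh
curl -o get-pip.py http://example.invalid/get-pip.py
sha256sum -c get-pip.py.sha256
python3 get-pip.py
curl -sSL https://example.invalid/install.sh | sh
"""
```

Only the first two downloads are reported: the get-pip.py fetch is followed by a checksum step, and the https fetch is outside this check's plain-http scope even though it is still unverified.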