1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
PYTHON = python
PYTHON_MODULES = $(wildcard lib/python/*.py)
# The following variables need to be kept up-to-date and can be adjusted
# currently unsupported releases can be commented out
OLDOLDSTABLE = wheezy
OLDSTABLE = jessie
STABLE = stretch
TESTING = buster
MIRROR = http://debian.csail.mit.edu/debian
SECURITY_MIRROR = http://security.debian.org/debian-security
wheezy_ARCHS = amd64 armel armhf i386
jessie_ARCHS = amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x
stretch_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
buster_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
sid_ARCHS = amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-i386 kfreebsd-amd64 mips mips64el mipsel powerpc ppc64el s390x
# The rest of the file should not need to be edited
# Include the definitions of the releases to be fetched
include lib/*-releases.mk
# There's a "RELEASES" variable defining the name of all releases to
# process. Then for each release, there are 5 associated variables:
# <name>_MIRROR: the base URL of the mirror hosting the repository
# <name>_DIST: the sub-directory in $MIRROR/dists so that
# $MIRROR/dists/$DIST/Release is a valid URL
# <name>_ARCHS: the list of architectures supported in this release
# <name>_RELEASE: the release name for the security tracker
# <name>_SUBRELEASE: the sub-release identifier for the security tracker
all:
$(PYTHON) bin/update-db data/security.db
clean:
-rm -f data/security.db lib/python/test_security.db
-rm -f stamps/*-*
.PHONY: check check-syntax
test check: check-syntax
check-syntax: stamps/CVE-syntax \
stamps/DSA-syntax stamps/DTSA-syntax stamps/DLA-syntax
stamps/CVE-syntax: data/CVE/list bin/check-syntax $(PYTHON_MODULES)
$(PYTHON) bin/check-syntax CVE data/CVE/list
touch $@
stamps/DSA-syntax: data/DSA/list bin/check-syntax $(PYTHON_MODULES)
$(PYTHON) bin/check-syntax DSA data/DSA/list
touch $@
stamps/DTSA-syntax: data/DTSA/list bin/check-syntax $(PYTHON_MODULES)
$(PYTHON) bin/check-syntax DTSA data/DTSA/list
touch $@
stamps/DLA-syntax: data/DLA/list bin/check-syntax $(PYTHON_MODULES)
$(PYTHON) bin/check-syntax DLA data/DLA/list
touch $@
.PHONY: serve
serve:
@bash bin/test-web-server
.PHONY: update-packages
update-packages: $(foreach release,$(RELEASES),update-$(release))
# This rule is a bit complicated as we need to escape $ for the shell twice,
# once for the eval and once for the usual make processing
define add_update_rule =
.PHONY: update-$(1)
update-$(1):
set -e; \
prefix="$$($(1)_RELEASE)_$$($(1)_SUBRELEASE)"; \
dist="$$($(1)_DIST)"; \
mirror="$$($(1)_MIRROR)"; \
for section in main contrib non-free ; do \
$$(PYTHON) bin/apt-update-file \
$$$$mirror/dists/$$$$dist/$$$$section/source/Sources \
data/packages/$$$${prefix}_$$$${section}_Sources ; \
for arch in $$($(1)_ARCHS) ; do \
$$(PYTHON) bin/apt-update-file \
$$$$mirror/dists/$$$$dist/$$$$section/binary-$$$$arch/Packages \
data/packages/$$$${prefix}_$$$${section}_$$$${arch}_Packages ; \
done; \
done
endef
$(foreach release,$(RELEASES),$(eval $(call add_update_rule,$(release))))
# Define some common aliases
.PHONY: update-unstable update-testing update-stable update-oldstable update-oldoldstable
.PHONY: update-testing-security update-stable-security update-oldstable-security update-oldoldstable-security
.PHONY: update-main update-security update-backports
update-unstable: update-sid
update-testing: update-$(TESTING)
update-testing-security: update-$(TESTING)_security
update-stable: update-$(STABLE)
update-stable-security: update-$(STABLE)_security
update-oldstable: update-$(OLDSTABLE)
update-oldstable-security: update-$(OLDSTABLE)_security
ifeq ($(OLDOLDSTABLE),)
update-oldoldstable:
update-oldoldstable-security:
else
update-oldoldstable: update-$(OLDOLDSTABLE)
update-oldoldstable-security: update-$(OLDOLDSTABLE)_security
endif
update-main: $(foreach release,$(MAIN_RELEASES),update-$(release))
update-security: $(foreach release,$(SECURITY_RELEASES),update-$(release)_security)
update-backports: $(foreach release,$(BACKPORT_RELEASES),update-$(release)_backports)
supported-update-targets:
@echo -n "unstable testing stable oldstable oldoldstable "
@echo -n "testing-security stable-security oldstable-security oldoldstable-security "
@echo -n "main security backports "
@echo -n "$(RELEASES) "
@echo -n "lists nvd"
# Other custom update rules
update-lists:
git fetch -q origin && git checkout -f origin/master -- data
# Since October 16, 2015 the XML data feeds are no longer available for
# download in an uncompressed format.
update-nvd:
mkdir -p data/nvd
for x in $$(seq 2002 $$(date +%Y)) ; do \
name=nvdcve-$$x.xml.gz; \
wget -q -Odata/nvd/$$name https://nvd.nist.gov/download/$$name || true; \
gzip -f -d data/nvd/$$name || true; \
done
python bin/update-nvd data/nvd/nvdcve-*.xml
# Experimental code to compare the Debian and NVD CVE databases using
# CPE values as common key.
update-compare-nvd:
mkdir -p data/nvd2
for x in $$(seq 2002 $$(date +%Y)) ; do \
name=nvdcve-2.0-$$x.xml.gz; \
wget -q -Odata/nvd2/$$name https://static.nvd.nist.gov/feeds/xml/cve/$$name || true ; \
gzip -f -d data/nvd2/$$name || true; \
done
bin/compare-nvd-cve 2> compare-nvd-cve.log
update-all: update-nvd update-lists update-packages all
|