packages with known issues are not actually removed on debian/ubuntu #90
We have observed that the functionality to remove the list of packages with known issues has only been implemented for the redhat/fedora family of distributions; the debian family implementation is missing. We have also tested this on Ubuntu 14.04 by installing the xinetd package and then confirming that applying this cookbook does not remove the package, even if
We intend to contribute a pull request to address this, following the guidance at http://hardening.io/docs/coding/contributing/
Please bear with me if my questions are somewhat inane, we are new to contributing changes back (and relatively new to Chef). We have benefited from the work of the hardening.io project though, so it is satisfying to be able to give something back (albeit minor initially, though that is a deliberate choice to get us started).
I've looked through the existing functionality for the redhat/fedora distro family (i.e. the os-hardening::yum recipe).
For the debian distro family, apt-get and aptitude are configured to check package signatures by default. Should we still check that this hasn't been disabled (i.e. check that 'APT::Get::AllowUnauthenticated=true' has not been specified in apt.conf)?
For the actual package removal section, it would seem better/more portable to use the built-in Chef package resource (https://docs.chef.io/resource_package.html) and therefore to move this into the os-hardening::packages recipe. Thoughts? I'll get an initial pull request up shortly for this change.
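The apt.conf check raised above, worked through as an added example in plain Ruby (not Chef DSL and not code from the os-hardening cookbook). Function and constant names are assumptions; the configuration snippets are constructed. It parses both syntaxes apt accepts for the same setting, the one-line `APT::Get::AllowUnauthenticated "true";` form and the nested `APT { Get { AllowUnauthenticated "true"; }; };` form, and reports whether signature checking has been turned off.

```ruby
# Added example: detect APT::Get::AllowUnauthenticated being enabled in
# apt.conf-style configuration. Not part of the os-hardening cookbook.

APT_UNAUTH_KEY = "APT::Get::AllowUnauthenticated".freeze

# Words apt's StringToBool treats as true (case-insensitive).
APT_TRUE_WORDS = %w[true yes with on enable 1].freeze

# Tokenize apt.conf text. Quoted strings are matched before comment
# markers so a value like "http://proxy:3128" is not cut at the "//".
# Comment tokens (// ..., # ..., /* ... */) are discarded here, which
# also drops #include / #clear directives; that is fine for this check.
def tokenize_apt_conf(text)
  text.scan(%r{"[^"]*"|//[^\n]*|#[^\n]*|/\*.*?\*/|[{};]|[^\s{};"]+}m)
      .reject { |tok| tok.start_with?("//", "#", "/*") }
end

# Parse into a flat hash of fully qualified key => value.
# Nested scopes (Key { Sub "v"; };) are joined with "::" so they land
# under the same key as the one-line Key::Sub "v"; form. A key set more
# than once keeps the last value, matching apt's behaviour.
def parse_apt_conf(text)
  settings = {}
  scope = []      # enclosing scope names, outermost first
  pending = nil   # bare identifier waiting for "{" or a quoted value
  tokenize_apt_conf(text).each do |tok|
    case tok
    when "{"
      scope.push(pending) if pending
      pending = nil
    when "}"
      scope.pop
      pending = nil
    when ";"
      pending = nil
    else
      if tok.start_with?('"')
        value = tok[1..-2]
        settings[(scope + [pending]).join("::")] = value if pending
      else
        pending = tok
      end
    end
  end
  settings
end

# True when the configuration disables signature verification.
def apt_allows_unauthenticated?(text)
  value = parse_apt_conf(text)[APT_UNAUTH_KEY]
  return false if value.nil?
  APT_TRUE_WORDS.include?(value.strip.downcase)
end

# Constructed samples (not taken from any real host).
SAMPLE_FLAT = <<~CONF
  // one-line form; the proxy URL must survive comment stripping
  Acquire::http::Proxy "http://proxy.example:3128";
  APT::Get::AllowUnauthenticated "true";
CONF

SAMPLE_NESTED = <<~CONF
  # nested scope form of the same setting
  APT {
    Get {
      AllowUnauthenticated "yes";
    };
  };
CONF

SAMPLE_CLEAN = <<~CONF
  APT::Install-Recommends "false";
  APT::Get::AllowUnauthenticated "false";
CONF

if __FILE__ == $PROGRAM_NAME
  { flat: SAMPLE_FLAT, nested: SAMPLE_NESTED, clean: SAMPLE_CLEAN }.each do |name, conf|
    state = apt_allows_unauthenticated?(conf) ? "UNAUTHENTICATED PACKAGES ALLOWED" : "ok"
    puts "#{name}: #{state}"
  end
end
```

On a live system the effective, merged configuration (apt.conf plus apt.conf.d/*) is what matters, so a recipe could feed the output of `apt-config dump` to a check like this, or simply grep that output for the key, rather than parsing each file separately.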