Page MenuHomeVyOS Platform

Remove /etc/debian_version from the image
Closed, ResolvedPublic

Description

The /etc/debian_version file contains the Debian release version number. Since VyOS uses image-based upgrade, that file serves no useful purpose for us.

However, security scanners love to jump to conclusions and declare an "old Debian version" vulnerable without checking if there may not be any packages from that version at all. Removing that file is an easy way to get fewer false positives.

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Internal change (not visible to end users)

Event Timeline

Please revert that commit (remove that hook) and use the excludes-file instead.

https://github.com/vyos/vyos-build/blob/current/data/live-build-config/rootfs/excludes

For example by adding the following to the bottom of the above file:

# T5624: Remove the Debian version file to avoid false positives from security scanners.
etc/debian_version
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.5) board.
syncer added a project: Restricted Project.
syncer edited projects, added VyOS 1.4 Sagitta; removed Restricted Project.