Contents of /bin/checklist

#!/usr/bin/perl
# Must run on a machine with madison.
# 
# To check for un-updated binary kernel packages, also needs grep-dctrl 
# and a Sources file for the distribution. Set the location of the Sources
# file in SOURCES_FILE in the environment.
use URI::Escape;
use Getopt::Long;

my $html=0;
my $debug=0;
my $suite="testing";
my $output;
if (! GetOptions(
                "html" => \$html,
                "debug" => \$debug,
                "suite=s" => \$suite,
                "sta=s" => \$sta,
                "output=s", \$output)
    || ! @ARGV) {
        die "usage: $0 [--suite suite] [--sta sta-mirror] [--html] [--output=file] [--debug] list ...\n";
}

my $sta = "http://secure-testing.debian.net/debian-security-updates/dists/testing/security-updates/main/source/Sources.gz";

system("wget -q -O /tmp/Sources.sta.gz $sta");

if (defined $output) {
        open (OUT, ">$output.tmp.$$") || die "output.tmp.$$: $!"; # Set the output to a file
}
else {
        open (OUT, ">&STDOUT"); # Set the output to stdout
}

if ($html) { # It's HTML, so we need a header
        print OUT "<html><title>$suite security issues</title>\n";
        
        # This is being run against something it's not meant to be, so print a warning
        if ($suite ne 'testing' && $suite ne 'unstable') { 
                print OUT <<"EOF";
<p>
<em>Warning:</em> This page is the result of running the testing security
check script against the $suite distribution. As data is only gathered for
the testing distribution, results may be innacurate if a package has
changed its name, if a vulnerability affects $suite and not testing, or if a
vulnerability has been fixed in $suite by the $suite security team.
</p>
EOF
        }
        print OUT "<ul>\n";
}


my %data;
my %advlist;
my %needkernel=qw/2.4.27 0 2.6.11 0/;
my $list_unknown=1; #set to 1 to display kernel images with unknown source version
my $sources=$ENV{SOURCES_FILE};
my $need_rebuild=0;

# Set some colours for the urgency types
my @urgencies=("high", "medium", "low", "unknown");
my %colormap=(
        high => "#FF0000",
        medium => "#FF9999",
        low => "#FFFFFF",
        unknown => "#FFFF00"
);

my $unprop = my $unprop_all = my $unfixed = my $todos = my $fixedsta = 0;

# Add an item into the data array.
sub record {
        my ($package, $condition, $item, $urgency)=@_;
                
        if ($html) {
                $condition=~s{bug #(\d+)}{<a href="http://bugs.debian.org/$1">bug #$1</a>}g;
                $condition=~s{unfixed}{<b>unfixed</b>}g;
                $item=~s#((?:CAN|CVE)-\d+-\d+)#<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>#g;
        }

        push @{$data{$package}{$condition}}, {item => $item, urgency => $urgency};
}

foreach my $list (@ARGV) {
        # Each of the @ARGVs we've got passed need parsing. So lets do that
        
        # If it's a directory, set the file to list, cause we need that.
        if (-d $list) {
                $list="$list/list";
        }
        
        open (IN, $list) || die "open $list: $!";
        while (<IN>) {
                print STDERR "line: $_" if $debug;
                chomp;
                if (/\s+TODO/) { # It's a todo item. Add it to the count, and ignore it
                        $todos++;
                }
                elsif (/^\[/) { # Checking adv. number for a line starting with [ : Set $id to it
                        ($id)=m/((?:DSA|DTSA|CAN|CVE)-[^\s]+) /;
                }
                elsif (/^((?:DSA|DTSA|CAN|CVE)-[^\s]+)/) { # Check for a line with an advisory at the start : Set $id to it
                        $id=$1;
                }
                elsif (/^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) { # Deal with the rest of the lines
                        my $package=$1; # We know which package it is.
                        my $rest=$2; 
                        my $version;
                        my $notes;
                        if ($rest=~/([^\(\s]+)\s+\((.*)\)/) {
                                $version=$1;
                                $notes=$2;
                        }
                        elsif ($rest=~/\((.*)\)/) {
                                $version="";
                                $notes=$1;
                        }
                        else {
                                $version=$rest;
                                $notes="";
                        }

                        # by now, we also have the version that's affected by the security problem.
                        # This is stored in $version
                
                        my @notes=split(/\s*;\s+/, $notes);

                        # Fetch the urgency, if we can.
                        my $urgency="unknown";
                        foreach my $u (@urgencies) {
                                if (grep { $_ eq $u } @notes) {
                                        $urgency=$u;
                                        @notes = grep { $_ ne $u } @notes;
                                        last;
                                }
                        }
                
                        # It's a kernel. Add it to the list of kernels that need to be looked at.
                        if ($package=~/kernel-source-([0-9.]+)/) {
                                my $kernversion=$1;
                                if (exists $needkernel{$kernversion} &&
                                    length $version &&
                                    system("dpkg --compare-versions $needkernel{$kernversion} lt $version") != 0) {
                                        $needkernel{$kernversion}=$version;
                                }
                        }

                        # Fire up madison.
                        my @maddy;
                        for (1..5) {
                                @maddy=`madison -s '$suite' '$package'`;
                                if ($? & 127 || ($? >> 8 != 0 && $? >> 8 != 1)) {
                                        # good old unrelaible newraff,
                                        # home of our archive..
                                        next;
                                }
                                last;
                        }
                        if ($? & 127) {
                                record($package, "<em>[madison segfaulted 5 times in a row.. Medic!]</em>", $id);
                        }
                        elsif ($? >> 8 != 0 && $? >> 8 != 1) {
                                record($package, "<em>[madison exited with ".($? >> 8)."]</em>", $id);
                        }
                        if (! @maddy) {
                                next;
                        }
                        
                        if (grep { $_ eq 'unfixed' || $_ eq 'pending' } @notes) {
                                record($package, '('.join("; ", @notes).')', $id, $urgency);
                                $unfixed++;
                                # It's not been fixed!
                        }
                        else {
                                foreach my $maddy (@maddy) {
                                        my @fields = split(/\s*\|\s*/, $maddy);
                                        my $havver=$fields[1]; # It's this version in the archive I'm checking.
                                        my $arches=$fields[3];
                                        $version=~s/\s+//; # strip whitespace
                                        $arches=~s/\s+$//;
                                        my $starchive = "";
                                        
                                        # Is the version in the archive greater than the version that's vulnerable?
                                        my $cmp=system("dpkg --compare-versions '$havver' '>=' '$version'"); 
                                        if ($cmp != 0){ # No, so the archive is vulnerable.
                                        
                                                # Does the version exist in the secure-testing archive?
                                                my $staversion = `zcat /tmp/Sources.sta.gz |grep-dctrl -F Package -e ^$package\$ -s Version -`;
                                                chomp $staversion;
                                                $staversion=~s/Version: //;
                                                $staversion=~s/\s+//;
                                                if (length ($staversion)) {
                                                        # Yes, but what version is in s-t?
                                                        my $stacmp = system("dpkg --compare-versions '$staversion' '>=' '$version'");
                                                        if ($stacmp == 0){
                                                                # Well, the version in the s-t archive fixes the issue
                                                                # but it's still vulnerable in the main archive
                                                                $starchive = " (fixed in $staversion in the secure-testing archive)";
                                                                $fixedsta++;
                                                        }
                                                }
                                                
                                                if ($html && $suite eq 'testing') {
                                                        $havver='<a href="http://bjorn.haxx.se/debian/testing.pl?package='.uri_escape($package).'">'.$havver.'</a>';
                                                }
                                                record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : "").$starchive, $id, $urgency);
                                                $unprop++;
                                                $unprop_all++ unless @maddy > 1;
                                        }
                                }
                        }
                }
        }
}


foreach my $package (sort keys %data) {
        foreach my $condition (sort keys %{$data{$package}}) {
                print OUT "<li>" if $html;
                print OUT "$package $condition for ";
                my $items=0;
                foreach my $i (sort @{$data{$package}{$condition}}) {
                        print OUT ", " if $items > 0;
                        
                        if ($html) {
                                my $color=$colormap{$i->{urgency}};
                                print OUT "<span style=\"background:$color\">";
                        }
                        print OUT $i->{item};
                        if ($html) {
                                print OUT "</span>";
                        }
                        
                        $items++;
                }
                print OUT "\n";
        }
}

foreach my $version (sort keys %needkernel) {
        my %images;
        
        if ($needkern{$version} eq "0") {
                next;
        }

        my @dctrl;
        if (defined $sources && length $sources) {
                my $cat=($sources=~/\.gz/) ? "zcat" : "cat";
                @dctrl=`$cat $sources | grep-dctrl -F Binary kernel-image-$version -s Package,Build-Depends -`;
        }

        my $package="";
        my $haveversion;
        
        foreach my $line (@dctrl) {
                chomp;
                if ($line=~/Package:\s*(\S+)/) {
                        $package=$1;
                        $haveversion="0";
                } elsif ($line=~/Build-Depends/) {
                        if ($line=~/kernel-tree-$version-([^,\s]+)/) {
                                $haveversion="$version-$1";
                        } elsif ($line=~/kernel-source-$version\s+\(>?=\s*([^\s\)]+)\)/) {
                                $haveversion="$1";
                        }
                } else {
                        if ($package=~/linux-kernel-di/ || $package eq "") {
                                next;
                        }
                        $images{$package}=$haveversion;
                        $package="";
                }
        }

        foreach $package (sort keys %images) {
                if ($images{$package} eq "0") {
                        print OUT "<li>" if ($html && $list_unknown);
                        print OUT "$package built from kernel-source-$version $needkernel{$version} needed, current version unknown\n" if $list_unknown;
                } elsif (!system("dpkg --compare-versions $needkernel{$version} gt $images{$package}")) {
                print OUT "<li>" if $html;
                        print OUT "$package built from kernel-source-$version $needkernel{$version} needed, have $images{$package}\n";
                        $need_rebuild++;
                }
        }


}


if ($html) {
        print OUT "</ul>\n";
        print OUT "<hr>\n";
        print OUT "Key: ";
        foreach $keyline (@urgencies) {
                print OUT "<span style=\"border: 1px dashed; background:".$colormap{$keyline}."\">&nbsp;$keyline&nbsp;</span> ";
        }
        print OUT "<br>";
        print OUT "Total holes unfixed: $unfixed<br>\n";
        print OUT "Total holes fixed in unstable but not $suite: $unprop_all ($fixedsta fixed in secure-testing archive)";
        if ($unprop_all != $unprop) {
                print OUT " (+".($unprop - $unprop_all)." on some arches)";
        }
        print OUT "<br>\n";
        print OUT "Total number of kernel image packages not up to date: $need_rebuild<br>\n";
        print OUT "Number of TODO lines in <a href=\"http://svn.debian.org/wsvn/secure-testing/data/?rev=0&sc=0\">records</a>: $todos<br>\n";
        print OUT "Maintained by the <a href=\"http://secure-testing.debian.net/\">testing security team</a><br>\n";
        print OUT "Last update: ".`date`."<br>\n";
        print OUT "</html>\n";
}

close OUT;
if (defined $output) {
        rename("$output.tmp.$$", $output) || die "rename: $!";
}
1	joeyh	2	#!/usr/bin/perl
2			# Must run on a machine with madison.
3	joeyh	644	#
4			# To check for un-updated binary kernel packages, also needs grep-dctrl
5			# and a Sources file for the distribution. Set the location of the Sources
6			# file in SOURCES_FILE in the environment.
7	joeyh	256	use URI::Escape;
8	joeyh	1278	use Getopt::Long;
9	joeyh	2
10	joeyh	230	my $html=0;
11	joeyh	1280	my $debug=0;
12	joeyh	1281	my $suite="testing";
13	joeyh	1279	my $output;
14			if (! GetOptions(
15			"html" => \$html,
16	joeyh	1280	"debug" => \$debug,
17	joeyh	1279	"suite=s" => \$suite,
18	neilm	1763	"sta=s" => \$sta,
19	joeyh	1279	"output=s", \$output)
20			\|\| ! @ARGV) {
21	neilm	1763	die "usage: $0 [--suite suite] [--sta sta-mirror] [--html] [--output=file] [--debug] list ...\n";
22	joeyh	230	}
23
24	neilm	1763	my $sta = "http://secure-testing.debian.net/debian-security-updates/dists/testing/security-updates/main/source/Sources.gz";
25
26			system("wget -q -O /tmp/Sources.sta.gz $sta");
27
28	joeyh	1279	if (defined $output) {
29	neilm	1763	open (OUT, ">$output.tmp.$$") \|\| die "output.tmp.$$: $!"; # Set the output to a file
30	joeyh	1279	}
31			else {
32	neilm	1763	open (OUT, ">&STDOUT"); # Set the output to stdout
33	joeyh	1279	}
34
35	neilm	1763	if ($html) { # It's HTML, so we need a header
36	joeyh	1279	print OUT "<html><title>$suite security issues</title>\n";
37	neilm	1763
38			# This is being run against something it's not meant to be, so print a warning
39			if ($suite ne 'testing' && $suite ne 'unstable') {
40	joeyh	1279	print OUT <<"EOF";
41			<p>
42			<em>Warning:</em> This page is the result of running the testing security
43			check script against the $suite distribution. As data is only gathered for
44	joeyh	1285	the testing distribution, results may be innacurate if a package has
45	joeyh	1279	changed its name, if a vulnerability affects $suite and not testing, or if a
46			vulnerability has been fixed in $suite by the $suite security team.
47			</p>
48			EOF
49			}
50			print OUT "<ul>\n";
51			}
52
53
54	joeyh	307	my %data;
55	neilm	1763	my %advlist;
56	joeyh	1222	my %needkernel=qw/2.4.27 0 2.6.11 0/;
57	stef-guest	688	my $list_unknown=1; #set to 1 to display kernel images with unknown source version
58	joeyh	644	my $sources=$ENV{SOURCES_FILE};
59			my $need_rebuild=0;
60
61	neilm	1763	# Set some colours for the urgency types
62	joeyh	1243	my @urgencies=("high", "medium", "low", "unknown");
63			my %colormap=(
64			high => "#FF0000",
65			medium => "#FF9999",
66			low => "#FFFFFF",
67	joeyh	1246	unknown => "#FFFF00"
68	joeyh	1243	);
69
70	neilm	1763	my $unprop = my $unprop_all = my $unfixed = my $todos = my $fixedsta = 0;
71	joeyh	307
72	neilm	1763	# Add an item into the data array.
73	joeyh	307	sub record {
74	joeyh	1242	my ($package, $condition, $item, $urgency)=@_;
75	joeyh	307
76	joeyh	231	if ($html) {
77	joeyh	307	$condition=~s{bug #(\d+)}{<a href="http://bugs.debian.org/$1">bug #$1</a>}g;
78	joeyh	311	$condition=~s{unfixed}{<b>unfixed</b>}g;
79	joeyh	307	$item=~s#((?:CAN\|CVE)-\d+-\d+)#<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>#g;
80	joeyh	231	}
81	joeyh	307
82	joeyh	1242	push @{$data{$package}{$condition}}, {item => $item, urgency => $urgency};
83	joeyh	230	}
84
85	neilm	1763	foreach my $list (@ARGV) {
86			# Each of the @ARGVs we've got passed need parsing. So lets do that
87
88			# If it's a directory, set the file to list, cause we need that.
89	joeyh	31	if (-d $list) {
90			$list="$list/list";
91	joeyh	2	}
92	joeyh	31
93			open (IN, $list) \|\| die "open $list: $!";
94			while (<IN>) {
95	joeyh	1280	print STDERR "line: $_" if $debug;
96	joeyh	31	chomp;
97	neilm	1763	if (/\s+TODO/) { # It's a todo item. Add it to the count, and ignore it
98			$todos++;
99			}
100			elsif (/^\[/) { # Checking adv. number for a line starting with [ : Set $id to it
101	joeyh	1660	($id)=m/((?:DSA\|DTSA\|CAN\|CVE)-[^\s]+) /;
102	joeyh	2	}
103	neilm	1763	elsif (/^((?:DSA\|DTSA\|CAN\|CVE)-[^\s]+)/) { # Check for a line with an advisory at the start : Set $id to it
104	joeyh	242	$id=$1;
105	joeyh	31	}
106	neilm	1763	elsif (/^\s+[!-]\s+(\S+)\s+(.?)\s$/) { # Deal with the rest of the lines
107			my $package=$1; # We know which package it is.
108			my $rest=$2;
109	joeyh	1242	my $version;
110			my $notes;
111			if ($rest=~/([^\(\s]+)\s+\((.*)\)/) {
112			$version=$1;
113			$notes=$2;
114			}
115			elsif ($rest=~/\((.*)\)/) {
116			$version="";
117			$notes=$1;
118			}
119			else {
120			$version=$rest;
121			$notes="";
122			}
123	neilm	1763
124			# by now, we also have the version that's affected by the security problem.
125			# This is stored in $version
126
127	joeyh	1242	my @notes=split(/\s*;\s+/, $notes);
128
129	neilm	1763	# Fetch the urgency, if we can.
130	joeyh	1242	my $urgency="unknown";
131			foreach my $u (@urgencies) {
132			if (grep { $_ eq $u } @notes) {
133			$urgency=$u;
134			@notes = grep { $_ ne $u } @notes;
135			last;
136			}
137			}
138	neilm	1763
139			# It's a kernel. Add it to the list of kernels that need to be looked at.
140	joeyh	644	if ($package=~/kernel-source-([0-9.]+)/) {
141			my $kernversion=$1;
142	joeyh	1283	if (exists $needkernel{$kernversion} &&
143			length $version &&
144			system("dpkg --compare-versions $needkernel{$kernversion} lt $version") != 0) {
145			$needkernel{$kernversion}=$version;
146	joeyh	644	}
147			}
148
149	neilm	1763	# Fire up madison.
150	joeyh	657	my @maddy;
151			for (1..5) {
152	joeyh	1278	@maddy=`madison -s '$suite' '$package'`;
153	joeyh	659	if ($? & 127 \|\| ($? >> 8 != 0 && $? >> 8 != 1)) {
154			# good old unrelaible newraff,
155			# home of our archive..
156	joeyh	657	next;
157			}
158			last;
159			}
160	joeyh	654	if ($? & 127) {
161	joeyh	657	record($package, "<em>[madison segfaulted 5 times in a row.. Medic!]</em>", $id);
162	joeyh	564	}
163			elsif ($? >> 8 != 0 && $? >> 8 != 1) {
164	joeyh	654	record($package, "<em>[madison exited with ".($? >> 8)."]</em>", $id);
165	joeyh	564	}
166	joeyh	657	if (! @maddy) {
167	joeyh	307	next;
168			}
169	joeyh	241
170	joeyh	1242	if (grep { $_ eq 'unfixed' \|\| $_ eq 'pending' } @notes) {
171	joeyh	1244	record($package, '('.join("; ", @notes).')', $id, $urgency);
172	joeyh	257	$unfixed++;
173	neilm	1763	# It's not been fixed!
174	joeyh	2	}
175	joeyh	241	else {
176	joeyh	657	foreach my $maddy (@maddy) {
177			my @fields = split(/\s\\|\s/, $maddy);
178	neilm	1763	my $havver=$fields[1]; # It's this version in the archive I'm checking.
179	joeyh	657	my $arches=$fields[3];
180			$version=~s/\s+//; # strip whitespace
181			$arches=~s/\s+$//;
182	neilm	1763	my $starchive = "";
183
184			# Is the version in the archive greater than the version that's vulnerable?
185			my $cmp=system("dpkg --compare-versions '$havver' '>=' '$version'");
186			if ($cmp != 0){ # No, so the archive is vulnerable.
187
188			# Does the version exist in the secure-testing archive?
189			my $staversion = `zcat /tmp/Sources.sta.gz \|grep-dctrl -F Package -e ^$package\$ -s Version -`;
190			chomp $staversion;
191			$staversion=~s/Version: //;
192			$staversion=~s/\s+//;
193			if (length ($staversion)) {
194			# Yes, but what version is in s-t?
195			my $stacmp = system("dpkg --compare-versions '$staversion' '>=' '$version'");
196			if ($stacmp == 0){
197			# Well, the version in the s-t archive fixes the issue
198			# but it's still vulnerable in the main archive
199			$starchive = " (fixed in $staversion in the secure-testing archive)";
200			$fixedsta++;
201			}
202	neilm	1750	}
203	neilm	1763
204	joeyh	1278	if ($html && $suite eq 'testing') {
205	joeyh	657	$havver='<a href="http://bjorn.haxx.se/debian/testing.pl?package='.uri_escape($package).'">'.$havver.'</a>';
206			}
207	neilm	1763	record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : "").$starchive, $id, $urgency);
208	joeyh	657	$unprop++;
209	joeyh	735	$unprop_all++ unless @maddy > 1;
210	joeyh	230	}
211	joeyh	31	}
212			}
213	joeyh	2	}
214			}
215			}
216	joeyh	230
217	joeyh	307
218			foreach my $package (sort keys %data) {
219			foreach my $condition (sort keys %{$data{$package}}) {
220	joeyh	1279	print OUT "<li>" if $html;
221			print OUT "$package $condition for ";
222	joeyh	307	my $items=0;
223	joeyh	1242	foreach my $i (sort @{$data{$package}{$condition}}) {
224	joeyh	1279	print OUT ", " if $items > 0;
225	joeyh	1242
226			if ($html) {
227	joeyh	1243	my $color=$colormap{$i->{urgency}};
228	joeyh	1279	print OUT "<span style=\"background:$color\">";
229	joeyh	1242	}
230	joeyh	1279	print OUT $i->{item};
231	joeyh	1243	if ($html) {
232	joeyh	1279	print OUT "</span>";
233	joeyh	1243	}
234	joeyh	1242
235	joeyh	307	$items++;
236			}
237	joeyh	1279	print OUT "\n";
238	joeyh	307	}
239			}
240
241	joeyh	644	foreach my $version (sort keys %needkernel) {
242			my %images;
243
244			if ($needkern{$version} eq "0") {
245			next;
246			}
247
248			my @dctrl;
249			if (defined $sources && length $sources) {
250	joeyh	645	my $cat=($sources=~/\.gz/) ? "zcat" : "cat";
251			@dctrl=`$cat $sources \| grep-dctrl -F Binary kernel-image-$version -s Package,Build-Depends -`;
252	joeyh	644	}
253
254			my $package="";
255			my $haveversion;
256
257			foreach my $line (@dctrl) {
258			chomp;
259			if ($line=~/Package:\s*(\S+)/) {
260			$package=$1;
261			$haveversion="0";
262			} elsif ($line=~/Build-Depends/) {
263			if ($line=~/kernel-tree-$version-([^,\s]+)/) {
264			$haveversion="$version-$1";
265	stef-guest	687	} elsif ($line=~/kernel-source-$version\s+\(>?=\s*([^\s\)]+)\)/) {
266	joeyh	644	$haveversion="$1";
267			}
268			} else {
269			if ($package=~/linux-kernel-di/ \|\| $package eq "") {
270			next;
271			}
272			$images{$package}=$haveversion;
273			$package="";
274			}
275			}
276
277			foreach $package (sort keys %images) {
278			if ($images{$package} eq "0") {
279	joeyh	1279	print OUT "<li>" if ($html && $list_unknown);
280			print OUT "$package built from kernel-source-$version $needkernel{$version} needed, current version unknown\n" if $list_unknown;
281	joeyh	644	} elsif (!system("dpkg --compare-versions $needkernel{$version} gt $images{$package}")) {
282	joeyh	1279	print OUT "<li>" if $html;
283			print OUT "$package built from kernel-source-$version $needkernel{$version} needed, have $images{$package}\n";
284	joeyh	644	$need_rebuild++;
285			}
286			}
287
288
289			}
290
291
292	joeyh	307	if ($html) {
293	joeyh	1279	print OUT "</ul>\n";
294			print OUT "<hr>\n";
295	neilm	1763	print OUT "Key: ";
296			foreach $keyline (@urgencies) {
297			print OUT "<span style=\"border: 1px dashed; background:".$colormap{$keyline}."\"> $keyline </span> ";
298			}
299			print OUT "<br>";
300	joeyh	1279	print OUT "Total holes unfixed: $unfixed<br>\n";
301	neilm	1763	print OUT "Total holes fixed in unstable but not $suite: $unprop_all ($fixedsta fixed in secure-testing archive)";
302	joeyh	735	if ($unprop_all != $unprop) {
303	joeyh	1279	print OUT " (+".($unprop - $unprop_all)." on some arches)";
304	joeyh	735	}
305	joeyh	1279	print OUT "<br>\n";
306			print OUT "Total number of kernel image packages not up to date: $need_rebuild<br>\n";
307			print OUT "Number of TODO lines in <a href=\"http://svn.debian.org/wsvn/secure-testing/data/?rev=0&sc=0\">records</a>: $todos<br>\n";
308	joeyh	1659	print OUT "Maintained by the <a href=\"http://secure-testing.debian.net/\">testing security team</a><br>\n";
309	joeyh	1279	print OUT "Last update: ".`date`."<br>\n";
310			print OUT "</html>\n";
311	joeyh	230	}
312	joeyh	1279
313			close OUT;
314			if (defined $output) {
315			rename("$output.tmp.$$", $output) \|\| die "rename: $!";
316			}