Changelog for previous entries

We use eLTS for Jessie without security, that has been archived and
signed with an expired key.

linux/CHANGELOG

@@ -5,14 +5,26 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 
 ### Added
 
+* IS_BACKPORTS_VERSION: check if the Backports release matches the Debian release
+
 ### Changed
 
+* IS_BROADCOMFIRMWARE: use apt policy
+* Prefer long options
+* IS_POSTFIX_MYDESTINATION: use fixed string instead of escaping characters
+
 ### Deprecated
 
 ### Removed
 
 ### Fixed
 
+* IS_DEBIANSECURITY_LXC: don’t test older than Debian 9 containers
+* IS_KERNELUPTODATE: address false positive in case of kernel removal
+* IS_SSHPERMITROOTNO: specify lport, avoiding failure if sshd listens to more than one port
+* IS_DRBDTWOPRIMARIES: fix false positive (#151)
+* IS_ETCGIT_LXC, IS_GITPERMS_LXC: fix path
+
 ## [23.11.1]
 
 ### Fixed

linux/evocheck.sh

@@ -205,11 +205,21 @@ check_debiansecurity_lxc() {
     if is_installed lxc; then
         container_list=$(lxc-ls)
         for container in $container_list; do
-            lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
-            test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}"
+            DEBIAN_LXC_VERSION=$(cut -d "." -f 1 < /var/lib/lxc/${container}/rootfs/etc/debian_version)
+            if [ $DEBIAN_LXC_VERSION -ge 9 ]; then
+                lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
+                test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}"
+            fi
         done
     fi
 }
+check_backports_version() {
+    # Look for enabled "Debian Backports" sources from the "Debian" origin
+    apt-cache policy | grep "\bl=Debian Backports\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
+    test $? -eq 1 || ( \
+        apt-cache policy | grep "\bl=Debian Backports\b" | grep --quiet "\bn=${DEBIAN_RELEASE}-backports\b" && \
+        test $? -eq 0 || failed "IS_BACKPORTS_VERSION" "Debian Backports enabled for another release than ${DEBIAN_RELEASE}" )
+}
 check_oldpub() {
     # Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch)
     apt-cache policy | grep --quiet pub.evolix.net
@@ -676,7 +686,7 @@ check_phpmyadminapacheconf() {
 check_kerneluptodate() {
     if is_installed linux-image*; then
         # shellcheck disable=SC2012
-        kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
+        kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot/*lin* | tail -n1 | awk '{print $6}')" +%s)
         last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
         if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
             failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised"
@@ -770,7 +780,7 @@ check_gitperms_lxc() {
             if test -d $GIT_DIR; then
                 expected="700"
                 actual=$(stat -c "%a" $GIT_DIR)
-		[ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})"
+                [ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})"
             fi
         done
     fi
@@ -1553,6 +1563,7 @@ main() {
     test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
     test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
     test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc
+    test "${IS_BACKPORTS_VERSION:=1}" = 1 && check_backports_version
     test "${IS_OLDPUB:=1}" = 1 && check_oldpub
     test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc
     test "${IS_NEWPUB:=1}" = 1 && check_newpub