| 1 |
On 07/05/2016 10:43 PM, Aaron Bauman wrote: |
| 2 |
> On Wednesday, July 6, 2016 9:00:12 AM JST, Anthony G. Basile wrote: |
| 3 |
>> On 7/4/16 11:26 PM, Aaron Bauman wrote: |
| 4 |
>> |
| 5 |
>>> Finally, that does not dissolve the developer of providing usable, |
| 6 |
>>> substantiated, and verifiable information regarding the |
| 7 |
>>> vulnerabilities. The idea that a developer gets to choose whether or |
| 8 |
>>> not they do so should not be considered. Anthony's verbiage on Freenode |
| 9 |
>>> was very frank, in that if he chose to do so he would. We ask for |
| 10 |
>>> all ... |
| 11 |
>> |
| 12 |
>> 1) In bug #473770 upstream gave sufficient information. I stated so in |
| 13 |
>> comments #1 and #2 with links. You ignored this fact and proceeded to |
| 14 |
>> p.mask in comment #3. This CVE should never have been filed. Its junk. |
| 15 |
>> |
| 16 |
>> 2) Bug #459274 is not a security bug. A CVE request was filed by Ago |
| 17 |
>> which, as far as I can tell, went no where. The log file in question |
| 18 |
>> does not disclose much more than one could obtain with just ps and |
| 19 |
>> netstat. I fixed a related issue with access.log in bug #459274. |
| 20 |
> |
| 21 |
> That CVE request was not from Ago. It was from the respective OSS ML |
| 22 |
> referenced in the URL field of the bug report. Not to mention, you as a |
| 23 |
> maintainer were able to discover another issue with that package and fix |
| 24 |
> it. |
| 25 |
> |
| 26 |
>> |
| 27 |
>> 3) My point on IRC is that you are acting on junk CVEs and I question |
| 28 |
>> your judgment. You can't produce "substantiated and verifiable |
| 29 |
>> information" on junk. Your above paragraph eclipses that side of my |
| 30 |
>> argument and strawmans me. |
| 31 |
>> |
| 32 |
> |
| 33 |
> Why is this so difficult? All of the follow up information you gave, |
| 34 |
> after the p.mask and inquiry from Alex, is exactly what we need from the |
| 35 |
> maintainers. If the CVE is junk, which often happens, then the |
| 36 |
> verifiable and substantiating information is perfectly acceptable from |
| 37 |
> the maintainer. No one here is challenging your ability to provide such |
| 38 |
> information, but given the multitude of security related bugs we need |
| 39 |
> cooperation from the maintainers. We are not familiar with every |
| 40 |
> package in the tree, but we do our best to ensure any potential |
| 41 |
> vulnerability is mitigated. Again, you are the only developer who has |
| 42 |
> had an issue with this. As previously mentioned, a p.mask is not the |
| 43 |
> end of the road, it is just an obligation to ensure the user is warned |
| 44 |
> of longstanding security issues. If they choose to unmask it then so be |
| 45 |
> it. |
| 46 |
> |
| 47 |
>> I personally would like to see only QA oversee any forced p.maskings and |
| 48 |
>> have the security team pass that task over to QA for review. By forced |
| 49 |
>> I mean without the cooperation of the maintainer. |
| 50 |
>> |
| 51 |
> |
| 52 |
> Again, no one else has had an issue with this except you. The one who |
| 53 |
> doesn't want to cooperate. I apologized for not pinging an active |
| 54 |
> developer, but you cannot reciprocate the professionalism here and work |
| 55 |
> with us. Why can't you just work the issue like you did following the |
| 56 |
> p.mask and we can move on? Inevitably proving the point of why the |
| 57 |
> p.mask is an option. Look at the myriad of security bugs and you will |
| 58 |
> see such examples of developers working together in order to validate, |
| 59 |
> mitigate, and close these bugs. Sometimes this process highlights the |
| 60 |
> reality that CVE's are not perfect in their descriptions or assessments. |
| 61 |
> -Aaron |
| 62 |
> |
| 63 |
|
| 64 |
I think it is a little bit of a stretch to say that he's the only one to |
| 65 |
have an issue. Now, I've spoken with the parties involved, so my issue |
| 66 |
is resolved, but I had a package of mine bumped in the name of security |
| 67 |
without being pinged/consulted at all. I'm not attempting to point |
| 68 |
blame at anyone, but merely show that there are others who have been |
| 69 |
affected by security workflow sometimes going around the maintainer. I |
| 70 |
don't think there should be any harm in acknowledging that, and striving |
| 71 |
to make sure it doesn't happen in the future, where possible. |
| 72 |
|
| 73 |
-- |
| 74 |
NP-Hardass |
Archives