1 |
On 07/05/2016 10:43 PM, Aaron Bauman wrote: |
2 |
> On Wednesday, July 6, 2016 9:00:12 AM JST, Anthony G. Basile wrote: |
3 |
>> On 7/4/16 11:26 PM, Aaron Bauman wrote: |
4 |
>> |
5 |
>>> Finally, that does not dissolve the developer of providing usable, |
6 |
>>> substantiated, and verifiable information regarding the |
7 |
>>> vulnerabilities. The idea that a developer gets to choose whether or |
8 |
>>> not they do so should not be considered. Anthony's verbiage on Freenode |
9 |
>>> was very frank, in that if he chose to do so he would. We ask for |
10 |
>>> all ... |
11 |
>> |
12 |
>> 1) In bug #473770 upstream gave sufficient information. I stated so in |
13 |
>> comments #1 and #2 with links. You ignored this fact and proceeded to |
14 |
>> p.mask in comment #3. This CVE should never have been filed. Its junk. |
15 |
>> |
16 |
>> 2) Bug #459274 is not a security bug. A CVE request was filed by Ago |
17 |
>> which, as far as I can tell, went no where. The log file in question |
18 |
>> does not disclose much more than one could obtain with just ps and |
19 |
>> netstat. I fixed a related issue with access.log in bug #459274. |
20 |
> |
21 |
> That CVE request was not from Ago. It was from the respective OSS ML |
22 |
> referenced in the URL field of the bug report. Not to mention, you as a |
23 |
> maintainer were able to discover another issue with that package and fix |
24 |
> it. |
25 |
> |
26 |
>> |
27 |
>> 3) My point on IRC is that you are acting on junk CVEs and I question |
28 |
>> your judgment. You can't produce "substantiated and verifiable |
29 |
>> information" on junk. Your above paragraph eclipses that side of my |
30 |
>> argument and strawmans me. |
31 |
>> |
32 |
> |
33 |
> Why is this so difficult? All of the follow up information you gave, |
34 |
> after the p.mask and inquiry from Alex, is exactly what we need from the |
35 |
> maintainers. If the CVE is junk, which often happens, then the |
36 |
> verifiable and substantiating information is perfectly acceptable from |
37 |
> the maintainer. No one here is challenging your ability to provide such |
38 |
> information, but given the multitude of security related bugs we need |
39 |
> cooperation from the maintainers. We are not familiar with every |
40 |
> package in the tree, but we do our best to ensure any potential |
41 |
> vulnerability is mitigated. Again, you are the only developer who has |
42 |
> had an issue with this. As previously mentioned, a p.mask is not the |
43 |
> end of the road, it is just an obligation to ensure the user is warned |
44 |
> of longstanding security issues. If they choose to unmask it then so be |
45 |
> it. |
46 |
> |
47 |
>> I personally would like to see only QA oversee any forced p.maskings and |
48 |
>> have the security team pass that task over to QA for review. By forced |
49 |
>> I mean without the cooperation of the maintainer. |
50 |
>> |
51 |
> |
52 |
> Again, no one else has had an issue with this except you. The one who |
53 |
> doesn't want to cooperate. I apologized for not pinging an active |
54 |
> developer, but you cannot reciprocate the professionalism here and work |
55 |
> with us. Why can't you just work the issue like you did following the |
56 |
> p.mask and we can move on? Inevitably proving the point of why the |
57 |
> p.mask is an option. Look at the myriad of security bugs and you will |
58 |
> see such examples of developers working together in order to validate, |
59 |
> mitigate, and close these bugs. Sometimes this process highlights the |
60 |
> reality that CVE's are not perfect in their descriptions or assessments. |
61 |
> -Aaron |
62 |
> |
63 |
|
64 |
I think it is a little bit of a stretch to say that he's the only one to |
65 |
have an issue. Now, I've spoken with the parties involved, so my issue |
66 |
is resolved, but I had a package of mine bumped in the name of security |
67 |
without being pinged/consulted at all. I'm not attempting to point |
68 |
blame at anyone, but merely show that there are others who have been |
69 |
affected by security workflow sometimes going around the maintainer. I |
70 |
don't think there should be any harm in acknowledging that, and striving |
71 |
to make sure it doesn't happen in the future, where possible. |
72 |
|
73 |
-- |
74 |
NP-Hardass |