Arturo Garcia wrote:

> On Thursday 27 Sep 2007, Steve Long wrote:
>> No the point, as I see it, is that a security _audit_ of the code is now
>> being carried out. Not a fix to one bug.
> As I said, fine with me, but *do* it and then close the bug. Open new
> ones, assign them and link them to the original bug if you wish. We act
> on them and we close them as well.
>
Er the point was that the audit *is* being carried out as we speak. How long
it takes depends on 1) how much time taviso has spare and 2) how much real
help he gets with it.

We're getting a bit mixed up in terms of what is tracked as a bug on
bugzilla and the actual initial problem (the command injection.) While the
bug on bugzilla is about the injection problem, I personally wouldn't close
it til the audit has been completed and the service is back on-line.

>> That's why it would be great if the report were submitted. Or do you
>> think it wise to bring the service back up with known flaws?
> What report?!? Onkobu offered help in auditing any future patches if
> anybody required so. Nothing more. Unfortunately, he got angry (no wonder)
> and pulled out. Maybe he is now running another distro... I haven't been
> in touch with him.
>
Well it read more like there were other flaws which he had spotted (in the
bit I quoted at least.) So: /that/ report of all the flaws you or anyone
else can find. If you've found the flaw you should know how to fix it, so
attach a patch.

> Regarding the flaws, as I said, look at the code and find for yourself.
Er why should I? I'm not a dev, nor am I that bothered. You on the other
hand seem quite concerned about this, yet reluctant to do anything.

> As far as I know, Tavis *has* reviewed the patch and the code. All that
> is outstanding is for the site to be tested. If he opens new bugs, then
> we will patch and close them.
>
One patch to one flaw, when you concede that there are others. Fine, if it's
been patched then close it and make a tracker for other flaws: it won't
lead to the service being back quicker, in fact it'll probably take longer
since additional bugs would be filed. To my mind, once he's found another
flaw, it's a lot less time to fix it: why then would it be useful to file a
bug about it?

>> I didn't write the lines about the whole service needing reworking
>> either. I'm just trying to explain why I think the process is being
>> carried out properly.
> ?_? again. I don't understand what you are trying to say?!? I don't see
> the correlation between this and your (or my) first post. Sorry.
>
OK. My point is, and was, that an audit covers the whole codebase. IOW he
literally has to scan every single line. This process is being carried out
properly IMO, since to only patch one flaw and put the service back on-line
would be irresponsible at best.

> As a summary, the next step now is for security@g.o to do their work
> (as Infra has *repeatedly* said and requested). If someone can poke them
> to do so please, it will be highly appreciated. If they audit, test, or
> jump on one foot while holding raw eggs on their head I don't care. It's
> their job.
Er they're not paid for it, so it's not a job in the sense that you imply.
How exactly do you want "them" to be poked? As stated there's only one dev
assigned to it and he's busy starting Uni. While I agree this is
unfortunate, I imagine there simply aren't that many security devs.

> Bug please test and come back to us. Thanks.
>
FWIW I totally agree that p.g.o should be back online as a matter of
priority. If you want that done, help with the audit: get a report together
of all the flaws (and fixes) that you can find. If not, stop whinging that
no one else is doing it (and more importantly stop telling me to do it),
when a volunteer has already been assigned. It'll take him as long as it
takes him.
"With Free software you either do, or you wait." Pick one.


--
gentoo-project@g.o mailing list