| 1 |
Gentoo has been vulnerable to a highly-publicized (Guardian, Slashdot, |
| 2 |
the works) local privilege escalation for almost two weeks now. (Well, |
| 3 |
it has been vulnerable for years, but of course we didn't know about it |
| 4 |
until two weeks ago.) |
| 5 |
|
| 6 |
In the bugzilla thread tracking the problem it has been mentioned a few |
| 7 |
times that the kernel does not receive GLSA support: |
| 8 |
http://bugs.gentoo.org/show_bug.cgi?id=337645 |
| 9 |
|
| 10 |
Looking at the security webpage, it seems to me that while we don't |
| 11 |
PUBLISH GLSAs for the kernel, the intent is to still fix problems (to do |
| 12 |
otherwise would seem quite insane). |
| 13 |
|
| 14 |
Looking at the normal GLSA process, this would rate as a A1 criticality |
| 15 |
problem (local escalation in a system component), with a target |
| 16 |
resolution of 3 days. We're going on 10 days now on bug 337645 with no |
| 17 |
mention of even targeting any particular release for stabilization. |
| 18 |
|
| 19 |
Obviously the current bug will get done when it gets done, and it isn't |
| 20 |
any skin off my back as I've upgraded (and in the likely event that |
| 21 |
34-r10 gets called for stable I can keyword it without further testing). |
| 22 |
However, for the longer term it seems like something needs to change in |
| 23 |
the process. I don't see how kernel vulnerabilities can sit around for |
| 24 |
days. Most distros pushed out patches to stable users same-day or |
| 25 |
within a day or two. |
| 26 |
|
| 27 |
Perhaps a mitigating solution might be to open a security bug as soon as |
| 28 |
Gentoo hears about a problem, and notify the package maintainers. Then |
| 29 |
the maintainers must either call for stabilization within 48 hours, or |
| 30 |
publish a plan for how they will get the fix stabilized within the |
| 31 |
target period. That is, we don't need to fix every problem in 48 hours, |
| 32 |
but there needs to be a strategy for an on-time fix within 48 hours. If |
| 33 |
a plan isn't available at the end of 48 hours, we publish to the GLSA |
| 34 |
mailing list a notice that Gentoo contains a known vulnerability that |
| 35 |
may not be resolved in accordance with our security targets, and provide |
| 36 |
what we know and a link to the bug. For confidential issues we |
| 37 |
obviously can't broadcast that to the world, but we should do so as soon |
| 38 |
as we can (unless we're back on track by then). Internally, the plan |
| 39 |
should still exist within 48 hours whether confidential or not. |
| 40 |
|
| 41 |
The council should monitor incidents that run late to determine if some |
| 42 |
teams need additional support. |
| 43 |
|
| 44 |
This is of course an idealized target. I realize we aren't paid to be |
| 45 |
here. Nobody should be put in the stocks anytime soon, as we probably |
| 46 |
aren't performing nearly to this level. However, there is no reason |
| 47 |
that we should just accept security vulnerabilities in the distro. Or, |
| 48 |
if we intend to do that we should at least be responsible and state that |
| 49 |
clearly so that users realize that we do not intend to support use of |
| 50 |
the distribution in situations where security matters (such as on the |
| 51 |
desktop, or in a server room, or on any system attached to the Internet). |
| 52 |
|
| 53 |
In any case, this is really just food for thought - no doubt other |
| 54 |
solutions exist. It just seems like we need to step it up a bit with |
| 55 |
regard to security problems. I don't want to single out the kernel team |
| 56 |
either, as no doubt they're not the only ones with delays. |
| 57 |
|
| 58 |
Rich |
Archives