1 |
Gentoo has been vulnerable to a highly-publicized (Guardian, Slashdot, |
2 |
the works) local privilege escalation for almost two weeks now. (Well, |
3 |
it has been vulnerable for years, but of course we didn't know about it |
4 |
until two weeks ago.) |
5 |
|
6 |
In the bugzilla thread tracking the problem it has been mentioned a few |
7 |
times that the kernel does not receive GLSA support: |
8 |
http://bugs.gentoo.org/show_bug.cgi?id=337645 |
9 |
|
10 |
Looking at the security webpage, it seems to me that while we don't |
11 |
PUBLISH GLSAs for the kernel, the intent is to still fix problems (to do |
12 |
otherwise would seem quite insane). |
13 |
|
14 |
Looking at the normal GLSA process, this would rate as a A1 criticality |
15 |
problem (local escalation in a system component), with a target |
16 |
resolution of 3 days. We're going on 10 days now on bug 337645 with no |
17 |
mention of even targeting any particular release for stabilization. |
18 |
|
19 |
Obviously the current bug will get done when it gets done, and it isn't |
20 |
any skin off my back as I've upgraded (and in the likely event that |
21 |
34-r10 gets called for stable I can keyword it without further testing). |
22 |
However, for the longer term it seems like something needs to change in |
23 |
the process. I don't see how kernel vulnerabilities can sit around for |
24 |
days. Most distros pushed out patches to stable users same-day or |
25 |
within a day or two. |
26 |
|
27 |
Perhaps a mitigating solution might be to open a security bug as soon as |
28 |
Gentoo hears about a problem, and notify the package maintainers. Then |
29 |
the maintainers must either call for stabilization within 48 hours, or |
30 |
publish a plan for how they will get the fix stabilized within the |
31 |
target period. That is, we don't need to fix every problem in 48 hours, |
32 |
but there needs to be a strategy for an on-time fix within 48 hours. If |
33 |
a plan isn't available at the end of 48 hours, we publish to the GLSA |
34 |
mailing list a notice that Gentoo contains a known vulnerability that |
35 |
may not be resolved in accordance with our security targets, and provide |
36 |
what we know and a link to the bug. For confidential issues we |
37 |
obviously can't broadcast that to the world, but we should do so as soon |
38 |
as we can (unless we're back on track by then). Internally, the plan |
39 |
should still exist within 48 hours whether confidential or not. |
40 |
|
41 |
The council should monitor incidents that run late to determine if some |
42 |
teams need additional support. |
43 |
|
44 |
This is of course an idealized target. I realize we aren't paid to be |
45 |
here. Nobody should be put in the stocks anytime soon, as we probably |
46 |
aren't performing nearly to this level. However, there is no reason |
47 |
that we should just accept security vulnerabilities in the distro. Or, |
48 |
if we intend to do that we should at least be responsible and state that |
49 |
clearly so that users realize that we do not intend to support use of |
50 |
the distribution in situations where security matters (such as on the |
51 |
desktop, or in a server room, or on any system attached to the Internet). |
52 |
|
53 |
In any case, this is really just food for thought - no doubt other |
54 |
solutions exist. It just seems like we need to step it up a bit with |
55 |
regard to security problems. I don't want to single out the kernel team |
56 |
either, as no doubt they're not the only ones with delays. |
57 |
|
58 |
Rich |