public inbox for gentoo-security@lists.gentoo.org
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Sat, 27 Aug 2011 08:13:02 -0400
Message-ID: <CAGfcS_koxCDPjPc3N_KKs3M_rAtnvbuDeePpLsaKbFcgQ3x7og@mail.gmail.com>
In-Reply-To: <4E58AF85.4020908@gocept.com>

On Sat, Aug 27, 2011 at 4:49 AM, Christian Kauhaus <kc@gocept.com> wrote:
> So in consequence I would appreciate to have both mechanisms: a timely
> up-front notification via GLSAs (probably more brief than the past ones) and
> some sort of security masking.

The current GLSA mechanism already provides both of these.  There are
the email notifications, and there is an xml file that provides the
masking information (which the glsa-checker tool and some package
managers use).

From what I've seen (from a distance), the problem seems to be that
both of these are created using a software tool which is apparently
very cumbersome to use.  However, both are just text files.

Part of me wonders if a workflow like this would help solve the problem:

1.  Some contributor posts a GLSA email and xml file to a security
bug.  This could be anybody.  The content would be trimmed down a bit
- perhaps just a CVE reference, and then the information on vulnerable
and non-vulnerable versions.

2.  Somebody on staff with commit access to the xml tree and the
mailing list would review and send out the advisory, and mark this as
done in the bug.

I also wonder if there would be any value in sending out the notice
after the fixed version is in the tree but before it is stable.  Right
now advisories wait until the last security-supported arch stabilizes
the package.  I would think that earlier notice would be useful - even
if sysadmins want to wait for a package to become stable they'll know
something is coming, and the delay on the major arches tends to be
hours to days.  Plus, if somebody can't wait they can test/install on
their own, and perhaps even post feedback on the bug.

Obviously notices would have to wait until after any blackout period ends.

Note that I'm basically advocating ditching the tool.  A tool is good
when it improves productivity.  However, right now it appears that the
tool is keeping people from contributing who want to contribute.
Certainly things couldn't get worse without the tool.  If a user just
edits an xml template and email template and posts it on the bug, then
very little work should be required to review the files before posting
them.  Contributors wouldn't need any special access either - freeing
up devs to provide more of a QA role.

Ditching the tool would also simplify fixes to GLSAs.  I haven't run
it in a while, but took glsa-checker out of my cron ages ago when it
would just report packages with vulnerabilities that had none.  I did
log bugs, but apparently adding one line to the xml files requires as
much pain as sending out the original notice.

Bottom line, however, is I don't think that we can consider
ourselves a serious distro if we don't provide timely security
advisories.

All that said, I would say that from what I've seen in bugzilla, if
you're on x86 or amd64 and running an updated stable tree, you
shouldn't have longstanding security vulnerabilities.  A new security
bug pops up almost weekly, and packages are updated fairly quickly on
those arches.  The problem is just that we never tell anybody that
we're doing it.

Rich
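The "masking information" check that the message refers to, shown as an added example that is not part of the original post and is not Gentoo's own glsa-check code: a small Python script that parses a constructed, trimmed-down advisory fragment (a hypothetical package app-misc/example, a placeholder CVE-0000-0000 reference, and an XML layout loosely modelled on the GLSA affected/package/vulnerable/unaffected elements but simplified) and flags installed versions that fall inside a vulnerable range and outside every unaffected range. The version comparison follows the Gentoo ordering for -rN revisions, a trailing letter, and _alpha/_beta/_pre/_rc/_p suffixes (simplified: numeric components compare as integers), since a sloppy comparison there is exactly how a checker ends up reporting packages as vulnerable when a fixed revision is already installed.

```python
"""Minimal GLSA-style affected-version check.

Added example, not Gentoo's glsa-check. The advisory fragment, the
package name, the CVE placeholder and the installed-package table are
all constructed for this demo; the XML layout is a simplified, assumed
variant of the real GLSA <affected>/<package> elements.
"""
import re
import xml.etree.ElementTree as ET

# Constructed advisory fragment: one CVE reference plus vulnerable /
# unaffected ranges, the minimum a trimmed-down advisory would carry.
ADVISORY_XML = """<glsa id="000000-00">
  <references><uri>CVE-0000-0000</uri></references>
  <affected>
    <package name="app-misc/example" arch="*">
      <unaffected range="ge">1.2.3-r1</unaffected>
      <vulnerable range="lt">1.2.3-r1</vulnerable>
    </package>
  </affected>
</glsa>"""

# Constructed "installed packages" table: category/name -> version.
INSTALLED = {
    "app-misc/example": "1.2.3",
    "sys-apps/other": "0.9",
}

# Suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_ORDER = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_VER_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)


def parse_version(v):
    """Split a Gentoo-style version into (numbers, letter, suffixes, revision).

    Simplified: numeric components are compared as integers; PMS also has a
    string-comparison rule for components with leading zeros.
    """
    m = _VER_RE.match(v)
    if not m:
        raise ValueError("unparseable version: %r" % v)
    nums, letter, suffixes, rev = m.groups()
    num_tuple = tuple(int(x) for x in nums.split("."))
    suffix_tuple = []
    for s in suffixes.split("_")[1:]:
        word = s.rstrip("0123456789")
        suffix_tuple.append((_SUFFIX_ORDER[word], int(s[len(word):] or 0)))
    return num_tuple, letter or "", tuple(suffix_tuple), int(rev or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing Gentoo-style versions a and b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    # Pad suffix lists so a missing suffix ranks as "no suffix" (0):
    # 1.0_beta1_rc1 < 1.0_beta1, but 1.0_beta1_p1 > 1.0_beta1.
    n = max(len(sa), len(sb))
    sa += ((0, 0),) * (n - len(sa))
    sb += ((0, 0),) * (n - len(sb))
    ka, kb = (na, la, sa, ra), (nb, lb, sb, rb)
    return (ka > kb) - (ka < kb)


# Range operators as used in the advisory's range="..." attributes.
_RANGE_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def in_range(installed, op, bound):
    return _RANGE_OPS[op](compare_versions(installed, bound))


def affected_packages(advisory_xml, installed):
    """Return {pkg: installed_version} for packages the advisory flags.

    A package is flagged only if its installed version matches some
    <vulnerable> range and no <unaffected> range; packages the advisory
    does not mention, or that are not installed, are left alone.
    """
    root = ET.fromstring(advisory_xml)
    hits = {}
    for pkg in root.iter("package"):
        name = pkg.get("name")
        ver = installed.get(name)
        if ver is None:
            continue
        unaffected = any(in_range(ver, e.get("range"), e.text.strip())
                         for e in pkg.findall("unaffected"))
        vulnerable = any(in_range(ver, e.get("range"), e.text.strip())
                         for e in pkg.findall("vulnerable"))
        if vulnerable and not unaffected:
            hits[name] = ver
    return hits


def advisory_cves(advisory_xml):
    """Collect the CVE references carried by the advisory."""
    root = ET.fromstring(advisory_xml)
    return [e.text.strip() for e in root.iter("uri")]


if __name__ == "__main__":
    for name, ver in affected_packages(ADVISORY_XML, INSTALLED).items():
        print("%s-%s is affected (%s)"
              % (name, ver, ", ".join(advisory_cves(ADVISORY_XML))))
```

With the constructed data the script reports app-misc/example-1.2.3 as affected; swapping the installed version for 1.2.3-r1 or 1.2.3-r2 clears it, which is the revision-bump case a checker must get right to avoid the spurious reports described above.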



Thread overview:
2011-08-26 16:12 [gentoo-security] No GLSA since January?!? Christian Kauhaus
2011-08-26 16:43 ` Christoph Jasinski
2011-08-26 16:57   ` JD Horelick
2011-08-26 17:18     ` Daniel A. Avelino
2011-08-26 17:57       ` Alex Legler
2011-08-26 18:22         ` Daniel A. Avelino
2011-08-26 18:44           ` Alex Legler
2011-08-26 19:27             ` Daniel A. Avelino
2011-08-26 16:55 ` Alex Legler
2011-08-26 17:06   ` Christian Kauhaus
2011-08-26 18:00     ` Joost Roeleveld
2011-08-26 18:07       ` Alex Legler
2011-08-26 19:30         ` Joost Roeleveld
2011-08-26 18:08     ` Kevin Bryan
2011-08-26 18:40       ` Alex Legler
2011-08-26 20:02         ` Kevin Bryan
2011-08-26 20:40           ` Daniel A. Avelino
2011-08-26 22:27           ` Alex Legler
2011-08-26 23:38             ` Daniel A. Avelino
2011-08-26 18:41       ` Daniel A. Avelino
2011-08-27  8:49       ` Christian Kauhaus
2011-08-27 12:13         ` Rich Freeman [this message]
2011-08-27 12:34           ` Tobias Heinlein
2011-08-27 13:06             ` Rich Freeman
2011-08-27 13:34               ` Tobias Heinlein