Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Tobias Heinlein (keytoaster)" <keytoaster@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/security/meeting-logs: 20080714-log.txt
Date: Thu, 02 Sep 2010 13:12:46
Message-Id: 20100902131239.52D6120051@flycatcher.gentoo.org
1 keytoaster 10/09/02 13:12:39
2
3 Added: 20080714-log.txt
4 Log:
5 Moved from vorlon's devspace.
6
7 Revision Changes Path
8 1.1 xml/htdocs/proj/en/security/meeting-logs/20080714-log.txt
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/20080714-log.txt?rev=1.1&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/20080714-log.txt?rev=1.1&content-type=text/plain
12
13 Index: 20080714-log.txt
14 ===================================================================
15 --- Log opened Mon Jul 14 19:00:29 2008
16 19:00 <@vorlon078> ok... it is 1900 UTC and thus time to begin I guess
17 19:01 <@vorlon078> we have rbu mjf_ p-y and keytoaster on board
18 19:01 <@vorlon078> anyone else?
19 19:01 * adir waves
20 19:01 <@vorlon078> :)
21 19:02 <@vorlon078> so let's start with a short status overview
22 19:02 <@vorlon078> btw... the agenda didn't change since the invitation went out, but we can append any topic that comes up during the meeting
23 19:03 <@p-y> yep, I've noted a few topics that i'd like to discuss
24 19:03 <@vorlon078> ok
25 19:03 -!- rbu changed the topic of #gentoo-security to: Project Meeting: *now* http://dev.gentoo.org/~vorlon/security/meeting-20080714.xml
26 19:04 <@vorlon078> for the sub projects... I guess both of them, kernel and auditing can be considered dead at the moment
27 19:04 <@vorlon078> and we are currently lacking recruits/scouts/...
28 19:04 <@p-y> solar: still around?
29 19:05 <@vorlon078> and some team members are missing or busy with real life issues
30 19:05 <@rbu> what's the point in listing dead subprojects? as for the kernel project, i believe we should put effort in reviving it. but i think we should drop the audit project and put the docs elsewhere
31 19:05 <@vorlon078> all that resulting in quite some delays in bug fixing and especially glsa drafting/sending
32 19:06 <@p-y> for auditing i think it's not very important, but kernel is a little bit more problematic
33 19:06 <@vorlon078> rbu: agreed... audit will come back when we have someone interested
34 19:07 <@vorlon078> kernel is important in the long term, because we really should start considering kernel security again
35 19:07 <@vorlon078> but so much about the current status of the project...
36 19:07 <@p-y> yeah, but what do we do with the tons of open kernel sec bugs?
37 19:07 <@rbu> vorlon078: until then, i think we should remove the audit project
38 19:07 <@vorlon078> let's append kernel security to the list of topics
39 19:07 <@rbu> ++
40 19:08 <@mjf_> p-y: surely many of them can be closed?
41 19:08 <@p-y> mjf_: maybe, but that needs to be checked out for every kernel version that we ship, it's a *lot* of work
42 19:08 <@vorlon078> p-y: mjf_ let's kinda stick with the agenda and just append kernel sec
43 19:08 <@rbu> p-y: mjf_: if we append kernel security to the agenda, we should discuss it later
44 19:08 <@p-y> ok
45 19:09 < armin76> bumb!
46 19:09 <@vorlon078> next big thing is recruiting...
47 19:09 <@rbu> vorlon078: wait one second
48 19:09 <@vorlon078> rbu: sure... sorry
49 19:09 <@vorlon078> rbu: and yeah... we could just remove auditing or put a note on the page that it is dead
50 19:09 <@rbu> vorlon078: you wanted to discuss the project in general, and i guess that should include the way we do in security bugs
51 19:10 <@rbu> vorlon078: what do your stats say about that? why are late so often?
52 19:10 <@vorlon078> http://dev.gentoo.org/~vorlon/security/stats.xml
53 19:10 <@rbu> oh wait, that's another topic
54 19:10 <@rbu> argh
55 19:10 <@vorlon078> yeah ;-)
56 19:11 <@vorlon078> so let's start with recruiting...
57 19:12 <@vorlon078> I cleaned up our padawans page and it turned out we only have one person left as a recruit more or less
58 19:12 <@vorlon078> and adir who wants to contribute again
59 19:12 <@vorlon078> we have lost quite some recruits after only a short time they were active
60 19:12 <@vorlon078> although some also became devs
61 19:12 <@p-y> i think some people wanted to join recently, but they didn't sent a mail on security@g.o
62 19:13 <@vorlon078> so the question would be how to improve our recruitment process
63 19:13 <@p-y> I have some ideas on that
64 19:13 <@vorlon078> :)
65 19:13 <@p-y> in archs teams, archs testers have some more privileges on bugzie
66 19:14 <@p-y> with security scouts, they can't do anything on bugs that they didn't open
67 19:14 <@p-y> that's problematic, since you can't do much then
68 19:14 <@p-y> maybe they should be allowed to edit bugs earlier
69 19:14 <@rbu> oh god, that must be annoying :-o
70 19:15 <@p-y> ?
71 19:15 <@vorlon078> so at what point should we give editbugs priv to recruits?
72 19:15 <@rbu> not being able to edit bugs
73 19:15 <@rbu> i believe there is enough people watching the bugmail that we can survive some mistakes with early participation.
74 19:15 <@p-y> agreed with rbu
75 19:16 <@p-y> i always check every bugmail
76 19:16 <@rbu> so i think one or two weeks might be enough if the person is active and does do goo
77 19:16 <@vorlon078> should we wait like a week or so before giving privs out?
78 19:16 <@p-y> the problem is if they change a bug which is not assigned to security
79 19:16 <@vorlon078> rbu: yeah
80 19:16 <@vorlon078> p-y: exactly
81 19:17 <@p-y> vorlon078: yeah, probably
82 19:17 <@rbu> p-y: i wonder if that can be limited
83 19:17 <@p-y> me too, don't know how bugzie works with this
84 19:18 <@vorlon078> just asked in #-infra
85 19:18 <@p-y> ok, good
86 19:18 <@vorlon078> another problem is that sometimes mails from potential scouts are not answered in time
87 19:19 <@vorlon078> does not happen often, since there are not many mails, but we should be quick with stuff like that
88 19:19 <@vorlon078> and an old idea was to assign a mentor to each padawan
89 19:19 <@rbu> i think that we can do better in describing the "daily" process, as in: where to look for bugs, how to open a bug. maybe some examples
90 19:19 <@vorlon078> rbu: yeah
91 19:20 <@p-y> evelyette: still around? I remember you wanted to join
92 19:20 <@vorlon078> we should update some of our docs for sure
93 19:20 <@vorlon078> and we need to get the word out more... since there are not many even contacting us about joining
94 19:21 < evelyette> p-y, yes I'm still here... I've been very busy with my exams and now I'm coding something c/c++ so I don't have so much time...but before I do any work here I have to research a little more what I have to do...so I need time
95 19:21 <@p-y> ok, sure
96 19:21 <@mjf_> i have some input on more info for new recruits, ping me when you wann hear it
97 19:21 <@p-y> mjf_: please do
98 19:22 <@vorlon078> mjf_: go ahead
99 19:22 <@rbu> i can write up some padawan docs, to put them up. -- mjf_, i hope you can help there?
100 19:22 <@mjf_> yes.
101 19:22 <@vorlon078> great
102 19:22 <@mjf_> you should have a run-through of opening a bug, getting arch teams in etc
103 19:22 <@rbu> mjf_: let's get together about that later then
104 19:22 <@mjf_> like a full example.
105 19:22 <@mjf_> rbu: sure.
106 19:22 <@rbu> vorlon078: what do you have in mind in terms of recruiting?
107 19:23 <@vorlon078> we could get something up in the GMN
108 19:23 <@rbu> one thing that is very important IMO is to *encourage* people to join --- i have seen comments sometimes when people were new
109 19:23 <@vorlon078> or try with a blog post for now
110 19:23 <@rbu> that it's "all day the same work" and everything
111 19:23 <@vorlon078> yeah... that is not very helpful
112 19:23 <@p-y> you can't deny it
113 19:24 <@vorlon078> yes, but it can also be fun
114 19:24 <@rbu> p-y: yes, and no. there are certain boring tasks, but as usual you can either automate them, or have them handy
115 19:24 <@p-y> it's useless to lie to people so they help, and when they realize it, they leave, generally after a month
116 19:24 <@keytoaster> yes, that's important, i actually joined when p-y sent a mail to -dev back in 2007, otherwise i wouldn't have done so
117 19:24 <@rbu> p-y: but if you approach people with that attitude, you will not win anyone
118 19:25 <@p-y> true
119 19:25 <@vorlon078> so let us be honest but not scare everyone away right at the beginning
120 19:25 <@rbu> vorlon078: you said you could write up something in your blog? what else would you have in mind?
121 19:25 <@vorlon078> and with more privileges and more integration into the whole sec work we might make it more interesting
122 19:26 <@p-y> that's the point, but it's not easy
123 19:26 <@vorlon078> gmn article might help... i believe we have done that in the gwn a long while ago and we had quite a few people coming
124 19:26 <@rbu> ok, sounds good. could the forums be a place to advertise?
125 19:26 <@vorlon078> or talking to people who file bugs
126 19:27 <@p-y> basically, you 1)watch sec list, 2)file a bug, 3)draft a GLSA, 4)back to 1)
127 19:27 <@vorlon078> if we see somebody shows interest we should just approach them
128 19:27 <@rbu> p-y: you missed the steps between 2 and 3, which are fun. reading up, understanding the issue -- testing exploits, and so on
129 19:28 <@rbu> dberkholz: i guess the main page could be more inviting to help in general gentoo areas -- how is that coming?
130 19:28 <@p-y> rbu: yeah, but it's not mandatory...
131 19:28 <@vorlon078> rbu: i actually don't use the forums that much
132 19:28 <@rbu> vorlon078: well, we could note down the intent, and decide who posts it later
133 19:29 <@vorlon078> p-y: but recruits should be welcome to help with that too if they want... or help develop better tools for us like rbu's cve stuff
134 19:29 <@p-y> of course
135 19:29 <@vorlon078> ok... what is something concrete we can achieve quickly
136 19:29 <@p-y> vorlon078: got an answer about bugzie privileges?
137 19:30 <@rbu> if mjf_ and me can get that padawan "howto" done in, say, a week -- we could start rolling the drums after that?
138 19:30 <@keytoaster> p-y: only possible in bugzilla-3, we run bugzilla-2
139 19:30 <@vorlon078> rbu: yeah... that would be great
140 19:30 <@p-y> :/
141 19:30 <@vorlon078> I can try and write something up for a blog or article
142 19:31 <@rbu> so, here's the deal about bugzilla: i think we can still do it. but a mentor for each padawan would have to *monitor* the padawan's mail alias
143 19:32 <@vorlon078> rbu: that would work i guess
144 19:32 <@p-y> mail alias is for mail *received*, not sent? or am I missing something?
145 19:32 <@rbu> it should be fairly easy to set up a rule to find all non-security changes by that person, so the mail should be low
146 19:32 <@keytoaster> shouldn't be a big problem anyways, arch testers can edit other bugs, too
147 19:33 <@vorlon078> ok... so we will ask infra about adding privs to people or for us to be able to set them
148 19:33 <@vorlon078> and a mentor will watch over a padawan
149 19:33 <@vorlon078> and help where needed
150 19:33 <@vorlon078> also rbu and mjf_ will write new docs for padawans
151 19:33 <@vorlon078> and i will get something together to invite more people to join
152 19:33 <@vorlon078> ok?
153 19:34 <@p-y> 21:29) (@p-y) mail alias is for mail *received*, not sent? or am I missing something?
154 19:34 <@p-y> I mean, for monitoring
155 19:34 <@mjf_> vorlon078: sounds good
156 19:34 <@rbu> vorlon078: ++
157 19:34 <@vorlon078> p-y: hm... you are right i think... but a search should be possible
158 19:34 < dberkholz> rbu: (sorry for lag) it's coming slowly because nobody besides neysx knows enough xslt to be useful
159 19:35 <@rbu> p-y: https://bugs.gentoo.org/userprefs.cgi?tab=email "Email is sent or not according to your preferences for their relationship to the bug (e.g. Assignee). "
160 19:36 <@rbu> so i enable it to send "all comments i leave, all bugs i close" and get all bugs the padawan closes
161 19:36 <@rbu> etc
162 19:37 <@rbu> dberkholz: well, i hope you two are still driving it though, thanks for answering
163 19:37 <@vorlon078> wfm
164 19:37 <@p-y> and what if they've no relationship?
165 19:37 <@p-y> like they're not assignee nor in CC?
166 19:38 <@vorlon078> rbu: ^
167 19:38 <@rbu> p-y: ok, very good point. then a search/rss will help, i guess
168 19:38 <@vorlon078> i could not find a search for that actually
169 19:39 <@vorlon078> well... let's do some research on that
170 19:39 <@vorlon078> anything else wrt recruiting?
171 19:39 <@rbu> nop
172 19:39 <@p-y> nope
173 19:40 <@vorlon078> then let's stick with my above summary and also try to find a way for the editbugs priv problem
174 19:40 <@p-y> ok
175 19:40 <@vorlon078> the next topic is our current delays with glsas
176 19:41 * rbu has a solution to editbugs ;-)
177 19:41 <@vorlon078> see http://dev.gentoo.org/~vorlon/security/stats.xml
178 19:41 <@rbu> but later*
179 19:41 <@vorlon078> heh ok
180 19:41 <@p-y> rbu: dont forget it ;)
181 19:41 <@vorlon078> the page shows some rough stats about delays and such... not 100% accurate bug a good hint
182 19:41 < dberkholz> rbu: we could really use someone new who has both interest and mad xslt skillz.
183 19:42 <@vorlon078> and it shows we are really behind on the timeframes given by our policy
184 19:42 < mariok> hello
185 19:42 <@vorlon078> i.e. not even 50% of bugs are closed in time
186 19:43 <@p-y> yeah
187 19:43 <@rbu> vorlon078: you don't have any numbers about the state that it is in the longest?
188 19:43 <@vorlon078> i guess it started going down around the time koon left
189 19:43 <@vorlon078> rbu: unfortunately not
190 19:44 <@vorlon078> to me it seems drafting/reviewing is taking the longest atm
191 19:44 <@vorlon078> but that is more of a guess
192 19:44 <@vorlon078> earlier we used to have more problems with maintainers and stable marking
193 19:44 <@rbu> except for some exceptions, i think most of the rot is in [glsa] state :-/
194 19:45 <@p-y> rbu: yeah
195 19:45 <@vorlon078> rbu: yeah... that is where more recruits are needed i guess
196 19:45 <@p-y> some glsa requests have been there for months :/
197 19:45 <@rbu> since we still stay at close peer reviewing, and i think we really need to, ...
198 19:46 <@rbu> ... we should find a way to enable earlier contributions
199 19:46 <@p-y> like the emul-baselibs stuff
200 19:46 <@rbu> but i don't see that happening with that glsamaker
201 19:46 <@vorlon078> rbu: what do you mean with earlier contributions?
202 19:47 <@rbu> vorlon078: well, right now editing GLSAs stands at the end of the recruiting process. why not allow contributions earlier?
203 19:47 <@rbu> as we do with ebuilds. anyone can add an ebuild to a bug.
204 19:48 <@p-y> rbu++
205 19:48 <@vorlon078> actually it comes right after scouting... which can be quite quick
206 19:48 <@vorlon078> but you might be right
207 19:48 <@p-y> that could be a real benefit I think
208 19:48 <@rbu> i know *i* had to fight for that glsamaker access, and i think keytoaster will agree :-)
209 19:48 <@keytoaster> right
210 19:48 <@vorlon078> heh
211 19:48 <@p-y> heh
212 19:48 <@keytoaster> i was scouting for about half a year until i got access
213 19:49 <@keytoaster> was slacking some time though :>
214 19:49 * vorlon078 remembers being invited to it ;)
215 19:49 <@p-y> I stayed scout during a few months too
216 19:49 <@vorlon078> ok... so earlier contribution by recruits to glsa drafting would be a +
217 19:49 <@rbu> just how do we do this?
218 19:49 <@keytoaster> also, falco told me that glsamaker access is the last step because it might contain classified stuff
219 19:49 < hoffie> mhh, when i first touched glsamaker code i thought about re-implementing it. unfortunately i havent had any time for that (and cant make promises for the near future anyway). one of my ideas (of course i'd asked before actually doing sth) was making it a bit more decentralized
220 19:49 <@vorlon078> especially since many bugs are filed bug us or other devs nowadays
221 19:49 <@keytoaster> which should be hidden for new recruits until they become devs
222 19:49 <@p-y> keytoaster: didn't think about that
223 19:50 <@vorlon078> keytoaster: that is correct
224 19:50 <+adir> I agree with rbu :) I didn't have to fight for it, but it took me a long time until I got that glsamaker access :)
225 19:50 < hoffie> like providing a readonly glsamaker interface to the public (or at least to all scouts etc.), making glsamaker a standalone tool (or extend it with one) and allowing simply importing/exporting glsa drafts
226 19:50 <@keytoaster> and yes, that's not possible with our current glsamaker, but i think it's not a problem to implment a simple checkbox for the new one
227 19:50 < hoffie> i.e. anybody could draft a glsa locally and attach the xml file to a bug or something
228 19:51 <@rbu> hoffie: that could be an option.
229 19:51 <@vorlon078> hoffie: that would work too
230 19:51 <@vorlon078> so either seperated privs for glsamaker or something like what hoffie proposed
231 19:51 < dertobi123> jaervosz: around? been in contact with DerCorny lately and know a way for me to contact him? :)
232 19:52 <@vorlon078> dertobi123: jaervosz isn't available currently
233 19:52 < dertobi123> hrmkay
234 19:52 <@vorlon078> what would be easier to implement?
235 19:52 <@vorlon078> or are the other ideas
236 19:53 <@p-y> hoffie: would it be feasible quickly to show when the glsa request was pooled?
237 19:53 <@rbu> rewrite glsamaker, and include privilege separation
238 19:53 <+adir> it was a bit frustrating, but it was worth it and I really liked to contribute. However, there might be some people who might not like such a long process. the question is what the team acheives from a long process of recruiment. there's some tradeoff between long process and motivation, I believe.
239 19:53 <+adir> jaervosz and dercorny... where are they? I miss them :)
240 19:54 <@rbu> adir: dercorny retired, jaervosz is just on travel
241 19:54 <@p-y> dercorny retired, jaervosz is in vacation IIRC
242 19:54 <@p-y> :p
243 19:54 <@vorlon078> rbu: who would do that... and how fast could that be achieved_ ,ss)
244 19:54 < hoffie> p-y: sorry, didnt get the question, i'm not into the glsamaker stuff that much, i mainly looked at the code when i touched it
245 19:54 < dertobi123> adir: that's why i want to get in contact with him (Corny) again :)
246 19:54 <+adir> nice :)
247 19:54 < hoffie> p-y: pooled as in "filed the request"?
248 19:54 <@vorlon078> s/_ ,ss/;)/
249 19:54 <@p-y> hoffie: exactly
250 19:55 <@rbu> vorlon078: i already do that, but i cannot promise anything. i drafted a database model for GLSAs, and could already file one in the new tool
251 19:55 <@rbu> but it's still missing some features :-(
252 19:55 <@rbu> like xml import and export, and edit... and so on
253 19:55 <@vorlon078> rbu: sounds interesting
254 19:56 <@vorlon078> although i am not sure if a db is needed ,)
255 19:56 <@vorlon078> anyways... the idea about earlier contribution to glsa drafting is a good one
256 19:56 <@rbu> vorlon078: well, it is not -- when you store and edit XML all the time.
257 19:56 < hoffie> p-y: erm.. so your question was if it is possible to show those requests to the public in the current glsamaker? or did i get you wrong?
258 19:56 <@rbu> vorlon078: *but* i object to that ;-)
259 19:56 <@p-y> hoffie: nope
260 19:56 <@p-y> it's for us only
261 19:57 <@vorlon078> but it appears that it would need some work on the tools
262 19:57 <@p-y> to show when the request was filed, so we can prioritize older requests
263 19:57 <@p-y> or at least try to ;)
264 19:57 <@vorlon078> so are there any suggestions on short/mid-term changes
265 19:57 <@rbu> p-y: where, in the list? because the details page shows that date
266 19:57 < hoffie> p-y: ah, you are currently missing a date there?
267 19:57 <@p-y> rbu: yeah, directly in the list
268 19:58 <@p-y> ideally, we could sort columns with that date
269 19:58 <@rbu> p-y: no sorting... not in that code!
270 19:58 <@p-y> :(
271 19:58 <@vorlon078> lol
272 19:58 <@rbu> p-y: displaying the date should be simple --> git.overlays.gentoo.org ;-)
273 19:59 <@rbu> vorlon078: for the short term -- i do not think we will find a technical solution for earlier contribution
274 19:59 <@rbu> or any other real issues in glsamaker
275 19:59 <@vorlon078> rbu: yeah, that's how i see it too
276 19:59 <@p-y> rbu: what am I supposed to do with that? I don't know PHP :p
277 19:59 <@rbu> so if we would allow people to contribute, it would have to be organized via plain text / mail
278 20:00 < hoffie> at least we now have a specific task to do rather than "do something to make it easier to contribute"
279 20:00 <@rbu> p-y: excuses!
280 20:01 <@rbu> hoffie: of the two solutions, implement privilege separation -- or have a central tool, and an external draft-tool, which would you prefer?
281 20:01 <@p-y> rbu: writing a draft with no tool is not handy at all
282 20:01 <@vorlon078> p-y: rbu: plain text would be ok though... could be copy&pasted to glsamaker
283 20:01 <@rbu> p-y: people would only contribute Synopsis, Description and Impact then
284 20:01 < hoffie> rbu: in the long time, definitely the latter. implementing privilege seperation is probably easier, but i guess noone wants to touch the current code..
285 20:02 <@vorlon078> but then the person could no see the reviews etc
286 20:02 <@vorlon078> ^ which would be the case for the external draft tool too
287 20:03 <@vorlon078> we just passed the first hour btw
288 20:04 <+adir> :)
289 20:04 <@rbu> vorlon078: do you have a better solution for the short term than manual contribution -- i mean all that is given that someone really wants to contribute GLSAs anyway
290 20:04 <@rbu> and i don't think anyone will touch the existing code for this feature
291 20:05 < hoffie> vorlon078: well, what about making all non-private (embargoed) drafts+comments (semi-)publically accessible? would be the same if we chose to go the other way (keeping central stuff, using privilege seperation)
292 20:05 <@vorlon078> this way of contributing drafts would actually not look very appealing to recruits i guess
293 20:06 < hoffie> the difference is mainly that in one case the user can directly edit drafts at the central place (and as such needs an account) and in the other case he doesnt (as someone from security will import the xml file)
294 20:07 <@vorlon078> you mean we should do it the other way around and keep non-public drafts out of glsamaker at first but allow people easier access to the rest?
295 20:07 <@rbu> hoffie: maybe we have a different understanding of privsep, but i would imagine that devs can see and edit all drafts, and non-devs can sign up, and contribute drafts -- but not see any but their own
296 20:08 <@vorlon078> rbu: that is what i had in mind too
297 20:08 <@p-y> rbu: sounds good
298 20:08 < hoffie> vorlon078: well no, just like bugzilla, certain drafts could be marked private, everything else is public
299 20:08 < hoffie> rbu: ah well, didnt think of user-can-signup-himself :)
300 20:08 <@p-y> but they would need to see the requests to be drafted too
301 20:09 <@vorlon078> hm... self sign up... dunno about that
302 20:09 <@p-y> hoffie: even displaying the draft is private is too much i think
303 20:09 <@vorlon078> um
304 20:09 <@p-y> it indicates the affected packages, and the versions
305 20:09 <@vorlon078> i guess we have some small variations of our view of priv sep here
306 20:10 <@vorlon078> in general i like the idea... more details could be talke about at a different time mazbe
307 20:10 <@vorlon078> for short term... i actuallz have no good idea
308 20:10 < hoffie> p-y: no, i mean, a security dev would mark the draft private and it would be hidden from any non-security member
309 20:11 <@p-y> vorlon078: I have: find the courage to draft some stuff :)
310 20:11 < hoffie> yeah i guess this topic could be postponed to some time else, maybe end of the meeting as it is unlikely that we find a short-term solution anyway
311 20:11 <@p-y> hoffie: ok
312 20:11 < hoffie> so i guess there are more important things to discuss now
313 20:11 <@vorlon078> p-y: ;) mainly lack of time here
314 20:11 <@vorlon078> let's postpone the topic then
315 20:11 <@p-y> vorlon078: I guess that's the same for every of us
316 20:12 <@vorlon078> i guess we have gotten at least some good ideas about a new tool
317 20:12 < hoffie> indeed
318 20:12 <@vorlon078> can we go on with the next topic?
319 20:12 <@p-y> yep
320 20:12 <@rbu> ++
321 20:13 <@vorlon078> GLSA related issues
322 20:13 <@vorlon078> there are two points
323 20:13 <@vorlon078> related to changes in the glsa xml
324 20:13 <@vorlon078> first should implement the correct date format in glsas
325 20:13 <@vorlon078> we should...
326 20:14 <@vorlon078> rbu: could you give a status overview on that maybe
327 20:14 <@vorlon078> i don't think there is much holding us back there
328 20:15 <@rbu> yes. the status as follows
329 20:15 <@rbu> right now we ship glsas with a date that does not follow the DTD -- old glsas have a different date format
330 20:16 <@rbu> also, the revision should be in an attribute, not in the date as " : $rev"
331 20:16 <@rbu> we have a patch to glsamaker ready, and a script to convert all files in glsamaker, and in CVS
332 20:16 <@rbu> and that will also allow dates in the RSS feed finally
333 20:16 <@vorlon078> https://bugs.gentoo.org/show_bug.cgi?id=196681
334 20:16 <@vorlon078> for reference
335 20:17 <@rbu> what we do not have is an announcement of the change, and the patch to portage
336 20:17 <@rbu> this will "break" output in current portage versions, they will display the date as in the XML
337 20:17 <@rbu> so "January 1, 2008 : 1" would change to "2008-01-01"
338 20:17 <@rbu> and the revision ignored
339 20:17 <@vorlon078> is it just glsa-check or portage itself?
340 20:18 <@rbu> glsa-check
341 20:18 <@vorlon078> a patch for glsa-check was attached to the other bug iirc
342 20:18 <@rbu> but portage 2.2 has glsa parsing directly, so i guess that too
343 20:18 <@vorlon078> and it actually seemed just to be a cosmetic issue
344 20:19 <@vorlon078> rbu: that is what i was just wondering about too
345 20:19 <@rbu> vorlon078: right, and from my reading the patch is ok. but one would really need to test it beforehand
346 20:19 <@vorlon078> so the single hold up is portage
347 20:19 <@rbu> vorlon078: yes
348 20:19 <@vorlon078> then let's bug the portage/glsa-check team again
349 20:19 <@rbu> .. and no, considering the cosmetics. but still, people might have scripts parsing glsa-check's output
350 20:19 <@vorlon078> rbu: true
351 20:20 <@vorlon078> then let's push for the portage changes
352 20:20 <@vorlon078> so we can get it over with
353 20:20 <@rbu> anyone up to test the patch and bug the portage people?
354 20:21 <@rbu> we would also need to get that thing stable, maybe a little earlier than usual
355 20:21 <@vorlon078> and it should also be announce beforehand for people parsing glsa in scripts and other package managers
356 20:23 <@rbu> vorlon078: what bothers me a little is that neysx edited the dtd to add the <revised count=""> attribute
357 20:23 <@vorlon078> he did alreadz?
358 20:23 <@vorlon078> ah... the dtd
359 20:23 <@vorlon078> what bothers you about it?
360 20:24 <@rbu> vorlon078: yes... well, editing the dtd is not an issue. but i do not think we should be using that attribute, and at the same time we pay attention not to add a SLOT attribute without versioning
361 20:24 <@vorlon078> ?
362 20:25 <@vorlon078> why not that attribute?
363 20:25 <@rbu> in the end both are the same thing (from a format / package manager) perspective: i understood genone that *no* attribute should be added to the DTD without proper versioning
364 20:25 <@rbu> if that holds for SLOT attributes, it should also hold for COUNT attribute
365 20:25 <@vorlon078> that sounds right
366 20:26 <@vorlon078> so (joining this and the next topic) we do need a glsa version tag and that should be updated for every change in the dtd too
367 20:27 < hoffie> or start versioning the dtd maybe? the xml should contain the url of the dtd anyway? (i assume it already does)
368 20:28 <@rbu> hoffie: it does
369 20:28 <@rbu> vorlon078: i also think the XML should not contain the version inside, but we should use a new DTD, that has a version in the name
370 20:28 <@rbu> glsa-2.dtd
371 20:29 <@vorlon078> yeah
372 20:29 < hoffie> that's what i meant
373 20:29 <@vorlon078> well if genone/portage/neysx are alright with that, then we should go that route
374 20:29 <@rbu> when changing the format of dates, all our glsas will be the new DTD then
375 20:30 <@vorlon078> yeah
376 20:30 <@rbu> so the transition would be on at least 4 weeks delay due to announcing the change. so getting it ready soon would be good
377 20:31 <@rbu> as always :-)
378 20:31 <@vorlon078> ;-)
379 20:31 <@vorlon078> first step would be to ask about that kind of versioning of the dtd
380 20:31 <@vorlon078> and integration of the date/revision stuff into portage
381 20:32 <@rbu> maybe proposing a solution we favor would be helpful
382 20:32 <@vorlon078> yeah
383 20:32 <@rbu> then we can move to the next point, slot support. how would we want to do this?
384 20:32 <@rbu> do we want to do this?
385 20:33 <@vorlon078> i would sorry... connection issues... back again
386 20:34 <@p-y> yeah, that would avoid the usual "glsa-check says that foo-1.2-r14 is vulnerable but it's not" bugs
387 20:34 <@vorlon078> -i would
388 20:35 <@vorlon078> so we could say slot 1 >1.1 unaffected, slot 2 >2.3 unaffected etc
389 20:35 <@vorlon078> first requirement from the portage team before implementation was the versioning of the dtd
390 20:36 <@rbu> well, i guess we are beyond that
391 20:36 <@vorlon078> yeah
392 20:37 <@vorlon078> this should be worked out together with genone et al i guess
393 20:37 <@rbu> do we want to discuss specifics to the format now, or later?
394 20:37 <@vorlon078> and will probably take ..... well quite some time
395 20:37 <@p-y> rbu: later, probably
396 20:37 <@vorlon078> agreed
397 20:37 <@rbu> vorlon078: about the time. usually all it needs is follow-through.
398 20:37 <@vorlon078> so what is the next action from our side for those two issues
399 20:38 <@vorlon078> push portage team for the glsa date stuff
400 20:38 <@vorlon078> and test the patch
401 20:38 <@vorlon078> anything else?
402 20:39 <@rbu> here's how i see the next steps: decide how we would do slot support in the DTD, talk to neysx/docs team about getting -2.dtd ready, and then talk to genone about implementing it
403 20:39 <@rbu> i think we should do SLOT support and the date issue at the same time.. otherwise we have to do it twice
404 20:39 <@vorlon078> true
405 20:40 <@vorlon078> then let's start a discussion about the slot support via mail maybe
406 20:40 <@vorlon078> or the wiki
407 20:40 * vorlon078 uses the chance to remind everyone of the wiki we have... see link in glsamaker
408 20:41 < hoffie> it's non-public i guess?
409 20:41 <@vorlon078> hoffie: glsamaker account needed
410 20:42 < hoffie> mh, i guess i dont have mine anymore, ok ;)
411 20:42 <@vorlon078> nothing much of interest in there atm anyways ;)
412 20:42 <@vorlon078> so if nobody wants to add to this topic anymore then i suggest to take the discussion to mail and go on with the next topic
413 20:42 <@p-y> ++
414 20:43 <@p-y> ah... CVE ids :)
415 20:43 <@vorlon078> which takes us to specifying cve ids in bugyilla
416 20:43 <@vorlon078> y=z z=y
417 20:44 <@vorlon078> atm we have to places where we put the ids.. in the title and as aliases
418 20:44 <@vorlon078> which both works fine for the one cve per bug issues
419 20:44 <@p-y> yep
420 20:44 <@vorlon078> but we run into problems where one bug deals with multiple cve ids
421 20:44 <@p-y> usually i put the lowest id as alias, but that doesn't help much actually
422 20:45 <@vorlon078> in the title (CVE-2008-{1234,1235,1236,1237}) works just fine if one uses searches like "ALL CVE-2008 1234" to find it
423 20:45 <@vorlon078> if there are multiple cves i don't put any of them as alias
424 20:46 <@p-y> imo we should add somehting about CVE in the vuln policy
425 20:46 <@vorlon078> rbu now has some issues with his notebook and should be right back
426 20:46 <@rbu> back -)(
427 20:46 <@p-y> heh
428 20:47 < hoffie> once again i'd have a suggestion which requires more than a little work, i guess... exposing the cve->bugid mapping from svn to the public using a small web tool, for example
429 20:47 <@vorlon078> p-y: yeah... i would like to specify a way now and document that in the coord guide
430 20:47 < hoffie> i.e. providing a small "search engine" specifically for cves
431 20:47 <@rbu> redhat does one bug per CVE, but i don't want to go down that mess
432 20:47 <@vorlon078> hoffie: kinda like debian does it... yeah
433 20:47 <@p-y> there's a cve bot already
434 20:47 <@vorlon078> rbu: yeah... too many bugs then
435 20:47 < hoffie> mh right
436 20:47 <@p-y> but a web tool could help
437 20:48 <@rbu> a web page *would* be helpful... but does anyone want to do that ? ;-)
438 20:48 <@p-y> rbu: espacially for mozilla bugs :D
439 20:48 <@vorlon078> as a side note... if we want to achieve cve compatibility, we need to have a way to link bugs/glsas/cve ids and make that searchable
440 20:49 < hoffie> rbu: you've got parsing code for those lists anyway, right (for !cve)?
441 20:49 < hoffie> then it should be *rather* easy to expose that as a small cgi script
442 20:49 <@p-y> vorlon078: maybe adding them in the glsa list at glsa.gentoo.org would be ok?
443 20:49 <@rbu> hoffie: kind of.... the way the bot works right now is really messy
444 20:49 <@p-y> then, ctrl+f in your browser ;)
445 20:50 <@vorlon078> p-y: i'm not sure that qualifies as searchable ,)
446 20:50 <@vorlon078> but having the cves listed there would be nice
447 20:50 <@p-y> at least that's better than nothing
448 20:50 <@vorlon078> but i think we have a lack of space on that page
449 20:51 <@vorlon078> and i believe it should also be possible to search for a certain cve and see that it does not affect us etc
450 20:51 <@vorlon078> s/possible/needed/
451 20:51 <@vorlon078> ah forget that
452 20:51 <@rbu> if you think we should employ the list in the SVN, which is the most complete (also features recent non-glsa bugs)... exposing that to the web is possible
453 20:51 < hoffie> so, what do we have? bug -> cve works (summary), bug -> glsa works (final comment), glsa -> cve works, glsa -> bugid? i dont think so, and cve -> bug is not accessible from web easily
454 20:51 <@rbu> and if we want to invest work, i think that would make the most sense
455 20:52 <@rbu> glsa-> bugid, is in the glsa
456 20:52 <@p-y> glsa already contains bugid, doesn't it?
457 20:52 <@p-y> ok :)
458 20:52 < hoffie> ok
459 20:52 < hoffie> so only cve -> bugid missing
460 20:52 <@vorlon078> hm
461 20:52 < hoffie> which would be implementable by using the list from svn as a source
462 20:52 <@p-y> !cve CVE-2008-2543
463 20:52 < rbubot> p-y: CVE-2008-2543 (The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and ...)
464 20:52 < rbubot> p-y: * CVE-2008-2543 has bug 224949
465 20:53 < hoffie> s/missing/missing for non-irc/ ,9
466 20:53 < hoffie> ;)
467 20:53 <@p-y> :)
468 20:53 <@rbu> since i forked the tools from debian, the "security tracker" they run could almost handle our "database"
469 20:53 < hoffie> is it public as well?
470 20:53 <@rbu> yes, the code is public. but it is *huge*
471 20:53 <@vorlon078> rbu: yeah... i think we should look into implementing it that way maybe
472 20:53 <@p-y> it does the coffee too?
473 20:53 < hoffie> mh well, i'd rather have thought about a small cgi script
474 20:54 <@vorlon078> but we should also keep the cve ids in bug titles as we do it now and document that
475 20:54 < hoffie> yeah of course
476 20:54 <@rbu> the debian code is here http://svn.debian.org/wsvn/secure-testing/lib/python/?rev=0&sc=0
477 20:54 <@vorlon078> i am not sure about the alias
478 20:54 <@p-y> it's not possible to have multiple aliases for one bug?
479 20:55 <@p-y> one per cve i
480 20:55 <@rbu> p-y: nope
481 20:55 <@p-y> s/i/id
482 20:55 <@p-y> :/
483 20:55 <@rbu> and also, we have multiple bugs per CVE sometimes
484 20:55 <@rbu> we would need some kind of tracker then
485 20:56 <@rbu> tracker = tracker bug
486 20:56 <@vorlon078> yeah
487 20:57 <@rbu> hoffie: your interest in that tacker is rather passive? :-)
488 20:57 <@rbu> cve->bug tarcker
489 20:57 < hoffie> mh, i guess a mixture of the current system (sometimes handling multiple cves in one bug) and the redhat style (one bug per cve) would be messy as well. i.e. filing seperate bugs per cve but marking them as dups of the bug were all related cves are handled
490 20:58 < hoffie> well i could try to implement it :)
491 20:58 <@vorlon078> so we do want to have some kind of tracker site on the web for cve/bug/glsas
492 20:58 <@vorlon078> hoffie: hired
493 20:58 <@vorlon078> ;-)
494 20:59 < hoffie> well, for now i'd probably only want to implement cve->bug, as this is missing
495 20:59 < hoffie> we can then see if it's worth extending this to do all the other mappings as well
496 21:00 <@vorlon078> sounds good
497 21:00 <@rbu> hoffie: adding CVE->bug to that list could be done as well (by me), so that could be exported
498 21:00 <@vorlon078> we should also get more active with the tool in svn then
499 21:01 < hoffie> rbu: hu, this information is already in svn, isnt it?
500 21:01 < hoffie> that's what i was referring to
501 21:01 <@rbu> hoffie: not yet
502 21:01 < hoffie> 22:52:40 <@p-y> !cve CVE-2008-2543
503 21:01 < hoffie> 22:52:41 <rbubot> p-y: CVE-2008-2543 (The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and ...)
504 21:01 < hoffie> 22:52:42 <rbubot> p-y: * CVE-2008-2543 has bug 224949
505 21:01 < hoffie> where does it come from then?
506 21:01 <@rbu> hoffie: oh, that. yes
507 21:01 <@rbu> bug is, glsa not
508 21:01 < hoffie> ah, you meant glsa
509 21:02 <@vorlon078> should we start adding glsa ids to the list file too?
510 21:02 <@rbu> sorry.. man, yes
511 21:02 <@rbu> concentration--
512 21:02 < hoffie> yeah, either that or add a possibility to parse glsas and extract the bug ids
513 21:02 < hoffie> but i guess we can postpone that a bit, main priority is cve -> bug
514 21:02 <@rbu> vorlon078: we could script that easily
515 21:02 <@vorlon078> true
516 21:02 <@vorlon078> hoffie: would be great if you could come up with something there
517 21:03 <@vorlon078> which could easily be expanded later
518 21:03 <@vorlon078> passing 2h
519 21:04 <@rbu> MOVIN ON THEN
520 21:04 <@rbu> oops
521 21:04 <@vorlon078> lol
522 21:04 <@p-y> :D
523 21:04 <@vorlon078> ok
524 21:04 <@vorlon078> then we delegate the creation of a tool for this issue to hoffie ;)
525 21:04 <@vorlon078> and move on...
526 21:05 < hoffie> ok
527 21:05 <@vorlon078> rbu proposed two additions to the vuln policy
528 21:05 < hoffie> if you dont hear anything from me regarding this by the end of the week, poke me again :p
529 21:05 < hoffie> but i'll try to work on it tomorrow
530 21:05 <@vorlon078> we will delegate someone else to poke you then
531 21:05 < hoffie> :D
532 21:05 <@vorlon078> "Insecure creation of temporary files" and "SQL Injection"
533 21:06 <@vorlon078> both are not really defined in the policy atm
534 21:06 < hoffie> i'm really in favor of listing more common cases there (although my vote might not count here :p)
535 21:06 <@vorlon078> rbu proposed level 3 for that which would result in normal severity in the glsa
536 21:07 <@p-y> hmm, maybe 2 for SQL injection
537 21:07 <@vorlon078> 2: Remote passive compromise: remote execution of arbitrary code by enticing a user to visit a malicious server or using malicious data
538 21:07 <@vorlon078> 3: Global service compromise: denial of service, passwords or full database leaks... 3 normal
539 21:07 < hoffie> mhhh... i guess those things are often a case-by-case thing
540 21:08 <@p-y> yeah but SQL injection is still remote exec of SQL code
541 21:08 < hoffie> php limits queries w/ mysql_query to one query. so being able to inject data to a SELECT query really means that the attacker can "only" get information he isnt supposed to see
542 21:08 < hoffie> in case of an INSERT he can also manipulate the database
543 21:08 < hoffie> in case of other queries (functions or whatever) he might be able to execute arbitrary code
544 21:08 <@vorlon078> just as info... 2 always results in a glsa and has a target delay of 5 or 10 days
545 21:09 <@p-y> I know
546 21:09 <@vorlon078> 3 only results in glsa for A packages and gets a vote for B
547 21:09 <@vorlon078> keytoaster: still here?
548 21:09 < hoffie> so there seems to be a wide variety of different impacts, imo
549 21:09 <@vorlon078> do we agree on 3 for temp files?
550 21:09 <@p-y> yeah
551 21:10 <@keytoaster> vorlon078: yes, but a bit busy
552 21:10 < hoffie> mhhh
553 21:10 <@vorlon078> and mjf_ ?
554 21:10 < hoffie> in some cases, insecure temp file creation could be equal to local privilege escalation to root. think of overwriting /etc/shadow
555 21:10 < hoffie> or am i wrong here?
556 21:11 < hoffie> always depends on the concrete case of course...
557 21:11 <@vorlon078> hoffie: it can have serious consequences
558 21:11 <@p-y> hoffie, true, depends if the content is controllable by the attacker
559 21:11 <@vorlon078> so yeah... it is both a case by case thing
560 21:11 < hoffie> yep, i'd say this too
561 21:12 < hoffie> but i guess it'll still be a good idea to add this statement to the document
562 21:12 <@vorlon078> full db leak is 3 and data disclosure is 4... even those can have serious impact depending on the data
563 21:12 < hoffie> not to the list itself, but rather below it, i think
564 21:12 <@rbu> sorry for lagging.... as for insecure tempfile: if it allows code execution, we can still rate it 2
565 21:12 <@p-y> rbu: how?
566 21:12 <@rbu> or 1, if by root.
567 21:13 <@rbu> p-y: what do you mean?
568 21:13 <@vorlon078> and there is always the possibility to change the severity in the glsa even if not in full agreement with the policy... like has been done with the lates bind issue
569 21:13 <@p-y> how overwriting a file could allow code exec?
570 21:13 < hoffie> p-y: libs, /etc/shadow allowing root login, ...
571 21:13 <@p-y> in this case it's privilege escalation
572 21:14 <@vorlon078> yeah
573 21:14 <@rbu> p-y: well, if the attacker can control content and the file
574 21:14 <@rbu> p-y: that depends on who is *needed* to run the code. if it can (but not must) be run as root, it is not a privse?
575 21:14 <@rbu> privsep
576 21:14 <@vorlon078> actually the current policy kinda covers tempfile issues
577 21:14 <@vorlon078> just not explicitly
578 21:14 <@rbu> vorlon078: how so?
579 21:15 <@vorlon078> well... that case would be local priv escalation
580 21:15 <@vorlon078> hm... but in other cases it is not that clear it seems
581 21:15 <@vorlon078> bah... serious lack of concentration
582 21:15 <@rbu> vorlon078: by the same argument, any user-assisted code execution would be priv. escalation, because root could start the application
583 21:16 <@rbu> vorlon078: it would only be priv. esc. if root *needs to* (or usually does) run the application
584 21:16 <@vorlon078> alright
585 21:18 <@vorlon078> so actually it is quite hard to find a fixed value for both cases sql and tmp file
586 21:18 <@vorlon078> 3 would appear to be a good compromise though i think
587 21:19 <@vorlon078> if we do want to explicitely list it in the policz
588 21:19 <@vorlon078> s/policz/policy/
589 21:19 < hoffie> i'm certainly in favor of adding it to the document. i'm not sure if it should be added to the list. in any case i'd add a short explanation about the case-by-case thing below the table
590 21:19 <@vorlon078> that is something we could do
591 21:19 <@rbu> ++
592 21:20 <@vorlon078> input from jaervosz and Falco would be interesting too here i believe
593 21:20 <@vorlon078> who would like to draft a paragraph for that?
594 21:20 * rbu hides
595 21:20 * p-y follows rbu
596 21:20 <@vorlon078> rbu: great... thanks for stepping up and taking that task
597 21:20 < hoffie> haha
598 21:20 <@vorlon078> ah... two volunteers
599 21:21 <@vorlon078> ;)
600 21:21 < hoffie> does jeeves have some choose-a-random-person command? :p
601 21:21 <@vorlon078> lol
602 21:21 <@vorlon078> feature request for willikins
603 21:21 < hoffie> :D
604 21:21 <@vorlon078> rbu: could you do it?
605 21:22 < gontranz> .
606 21:22 < gontranz> oops
607 21:22 <@rbu> vorlon078: well, i would like to, but for fairness i had hoped we could split the load better :-)
608 21:23 <@rbu> next meeting i will keep a TODO counter in the /topic
609 21:23 <@vorlon078> hehe
610 21:23 < hoffie> i'm already at 1 and not even a member of the sec team :p
611 21:24 <@rbu> keytoaster: how do you feel about typing up those a few additions?
612 21:24 <@p-y> hey, we received a mail from a new recruit :)
613 21:24 <@vorlon078> just a short draft which could be reviewed
614 21:24 < hoffie> probably someone who listened to this meeting? :p
615 21:24 <@p-y> indeed
616 21:25 <@rbu> well, if no one else steps up in the aftermath, mark it TODO for me
617 21:25 <@vorlon078> ok
618 21:25 <@rbu> vorlon078: i hope you do sum up who needs to do what, otherwise i will die
619 21:25 <@vorlon078> we gotta do a summary anyways
620 21:25 < hoffie> yeah, some kind of summary would be cool
621 21:25 < hoffie> :)
622 21:26 <@keytoaster> rbu: i will decide that when i read the backlog :p
623 21:26 <@vorlon078> lol
624 21:26 <@vorlon078> ok
625 21:26 <@vorlon078> lets move on quickly
626 21:26 <@vorlon078> security support of games
627 21:26 <@vorlon078> no decision just short discussion
628 21:26 <@vorlon078> problem is we have many games with sec problems which end up being masked and stuff
629 21:27 <@vorlon078> and many never get fixed
630 21:27 <@rbu> http://rafb.net/p/R2cmJm95.html for a list
631 21:27 < hoffie> as long as they get masked and not removed, i think that's perfectly fine. if people want to use it, they'll have to explicitly agree to installing vulnerable software by putting it in package.unmask
632 21:27 <@p-y> ~arch seems the best way
633 21:27 <@vorlon078> we could treat them like every other package or declare them as non-supported
634 21:27 < hoffie> it's not that convenient, right, but security is still more important i think
635 21:28 <@vorlon078> p-y: that would be an idea... like with many webapps
636 21:28 <@vorlon078> although our goal should be to have secure software in the tree
637 21:28 <@rbu> ~arch, but no mask is no solution
638 21:28 <@rbu> i think both declaring it unsupported, and having it supported but masked is favorable over ~arch
639 21:29 < hoffie> yep
640 21:29 <@vorlon078> personally i don't like many masks either and ususally like security masked packages to get out of the tree
641 21:29 < hoffie> i'd favor handling it as any other package as i said.
642 21:29 <@vorlon078> i am not much in favour of calling a category unsupported when the packages are in arch
643 21:30 <@vorlon078> so i would prefer to have them masked
644 21:30 < hoffie> rbu: what exactly do you mean by "declaring it unspported"? i guess one would still file sec bugs and fix them asap if possible, just that there is no "guarantee" which enforces that, right?
645 21:30 <@vorlon078> and handled like other packages, just not removed from the tree as long as they are still maintained
646 21:30 < hoffie> yep..
647 21:31 <@vorlon078> any other opinions?
648 21:31 <@rbu> hoffie: the policy right now states that all packages should be supported (except some kernel sources), and if masked then removed or fixed shortly
649 21:32 < hoffie> [OT: concentration dropping... i guess meetings should be done more often in the future and be kept shorter]
650 21:32 <@rbu> if we want to *keep* some of them forever, we should add that to the policy as exceptions
651 21:32 <@vorlon078> we have not enforced the removal though
652 21:32 <@vorlon078> but i would prefer we do so more often
653 21:32 < hoffie> rbu: didnt know that (about having them removed at some time), but yeah, then i'd be in favor of adding such an exception for games
654 21:32 <@rbu> .. and web-apps.... the exception does not have to be for games explicitly.
655 21:33 <@vorlon078> hm
656 21:33 < hoffie> hm yeah, just thought about it, games are not really that special
657 21:33 < hoffie> it's more like if the software in question is still used heavily (which is often the case of games, but not necessarily)
658 21:33 <@vorlon078> ok
659 21:33 < hoffie> just look at php-4 as an example, we've kept it in p.mask for almost a year now as well
660 21:33 <@rbu> i would just like it so: Some applications are impossible or infeasable to support, so they might stay in package.mask"
661 21:34 < hoffie> (although there have been concrete dates for removal)
662 21:34 < hoffie> ++
663 21:34 <@vorlon078> i will look into the policy and see what could be changed or added
664 21:34 <@rbu> vorlon078: ok
665 21:34 <@vorlon078> and check what it says about removal etc
666 21:34 <@rbu> done with that then?
667 21:34 <@vorlon078> yep
668 21:34 <@vorlon078> woohoo
669 21:34 <@vorlon078> anything else???
670 21:34 <@rbu> p-y: you had topics
671 21:35 <@p-y> yeah
672 21:35 <@rbu> ohh.. one question to the general audience:
673 21:35 <@p-y> actually I noted CVE alias, but it was already dealt with :)
674 21:35 <@p-y> one last thing
675 21:35 <@p-y> removal of vulnerable pkg
676 21:35 <@rbu> p-y: you go first
677 21:35 <@p-y> some herds like web-apps do it, but others don't
678 21:35 <@p-y> and others have special policies
679 21:36 <@vorlon078> p-y: you mean vulnerable versions of fixed packages?
680 21:36 <@p-y> e.g gnome keep 2 stable versions
681 21:36 <@vorlon078> or masked packages
682 21:36 <@p-y> vorlon078: yep
683 21:36 <@rbu> p-y: others also do eventually, i guess web-app is just the ones leaving comments often
684 21:36 < hoffie> p-y: i think lots of devs dont even know about that and in many cases slacker arches are preventing it anyway
685 21:36 <@p-y> rbu: you sure of that?
686 21:36 <@vorlon078> p-y: officially we like the vuln versions to be removed but do not enforce it
687 21:36 <@p-y> and the "eventually" is already a problem for me
688 21:37 <@rbu> p-y: not entirely
689 21:37 <@p-y> no need to keep them any longer than necessary
690 21:37 <@p-y> ie when the fixed version is stabke
691 21:37 <@rbu> p-y: we could generate a list of all packages affected by a GLSA older than 4 weeks easily
692 21:37 <@vorlon078> rbu: that would be good
693 21:37 < hoffie> i dont think the problem is enforcing (i.e. maintainers who forget to do it), it's rather making them know about it in the first place
694 21:37 <@rbu> "easily" as in: it can be scripted.
695 21:37 <@vorlon078> someone had a script for stuff like that but i forgot who
696 21:37 <@rbu> but NO todo for me ths time ;-)
697 21:38 <@vorlon078> might have been jakub
698 21:38 < hoffie> i.e. adding a notice to the related bugs once stabilization is done
699 21:38 <@vorlon078> a script would be nice for this
700 21:38 <@vorlon078> and we should inform devs better about it
701 21:38 <@vorlon078> like a mail to -dev-announce
702 21:38 <@vorlon078> and include a comment when closing a bug
703 21:39 <@rbu> hoffie: adding it to the bug is a good idea. i plan for the new glsamaker to be able to change [stable] to [glsa] anyway, and it could leave that comment :-)
704 21:39 < hoffie> well, what about new devs? how should they know about it? it's not part of ebuild quiz or some document which every dev is supposed to read
705 21:39 < hoffie> so i'm really in favor of the comment-on-bug thing
706 21:39 <@vorlon078> hm
707 21:39 <@vorlon078> hoffie: agreed
708 21:40 <@rbu> we could agree on a comment, and then copy paste it
709 21:40 <@vorlon078> at some point we should also review quizzes and dev-manual for security related stuff maybe
710 21:40 <@rbu> about the script... p-y ?
711 21:40 <@p-y> hmm?
712 21:40 <@rbu> vorlon078: VERY good idea!
713 21:40 <@rbu> p-y: up to write that glsa "who is affected" thing?
714 21:40 < hoffie> vorlon078: maybe generate a "long-term todo list" along with the summary of this meeting? :)
715 21:41 <@p-y> err, don't know when I could find time to do that :/
716 21:41 <@vorlon078> hoffie: yep
717 21:41 <@p-y> but why not
718 21:41 <@vorlon078> also we could add stuff like that to the project page
719 21:41 <@rbu> vorlon078: if we have TODOs, which do not get assigned.. we could also list them on the recruitment page / blog
720 21:41 <@vorlon078> rbu: good idea
721 21:41 <@rbu> ok, i guess we are done with that question
722 21:42 <@vorlon078> so lets start adding comments to bugs about removal of vuln versions
723 21:42 <@vorlon078> could be something informal for now
724 21:42 <@vorlon078> just to get the word out
725 21:42 < hoffie> only problem is slacker arches i think..
726 21:42 <@rbu> hoffie: true
727 21:42 < hoffie> so security needs to keep track by bugmail, as vulnerable versions can often only be removed some time after the glsa (or changing to FIXED)
728 21:43 <@vorlon078> true
729 21:43 <@rbu> hoffie: none of the slacker arches actually removes themselves from the bug, so watching bugmail does not make sense
730 21:43 < hoffie> mhh
731 21:43 <@vorlon078> yeah... been a long time since i saw that happen
732 21:43 <@rbu> i think finding candidates by script is the easiest and most powerful approach
733 21:43 < hoffie> that sucks, but is really out of the scope of security
734 21:44 < hoffie> yep, sounds good
735 21:44 <@rbu> just needs some lines of bash/python/
736 21:44 <@rbu> and i guess we could actually advertise with that kind of task
737 21:44 <@vorlon078> yep
738 21:44 <@vorlon078> rbu: you had another topic?
739 21:44 <@rbu> uhh... well, kinda
740 21:45 <@rbu> just a question for opinions
741 21:45 <@rbu> debian marks security bumps in the *changelog* with a special keyword -- they use it for migration between their distributions
742 21:45 <@rbu> if we would do the same, we might end up having portage mark security updates in a special way
743 21:45 <@rbu> is that something we should go after, or not?
744 21:45 <@rbu> (i always have the craziest ideas, i know)
745 21:46 < hoffie> hmm, would certainly be cool, but how would you implement that?
746 21:46 <@p-y> rbu: maybe :)
747 21:46 < hoffie> ChangeLogs are free-form and i think they are not read at all by default (unless you use -l or whatever that option was)
748 21:46 <@vorlon078> i would like a consequent way to note sec bumps in the changelog since it is not always very clear atm
749 21:46 <@p-y> I don't know
750 21:46 <@rbu> hoffie:ever did "emerge -l"?
751 21:47 < hoffie> rbu: see contents of the parentheses :p
752 21:47 <@vorlon078> so i guess we would like it but could not require it
753 21:47 <@rbu> ohh.. ok, i should read all before typing
754 21:47 <@vorlon078> i'm already glad the changelog mostly contains "security" somehow so i get a hilight in #-commits
755 21:48 <@rbu> about the format, we could add a tag to the * lines, or so
756 21:48 < hoffie> well, i guess one could start making it a policy in the near future (like requiring the word "security" in those bump messages) and see about getting it parsed later
757 21:48 <@rbu> well, if i'm not the only one to like the idea, i'll just query genone sometime
758 21:49 <@vorlon078> rbu: i guess a proposal for such a keyword would be good
759 21:49 < hoffie> i certainly like the idea, i've got only concerns about the technical side of things
760 21:49 < hoffie> but maybe portage folks can help us here
761 21:49 <@vorlon078> then propose it and at some point later it could become policy
762 21:49 <@rbu> hoffie: ++
763 21:49 <@vorlon078> yep
764 21:50 <@rbu> well, we can have a meeting sometime soon and see about the outcome of most of what we discussed today
765 21:50 <@vorlon078> yeah
766 21:50 <@rbu> if we get 50% of it done, wow ;-)
767 21:50 < hoffie> yep, just wanted to re-raise this proposal :)
768 21:50 < hoffie> more frequent meetings, probably still on an as-needed basis
769 21:50 < hoffie> 3h of concentration are hard to manage
770 21:50 <@vorlon078> when more devs are back we also need to hold some kinda lead election again
771 21:50 <@vorlon078> and we do need to hold more (short) meetings
772 21:50 <@p-y> hoffie++
773 21:51 <@vorlon078> and personally i would like more stuff to be discussed via mail
774 21:51 <@rbu> yes, agreement to all of you (esp. election)
775 21:51 <@vorlon078> maybe even on gentoo-security@
776 21:51 <@vorlon078> which would make more of our work transparent
777 21:51 <@rbu> vorlon078: yes, list!
778 21:51 <@vorlon078> and could involve more people from outside
779 21:51 < hoffie> indeed
780 21:52 < hoffie> i'm certainly interested in helping out on certain things, but i dont want to be forced to be a member of the sec team. i guess there are more people feeling like that ;)
781 21:52 <@vorlon078> hoffie: yeah
782 21:52 <@vorlon078> good point
783 21:52 <@vorlon078> we need to be more open in some cases
784 21:53 <@p-y> ok, time for bed approaching here
785 21:53 <@vorlon078> talking about openness... i would like everyone to be reminded that bugs marked as CLASSIFIED should never be opened, or at least it needs serious discussion before they are
786 21:53 <@p-y> I'll try to think of that script for detecting vuln pkg
787 21:54 <@p-y> that'll be the occasion to boost my python skillz :)
788 21:54 <@vorlon078> p-y: might ask on -dev... i remember such a script existed
789 21:54 < hoffie> p-y: pff, your nick being "py" and not knowing python perfectly? :P
790 21:54 <@vorlon078> lol
791 21:54 <@p-y> yeah, I know :D
792 21:54 <@vorlon078> is there anything else to be discussed?
793 21:54 <@rbu> no from me
794 21:55 < hoffie> vorlon078: CLASSIFIED == CONFIDENTIAL/EMBARGOED? or is it sth different
795 21:55 <@p-y> not that I can think of
796 21:55 <@vorlon078> hoffie: no... see coord guide
797 21:55 < hoffie> ok
798 21:55 < aetius> none from me
799 21:55 <@vorlon078> classified shall stay closed forevere.... containing mails maybe or such
800 21:55 <@vorlon078> confidential can be opened at the agreed upon date
801 21:56 <@vorlon078> then let's consider this meeting closed
802 21:56 < hoffie> that's why i asked, as this is what i always saw ;)
803 21:56 * hoffie didnt notice aetius was there as well ;)
804 21:56 <@rbu> aetius: hahaha
805 21:56 <@vorlon078> i will upload the log to our proj/ space if nobody objects and send out a summary and stuff
806 21:56 <@vorlon078> but that might take a while
807 21:56 <@rbu> aetius: welcome, btw ;-)
808 21:56 < aetius> I wasn't really, just trying to catch up in spurts while working to fix our tools after bungie changed their site. :\
809 21:56 <@vorlon078> aetius: yeah... welcome ;)
810 21:57 <@rbu> bung... who?
811 21:57 < hoffie> vorlon078: do you have full logs? i.e. were you one of those problems without any connectivity/notebook problems? :p
812 --- Log closed Mon Jul 14 21:57:11 2008
Report Message
Find on MARC Find on Google Groups