| 1 |
On Sun, 12 Mar 2017 19:59:11 +0100 |
| 2 |
Kristian Fiskerstrand <k_f@g.o> wrote: |
| 3 |
|
| 4 |
> On 03/12/2017 09:14 AM, Alexis Ballier wrote: |
| 5 |
> > Most of it seems more appropriate for a project page to me and up to |
| 6 |
> > the sec. team, so I'll comment on the global parts only. |
| 7 |
> > |
| 8 |
> > The only global part I see is the "Security package version/revision |
| 9 |
> > bumps and package masks". This one would benefit from a proper |
| 10 |
> > definition of the rules here: If severity is X then inactive is |
| 11 |
> > defined to be Y days. After that, sec. team can fix themselves. It |
| 12 |
> > should also be the same for masking: If severity is X and no fix is |
| 13 |
> > known after Y days/months then sec. team should mask it (but not |
| 14 |
> > last rite it, this should still be maintainer/treecleaners). |
| 15 |
> |
| 16 |
> The severity levels and timelines are already defined in the |
| 17 |
> referenced vulnerability treatment policy. We might be able to |
| 18 |
> incorporate this suggestion by stronger reference to that for |
| 19 |
> timeline, but in the end that should be the internal policy anyways. |
| 20 |
|
| 21 |
|
| 22 |
To me, this is the only thing that is *not* internal here. |
| 23 |
|
| 24 |
You have a target delay X. What happens after X expires ? After 2X ? |
| 25 |
10X ? When is it right for sec. team to intervene ? When is it right |
| 26 |
for sec. team to intervene after maintainer has asked for a delay ? When |
| 27 |
is it right for sec. team to intervene against maintainer wishes ? |
| 28 |
|
| 29 |
I'm pretty sure you have a good idea of when sec. team should act, and |
| 30 |
you're right in the sense that severity analysis does not belong to the |
| 31 |
GLEP, but something referencing your treatment policy and explicitly |
| 32 |
stating in the GLEP that (any member of) sec. team is allowed to take |
| 33 |
action after some multiple (possibly one) of the target delay would be |
| 34 |
more clear and avoid entirely having the lead to take a decision every |
| 35 |
time. |
| 36 |
|
| 37 |
I'm insisting here for various reasons: |
| 38 |
- It is preferable to have a clear resolution procedure, known in |
| 39 |
advance, instead of something at someone's discretion that happens |
| 40 |
to be brought up every time some other one is not happy. |
| 41 |
- Sometimes sec. masking will be controversial (nethack maybe?), having |
| 42 |
the lead take all the hate is not fair either. |
| 43 |
- I would definitely prefer saying about Gentoo: "We do not ship |
| 44 |
anything that has had a CVE reported for more than a month" than "We |
| 45 |
do our best to keep your system safe". |
| 46 |
|
| 47 |
|
| 48 |
Also, please keep in mind that for most people A4/A3/B3/B4/etc. are |
| 49 |
paper sizes :) (so that restating the delay in sec bugs is not wasted |
| 50 |
electrons) |
| 51 |
|
| 52 |
|
| 53 |
[...] |
| 54 |
> > Also, it'd be nice to have something more formal for sec. cleanup: |
| 55 |
> > "After 30 days a sec. issue has been fixed, sec. team is free to |
| 56 |
> > cleanup old vulnerable versions.". I've seen too much pings by sec. |
| 57 |
> > team members on old bugs for this and they could have spent the same |
| 58 |
> > amount of time simply doing it instead. |
| 59 |
> |
| 60 |
> This presumes all security members are gentoo developers with tree |
| 61 |
> access and can do it themselves, but I'm not convinced cleanups are |
| 62 |
> vital enough for security to interact as it requires quite a bit of |
| 63 |
> work for an unfamiliar package to know which files to remove in |
| 64 |
> files/ for specific versions and/or other package-specific quirks. |
| 65 |
> The package maintainers really should be able to handle this or hand |
| 66 |
> off the package to someone else. |
| 67 |
|
| 68 |
Well, I'm not saying the maintainer should not nor that sec. team must |
| 69 |
do it themselves, I'm just saying that sec. team can. There are |
| 70 |
complex cases but the vast majority of security cleanups are no |
| 71 |
brainers that anyone who has passed the quizzes can do. |
| 72 |
|
| 73 |
Alexis. |
Archives