1 |
On Sun, 12 Mar 2017 19:59:11 +0100 |
2 |
Kristian Fiskerstrand <k_f@g.o> wrote: |
3 |
|
4 |
> On 03/12/2017 09:14 AM, Alexis Ballier wrote: |
5 |
> > Most of it seems more appropriate for a project page to me and up to |
6 |
> > the sec. team, so I'll comment on the global parts only. |
7 |
> > |
8 |
> > The only global part I see is the "Security package version/revision |
9 |
> > bumps and package masks". This one would benefit from a proper |
10 |
> > definition of the rules here: If severity is X then inactive is |
11 |
> > defined to be Y days. After that, sec. team can fix themselves. It |
12 |
> > should also be the same for masking: If severity is X and no fix is |
13 |
> > known after Y days/months then sec. team should mask it (but not |
14 |
> > last rite it, this should still be maintainer/treecleaners). |
15 |
> |
16 |
> The severity levels and timelines are already defined in the |
17 |
> referenced vulnerability treatment policy. We might be able to |
18 |
> incorporate this suggestion by stronger reference to that for |
19 |
> timeline, but in the end that should be the internal policy anyways. |
20 |
|
21 |
|
22 |
To me, this is the only thing that is *not* internal here. |
23 |
|
24 |
You have a target delay X. What happens after X expires ? After 2X ? |
25 |
10X ? When is it right for sec. team to intervene ? When is it right |
26 |
for sec. team to intervene after maintainer has asked for a delay ? When |
27 |
is it right for sec. team to intervene against maintainer wishes ? |
28 |
|
29 |
I'm pretty sure you have a good idea of when sec. team should act, and |
30 |
you're right in the sense that severity analysis does not belong to the |
31 |
GLEP, but something referencing your treatment policy and explicitly |
32 |
stating in the GLEP that (any member of) sec. team is allowed to take |
33 |
action after some multiple (possibly one) of the target delay would be |
34 |
more clear and avoid entirely having the lead to take a decision every |
35 |
time. |
36 |
|
37 |
I'm insisting here for various reasons: |
38 |
- It is preferable to have a clear resolution procedure, known in |
39 |
advance, instead of something at someone's discretion that happens |
40 |
to be brought up every time some other one is not happy. |
41 |
- Sometimes sec. masking will be controversial (nethack maybe?), having |
42 |
the lead take all the hate is not fair either. |
43 |
- I would definitely prefer saying about Gentoo: "We do not ship |
44 |
anything that has had a CVE reported for more than a month" than "We |
45 |
do our best to keep your system safe". |
46 |
|
47 |
|
48 |
Also, please keep in mind that for most people A4/A3/B3/B4/etc. are |
49 |
paper sizes :) (so that restating the delay in sec bugs is not wasted |
50 |
electrons) |
51 |
|
52 |
|
53 |
[...] |
54 |
> > Also, it'd be nice to have something more formal for sec. cleanup: |
55 |
> > "After 30 days a sec. issue has been fixed, sec. team is free to |
56 |
> > cleanup old vulnerable versions.". I've seen too much pings by sec. |
57 |
> > team members on old bugs for this and they could have spent the same |
58 |
> > amount of time simply doing it instead. |
59 |
> |
60 |
> This presumes all security members are gentoo developers with tree |
61 |
> access and can do it themselves, but I'm not convinced cleanups are |
62 |
> vital enough for security to interact as it requires quite a bit of |
63 |
> work for an unfamiliar package to know which files to remove in |
64 |
> files/ for specific versions and/or other package-specific quirks. |
65 |
> The package maintainers really should be able to handle this or hand |
66 |
> off the package to someone else. |
67 |
|
68 |
Well, I'm not saying the maintainer should not nor that sec. team must |
69 |
do it themselves, I'm just saying that sec. team can. There are |
70 |
complex cases but the vast majority of security cleanups are no |
71 |
brainers that anyone who has passed the quizzes can do. |
72 |
|
73 |
Alexis. |