| 1 |
Hi, |
| 2 |
|
| 3 |
regarding "security supported architectures" a few words from security |
| 4 |
project: |
| 5 |
|
| 6 |
We don't like the differentiation. And in practice, it doesn't even |
| 7 |
matter nor does it work: |
| 8 |
|
| 9 |
In theory, "security supported architectures" would allow us to ignore |
| 10 |
bugs only affecting specific architectures. But examples are rare. I can |
| 11 |
only think about a vulnerability affecting just x86 |
| 12 |
(https://security.gentoo.org/glsa/202003-13) or arm (like some |
| 13 |
vulnerabilities in Xen hypervisor making use of specific hardware |
| 14 |
features) in the past 24 months. So this is not really important and in |
| 15 |
the end we don't really have the man power to differentiate. We just |
| 16 |
bump because if we would skip a bug fix just because we thought it |
| 17 |
doesn't affect us, this could have serious impact for no real reason. |
| 18 |
|
| 19 |
We also always have to cc all architectures which have stable keywords |
| 20 |
set on any affected ebuild which should be removed (cleaned up) after |
| 21 |
security stabilization or maintainers will be unable to do the cleanup. |
| 22 |
|
| 23 |
In the past, "security supported architecture" was also used to |
| 24 |
determine when security team was allowed to publish a GLSA. However, we |
| 25 |
changed this policy ~3 years ago: |
| 26 |
|
| 27 |
Some people don't do regular world upgrades. They only pull updates when |
| 28 |
they want a newer version or for security reasons via glsa-check tool. |
| 29 |
Not telling amd64 users that they are using a vulnerable package where |
| 30 |
we already have a fix for just because slacking architecture like hppa |
| 31 |
in these days didn't stabilize this package yet was just unacceptable. |
| 32 |
|
| 33 |
It wasn't an easy decision even in our small team because some members |
| 34 |
had the concern that users will get warned about a vulnerability without |
| 35 |
a solution yet available for their architecture, resulting in bug |
| 36 |
spam/nagging. However, this never happened and some members even believe |
| 37 |
that this is also an opportunity: Maybe some users not knowing that |
| 38 |
their arch team is slacking would step up and join their architecture |
| 39 |
team and help. |
| 40 |
|
| 41 |
For the future some members even want to go one step further and release |
| 42 |
GLSAs more often and not just for B2 or more severe vulnerabilities. |
| 43 |
|
| 44 |
Back to "security supported architectures: |
| 45 |
|
| 46 |
tl;dr |
| 47 |
|
| 48 |
Security project wants to remove "security supported architectures" for |
| 49 |
years. |
| 50 |
|
| 51 |
Any architecture in Gentoo which is carrying stable keywords must keep |
| 52 |
up with stabilization or keyword requests. Security stabilization |
| 53 |
shouldn't be treated special (Because new ebuilds often depend on recent |
| 54 |
libs. If an arch team would only focus on security bugs, calling for |
| 55 |
stabilization will become more difficult because we would have to add |
| 56 |
all the missing deps which are now required but already stable |
| 57 |
everywhere else and just ignored by this arch until today). |
| 58 |
If an architecture can no longer keep up with stabilization/keywording |
| 59 |
demand, the entire architecture must be dropped to ~arch. No exception. |
| 60 |
Stop pretending that this architecture is in good shape and that those |
| 61 |
users have the same stable experience like you have on more common |
| 62 |
architectures. |
| 63 |
|
| 64 |
Keep in mind: You would also need to explain a user, "Yeah, you are |
| 65 |
using something we name 'stable' but it doesn't mean what you are |
| 66 |
expecting and BTW, while we have said we have fixed vulnerability X in |
| 67 |
Gentoo you heard about in the media, don't forget to check on your own |
| 68 |
if this is also true for your architecture because in theory the |
| 69 |
maintainer could have decided to make use of arch-depending eapply for |
| 70 |
some reason..." |
| 71 |
|
| 72 |
=> Keep it simple: Stable should mean the same across all architectures |
| 73 |
|
| 74 |
|
| 75 |
-- |
| 76 |
Regards, |
| 77 |
Thomas Deutschmann / Gentoo Security Team |
| 78 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives