1 |
Hi, |
2 |
|
3 |
regarding "security supported architectures" a few words from security |
4 |
project: |
5 |
|
6 |
We don't like the differentiation. And in practice, it doesn't even |
7 |
matter nor does it work: |
8 |
|
9 |
In theory, "security supported architectures" would allow us to ignore |
10 |
bugs only affecting specific architectures. But examples are rare. I can |
11 |
only think about a vulnerability affecting just x86 |
12 |
(https://security.gentoo.org/glsa/202003-13) or arm (like some |
13 |
vulnerabilities in Xen hypervisor making use of specific hardware |
14 |
features) in the past 24 months. So this is not really important and in |
15 |
the end we don't really have the man power to differentiate. We just |
16 |
bump because if we would skip a bug fix just because we thought it |
17 |
doesn't affect us, this could have serious impact for no real reason. |
18 |
|
19 |
We also always have to cc all architectures which have stable keywords |
20 |
set on any affected ebuild which should be removed (cleaned up) after |
21 |
security stabilization or maintainers will be unable to do the cleanup. |
22 |
|
23 |
In the past, "security supported architecture" was also used to |
24 |
determine when security team was allowed to publish a GLSA. However, we |
25 |
changed this policy ~3 years ago: |
26 |
|
27 |
Some people don't do regular world upgrades. They only pull updates when |
28 |
they want a newer version or for security reasons via glsa-check tool. |
29 |
Not telling amd64 users that they are using a vulnerable package where |
30 |
we already have a fix for just because slacking architecture like hppa |
31 |
in these days didn't stabilize this package yet was just unacceptable. |
32 |
|
33 |
It wasn't an easy decision even in our small team because some members |
34 |
had the concern that users will get warned about a vulnerability without |
35 |
a solution yet available for their architecture, resulting in bug |
36 |
spam/nagging. However, this never happened and some members even believe |
37 |
that this is also an opportunity: Maybe some users not knowing that |
38 |
their arch team is slacking would step up and join their architecture |
39 |
team and help. |
40 |
|
41 |
For the future some members even want to go one step further and release |
42 |
GLSAs more often and not just for B2 or more severe vulnerabilities. |
43 |
|
44 |
Back to "security supported architectures: |
45 |
|
46 |
tl;dr |
47 |
|
48 |
Security project wants to remove "security supported architectures" for |
49 |
years. |
50 |
|
51 |
Any architecture in Gentoo which is carrying stable keywords must keep |
52 |
up with stabilization or keyword requests. Security stabilization |
53 |
shouldn't be treated special (Because new ebuilds often depend on recent |
54 |
libs. If an arch team would only focus on security bugs, calling for |
55 |
stabilization will become more difficult because we would have to add |
56 |
all the missing deps which are now required but already stable |
57 |
everywhere else and just ignored by this arch until today). |
58 |
If an architecture can no longer keep up with stabilization/keywording |
59 |
demand, the entire architecture must be dropped to ~arch. No exception. |
60 |
Stop pretending that this architecture is in good shape and that those |
61 |
users have the same stable experience like you have on more common |
62 |
architectures. |
63 |
|
64 |
Keep in mind: You would also need to explain a user, "Yeah, you are |
65 |
using something we name 'stable' but it doesn't mean what you are |
66 |
expecting and BTW, while we have said we have fixed vulnerability X in |
67 |
Gentoo you heard about in the media, don't forget to check on your own |
68 |
if this is also true for your architecture because in theory the |
69 |
maintainer could have decided to make use of arch-depending eapply for |
70 |
some reason..." |
71 |
|
72 |
=> Keep it simple: Stable should mean the same across all architectures |
73 |
|
74 |
|
75 |
-- |
76 |
Regards, |
77 |
Thomas Deutschmann / Gentoo Security Team |
78 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |