| 1 |
25.09.2014 16:42, Andrew Savchenko пишет: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> many packages in tree are masked due to security issues instead of |
| 5 |
> issuing GLSA for them. Why? At this moment I counted 56 such |
| 6 |
> packages in package.mask. |
| 7 |
> |
| 8 |
> Some of these packages have GLSAs issued (e.g. nethack and friends) |
| 9 |
> and have no fixes, so this is understandable. But most packages are |
| 10 |
> just masked "due to security bugs", I recently stumbled upon: |
| 11 |
> ppp, mariadb, mysql, vlc... |
| 12 |
> |
| 13 |
> Why such masking is bad? Because it undermines the whole idea of |
| 14 |
> GLSA as a sole security provider for Gentoo users. |
| 15 |
> |
| 16 |
> I manage about 50 Gentoo boxes (with more than 10 unique setups) |
| 17 |
> and I'm not an update monkey to update them weekly. My usual |
| 18 |
> workflow is to emerge all world somewhere within 6 month and 1 |
| 19 |
> year, but to install security updates regularly and critical ones |
| 20 |
> ASAP. GLSA serves this purpose well (Yes, I understood that |
| 21 |
> security team can't embrace all issues so some extra lookup for |
| 22 |
> CVEs is needed as well). But security-masked packages undermine |
| 23 |
> such approach, because they're not listed in glsa-check -l affected |
| 24 |
> and message about masked packages doesn't appear in elog, only on |
| 25 |
> top of build log, which is likely to be lost. |
| 26 |
|
| 27 |
|
| 28 |
I think you are get some things wrong - they are masked not instead of |
| 29 |
GLSA, but prior to it. |
| 30 |
|
| 31 |
Let me explain the process on behalf on my security hat - before |
| 32 |
releasing GLSA we should rid of all vulnerable versions in tree. |
| 33 |
However, sometimes it leads to problems with migration on new |
| 34 |
versions(usually happens with complex packages, for example OpenLDAP). |
| 35 |
So, to mark that some versions are really not for ordinary users we can |
| 36 |
security mask them. After that - we do not need to remove them, just |
| 37 |
keep an eye that they would not be unmasked. The next step for these |
| 38 |
versions is only to be removed from tree, after all issues with |
| 39 |
dependant packages will be fixed. |
| 40 |
|
| 41 |
And then - we can proceed with making GLSA. Masking of package does not |
| 42 |
replace making GLSA and never was! |
| 43 |
|
| 44 |
If you are claim that GLSA making process is too slow, well... We have |
| 45 |
vast amount of security issues and not many people who handles them, so |
| 46 |
- here we are... |
| 47 |
|
| 48 |
As for ppp, i masked it, because there are some packages in tree that |
| 49 |
hardcodes usage for specific versions of ppp and they should be patched |
| 50 |
BEFORE vulnerable versions of ppp will leave tree. |
| 51 |
|
| 52 |
I want to notice, that such practice was established a long time ago, |
| 53 |
from the very beginning of Gentoo Security team and i do not think that |
| 54 |
we should change something in it |
| 55 |
|
| 56 |
-- |
| 57 |
Best regards, Sergey Popov |
| 58 |
Gentoo developer |
| 59 |
Gentoo Desktop Effects project lead |
| 60 |
Gentoo Proxy maintainers project lead |
Archives