On 25.09.2014 16:42, Andrew Savchenko wrote:
> Hello,
>
> many packages in tree are masked due to security issues instead of
> issuing GLSAs for them. Why? At this moment I counted 56 such
> packages in package.mask.
>
> Some of these packages have GLSAs issued (e.g. nethack and friends)
> and have no fixes, so this is understandable. But most packages are
> just masked "due to security bugs". I recently stumbled upon:
> ppp, mariadb, mysql, vlc...
>
> Why is such masking bad? Because it undermines the whole idea of
> GLSA as the sole security provider for Gentoo users.
>
> I manage about 50 Gentoo boxes (with more than 10 unique setups)
> and I'm not an update monkey to update them weekly. My usual
> workflow is to emerge all of world somewhere between 6 months and 1
> year, but to install security updates regularly and critical ones
> ASAP. GLSA serves this purpose well (yes, I understand that the
> security team can't embrace all issues, so some extra lookup for
> CVEs is needed as well). But security-masked packages undermine
> such an approach, because they're not listed in glsa-check -l affected,
> and the message about masked packages doesn't appear in elog, only at
> the top of the build log, which is likely to be lost.

I think you get some things wrong - they are masked not instead of a
GLSA, but prior to it.

Let me explain the process on behalf of my security hat - before
releasing a GLSA we should get rid of all vulnerable versions in tree.
However, sometimes this leads to problems with migration to new
versions (usually happens with complex packages, for example OpenLDAP).
So, to mark that some versions are really not for ordinary users, we can
security mask them. After that we do not need to remove them, just
keep an eye on them so that they are not unmasked. The next step for these
versions is only to be removed from tree, after all issues with
dependent packages have been fixed.

And then we can proceed with making the GLSA. Masking a package does not
replace making a GLSA and never did!

If you claim that the GLSA making process is too slow, well... We have
a vast amount of security issues and not many people who handle them, so
- here we are...

As for ppp, I masked it because there are some packages in tree that
hardcode usage of specific versions of ppp, and they should be patched
BEFORE vulnerable versions of ppp leave the tree.

I want to note that such practice was established a long time ago,
from the very beginning of the Gentoo Security team, and I do not think that
we should change anything in it.

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Proxy maintainers project lead
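Andrew's point above is that security masks do not surface in `glsa-check -l affected`, so an administrator has to read package.mask himself. The script below is an added example, not part of this thread or of Gentoo's tooling: it pulls out the atoms of every package.mask block whose comment mentions security, assuming the usual layout of a comment header followed by atoms and separated by blank lines. The sample package.mask content, names and bug numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): list the atoms in a package.mask
# file whose mask comment mentions "security". A package.mask block is a
# run of "# ..." comment lines followed by the masked atoms; blocks are
# separated by blank lines.

# Constructed sample package.mask; developer, dates and bug ids are placeholders.
SAMPLE_MASK="${TMPDIR:-/tmp}/package.mask.sample.$$"
cat > "$SAMPLE_MASK" <<'EOF'
# Example Dev <dev@example.org> (25 Sep 2014)
# Masked due to security bugs #000000
<net-dialup/ppp-2.4.7

# Example Dev <dev@example.org> (20 Sep 2014)
# Mask for testing, needs more keywording
=app-misc/foo-1.2.3

# Example Dev <dev@example.org> (01 Sep 2014)
# Security mask: multiple CVEs, see bug #000001
<dev-db/mysql-5.5.40
<dev-db/mariadb-5.5.40
EOF

# Print every atom whose preceding comment block mentions security
# (case-insensitive). A comment line directly after atoms starts a new
# block even without a blank separator.
security_masked_atoms() {
    awk '
        /^#/ {
            if (in_atoms) { comment = ""; in_atoms = 0 }
            comment = comment "\n" $0; next
        }
        /^[[:space:]]*$/ { comment = ""; in_atoms = 0; next }
        {
            in_atoms = 1
            if (tolower(comment) ~ /security/) print $0
        }
    ' "$1"
}

# Number of security-masked atoms, handy for a cron job that alerts on change.
security_masked_count() {
    security_masked_atoms "$1" | wc -l | tr -d ' '
}

security_masked_atoms "$SAMPLE_MASK"
```

Point it at a real tree with `security_masked_atoms /usr/portage/profiles/package.mask` (path assumed; adjust to your repository location) to get the list that glsa-check does not show.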