| 1 |
Hi all, |
| 2 |
|
| 3 |
as GLEP 14 has been accepted yesterday I made a little writeup that |
| 4 |
deals with the upcoming security project and the handling of security |
| 5 |
bugs. Some of the points mentioned here have been touched in |
| 6 |
#gentoo-security, this is basically a follow-up of that discussion and |
| 7 |
the discussion about GLEP 14, as the GLSA release process has to be |
| 8 |
changed for the final implementation of GLEP 14 (for those joining late: |
| 9 |
http://www.gentoo.org/proj/en/glep/glep-0014.html). |
| 10 |
This is just a (not very well thought) proposal, nothing definite. But |
| 11 |
I'd like to get this off the ground ASAP, as classes start in 3 weeks |
| 12 |
and will need a lot of time from me then. |
| 13 |
|
| 14 |
Basic idea for the handling of security bugs: |
| 15 |
|
| 16 |
Security bugs should be kept in bugzilla, but to automate the generation |
| 17 |
of GLSAs we need a special format somehow, if we use keywords, comments |
| 18 |
or something different for that is open. To maintain the integrity of |
| 19 |
that format the direct editing of these bugs should be limited to a few |
| 20 |
people if possible. |
| 21 |
The actual filing and editing of these bugs should be done with a new |
| 22 |
interface that is specially designed for security bugs and GLSA |
| 23 |
information. Once a security bug is marked as fixed a GLSA generation |
| 24 |
script is run that generates the GLSA, GPG-signs it (depending on |
| 25 |
policy) and distributes it on mailing lists, http- and rsync-servers. |
| 26 |
The update script then can take the GLSAs from /usr/portage/glsa or the |
| 27 |
http repository (to avoid unneeded syncs just to get the GLSA). |
| 28 |
|
| 29 |
course of action: |
| 30 |
- form the security project and find a lead |
| 31 |
- define the terms of reference for the security team |
| 32 |
- specify the format of a GLSA / finalize the DTD |
| 33 |
- define a policy for GLSAs |
| 34 |
- write a project website, including policy |
| 35 |
- define a special format for security bugs that allows script based |
| 36 |
parsing |
| 37 |
- code necessary extensions for bugzilla / edit bugzilla config to |
| 38 |
handle security bugs different |
| 39 |
- code an interface to bugzilla for entering security bugs using the |
| 40 |
defined format |
| 41 |
- code the GLSA generation script |
| 42 |
- finish the update script and include it in portage/gentoolkit or a new |
| 43 |
package |
| 44 |
- (update old GLSAs) |
| 45 |
|
| 46 |
special bugzilla handling for security bugs: |
| 47 |
- only allow a few people to file/close/edit them directly (to maintain |
| 48 |
the special format) if possible |
| 49 |
- run the generation script when a security bug is marked as fixed |
| 50 |
(maybe define other actions for other resolutions ??) |
| 51 |
|
| 52 |
needed tools: |
| 53 |
- bugzilla extension ?? |
| 54 |
- GLSA generation script which does: |
| 55 |
* convert the bugzilla/mysql data to plaintext and XML |
| 56 |
* signs the GLSA (details depend on policy) |
| 57 |
* sends the GLSA to a set of defined mailinglist |
| 58 |
* commits the GLSA into a repository from where it is uploaded/copied |
| 59 |
to the gentoo-x86 tree and the project website repository (for online |
| 60 |
checking) |
| 61 |
* sends a notice to the forum moderators (or post directly ??) |
| 62 |
- update script (which can be integrated into portage later), mostly |
| 63 |
done |
| 64 |
- bugzilla interface site |
| 65 |
|
| 66 |
idea for GLSA policy: |
| 67 |
- everyone who should be able to issue a GLSA needs a GPG key that is |
| 68 |
signed by a master security project key |
| 69 |
- the GLSA is signed with the master security project key and the key of |
| 70 |
the developer who closed the bug |
| 71 |
- before a bug is closed at least one other security project member has |
| 72 |
to confirm it |
| 73 |
|
| 74 |
I'm sure I missed a lot of things but I think the general idea should be |
| 75 |
clear. Everything is open for discussion. |
| 76 |
So, what do you think about this? |
| 77 |
|
| 78 |
Marius |
| 79 |
|
| 80 |
-- |
| 81 |
Public Key at http://www.genone.de/info/gpg-key.pub |
| 82 |
|
| 83 |
In the beginning, there was nothing. And God said, 'Let there be |
| 84 |
Light.' And there was still nothing, but you could see a bit better. |
Archives