| 1 |
On Fri, Dec 02, 2022 at 06:29:28PM +0000, Peter Stuge wrote: |
| 2 |
> John Helmert III wrote: |
| 3 |
> > So much yapping on the mailing lists, and no response in the bug which |
| 4 |
> > triggered the last rites... |
| 5 |
> |
| 6 |
> Apologies if I responed in the wrong forum. I thought on list would |
| 7 |
> be good, why are those mails on the list if not? |
| 8 |
> |
| 9 |
> |
| 10 |
> > So, Peter, do you use Boa? |
| 11 |
> |
| 12 |
> Not right now, but I have before and I might again. |
| 13 |
> |
| 14 |
> |
| 15 |
> > If you do, what niche does it fill that isn't filled by anything else? |
| 16 |
> |
| 17 |
> That's a strange question. Why should I agree with or even |
| 18 |
> reconfigure because of something that is in fact an error? |
| 19 |
> |
| 20 |
> I ask you to revert the lastrite not because it would break a use |
| 21 |
> case of mine but because the CVEs do not apply to boa itself but to |
| 22 |
> some unknown appliance that uses boa to serve unknown buggy CGI scripts. |
| 23 |
> |
| 24 |
> |
| 25 |
> > There are multiple CVEs for it, is it really on us to discriminate |
| 26 |
> > between which CVEs are valid and which are not? |
| 27 |
> |
| 28 |
> Yes. |
| 29 |
> |
| 30 |
> You are obviously /not/ responsible for what bogus CVEs people may |
| 31 |
> report, but we're all responsible for the commits we create. |
| 32 |
> |
| 33 |
> I assume that everyone wants to improve the overall state with each |
| 34 |
> commit - that we want to make things more correct since that's what |
| 35 |
> enables reliability, hence yes: it really is on every one of us to |
| 36 |
> verify our inputs before taking action on them. |
| 37 |
> |
| 38 |
> |
| 39 |
> > We can't possibly hope to do that accurately in all cases. |
| 40 |
> |
| 41 |
> Some times it will be easy, other times less easy. |
| 42 |
> |
| 43 |
> In this case the CVEs could be dismissed by searching the source code |
| 44 |
> for the file names in the CVEs. Or by having experience with what the |
| 45 |
> package provides, in particular that it doesn't include any CGI scripts. |
| 46 |
> |
| 47 |
> Maybe the accurate bigger picture is that no (current) Gentoo developer |
| 48 |
> knows enough about the package and thus can't be expected to action |
| 49 |
> such bogus CVEs correctly without a couple of minutes of investigation, |
| 50 |
> which would be too long, then I guess maintainer-needed is the most honest? |
| 51 |
|
| 52 |
No, when a package is believed to be vulnerable, it is not responsible |
| 53 |
for us to just leave it as maintainer-needed, that's not an accurate |
| 54 |
reflection of the situation. |
| 55 |
|
| 56 |
If you think the CVEs are invalid, maybe talk to upstream? Or MITRE? |
| 57 |
Or anybody that isn't only a CVE downstream? |
| 58 |
|
| 59 |
I also note that very few distributions package Boa: |
| 60 |
|
| 61 |
https://repology.org/project/boa/versions |
| 62 |
|
| 63 |
This is a good way to measure how many people care about the package |
| 64 |
(and thus, its security health). If the commercial distributions don't |
| 65 |
carry a package, nobody cares for it, and thus security issues are |
| 66 |
unlikely to be tracked and handled well. |
| 67 |
|
| 68 |
> The mere existance of CVEs can not be reason enough for any change, |
| 69 |
> that would mean resignation to fear instead of encouraging rational |
| 70 |
> behavior as required to actually improve technology. It would also |
| 71 |
> create incentive for permanent denial-of-service attacks by way of |
| 72 |
> bogus CVEs manipulating people into incorrect lastrites and other |
| 73 |
> changes. I don't want that to become common. |
| 74 |
|
| 75 |
That's not a real concern. We're not going to last rite something like |
| 76 |
nginx simply because there's a CVE against it. In the case of Boa, |
| 77 |
which doesn't seem to have been touched in approaching 20 years, the |
| 78 |
impact of last rites is minimal. |
| 79 |
|
| 80 |
> My question about the lastriting process was not an attack but a |
| 81 |
> genuine inquiry. The answer I receive so far is something like |
| 82 |
> "it can't work better because we react indiscriminately to CVEs", |
| 83 |
> that's an honest answer (thank you!) but not great quality. Does |
| 84 |
> everyone mostly agree with that policy? |
| 85 |
|
| 86 |
It generally can't work better with MITRE being useless in many |
| 87 |
cases. Yes, the CVEs seem garbage, but I can't say that |
| 88 |
authoritatively, so I don't. |
| 89 |
|
| 90 |
> |
| 91 |
> Thanks |
| 92 |
> |
| 93 |
> //Peter |
| 94 |
> |
Archives