On Fri, Dec 02, 2022 at 06:29:28PM +0000, Peter Stuge wrote:
> John Helmert III wrote:
> > So much yapping on the mailing lists, and no response in the bug which
> > triggered the last rites...
>
> Apologies if I responded in the wrong forum. I thought on list would
> be good, why are those mails on the list if not?
>
>
> > So, Peter, do you use Boa?
>
> Not right now, but I have before and I might again.
>
>
> > If you do, what niche does it fill that isn't filled by anything else?
>
> That's a strange question. Why should I agree with or even
> reconfigure because of something that is in fact an error?
>
> I ask you to revert the lastrite not because it would break a use
> case of mine but because the CVEs do not apply to boa itself but to
> some unknown appliance that uses boa to serve unknown buggy CGI scripts.
>
>
> > There are multiple CVEs for it, is it really on us to discriminate
> > between which CVEs are valid and which are not?
>
> Yes.
>
> You are obviously /not/ responsible for what bogus CVEs people may
> report, but we're all responsible for the commits we create.
>
> I assume that everyone wants to improve the overall state with each
> commit - that we want to make things more correct since that's what
> enables reliability, hence yes: it really is on every one of us to
> verify our inputs before taking action on them.
>
>
> > We can't possibly hope to do that accurately in all cases.
>
> Sometimes it will be easy, other times less easy.
>
> In this case the CVEs could be dismissed by searching the source code
> for the file names in the CVEs. Or by having experience with what the
> package provides, in particular that it doesn't include any CGI scripts.
>
> Maybe the accurate bigger picture is that no (current) Gentoo developer
> knows enough about the package and thus can't be expected to action
> such bogus CVEs correctly without a couple of minutes of investigation,
> which would be too long, then I guess maintainer-needed is the most honest?

No, when a package is believed to be vulnerable, it is not responsible
for us to just leave it as maintainer-needed, that's not an accurate
reflection of the situation.

If you think the CVEs are invalid, maybe talk to upstream? Or MITRE?
Or anybody that isn't only a CVE downstream?

I also note that very few distributions package Boa:

https://repology.org/project/boa/versions

This is a good way to measure how many people care about the package
(and thus, its security health). If the commercial distributions don't
carry a package, nobody cares for it, and thus security issues are
unlikely to be tracked and handled well.

> The mere existence of CVEs can not be reason enough for any change,
> that would mean resignation to fear instead of encouraging rational
> behavior as required to actually improve technology. It would also
> create incentive for permanent denial-of-service attacks by way of
> bogus CVEs manipulating people into incorrect lastrites and other
> changes. I don't want that to become common.

That's not a real concern. We're not going to last rite something like
nginx simply because there's a CVE against it. In the case of Boa,
which doesn't seem to have been touched in approaching 20 years, the
impact of last rites is minimal.

> My question about the lastriting process was not an attack but a
> genuine inquiry. The answer I receive so far is something like
> "it can't work better because we react indiscriminately to CVEs",
> that's an honest answer (thank you!) but not great quality. Does
> everyone mostly agree with that policy?

It generally can't work better with MITRE being useless in many
cases. Yes, the CVEs seem garbage, but I can't say that
authoritatively, so I don't.

>
> Thanks
>
> //Peter
>
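The triage step Peter describes above (search the package source for the file names a CVE mentions, and confirm whether the package ships any CGI scripts at all), as an added example that is not part of the thread and not Gentoo's or Boa's own tooling. The source tree and the CVE path list are constructed stand-ins for the demo; the paths are hypothetical and are not taken from any real CVE.

```shell
#!/bin/sh
# Added example: does a CVE's named path actually exist in the package source?
# The tree and the path list below are constructed for the demo.
set -eu

# Constructed stand-in for an unpacked source tarball: a few C files, no CGI.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src" "$dir/docs"
  : > "$dir/src/request.c"
  : > "$dir/src/cgi_support.c"   # CGI *support* code, not a CGI script
  : > "$dir/docs/example.conf"
  printf '%s' "$dir"
}

# Usage: cve_paths_present <srcdir> <path>...
# Prints whether each named path is found under srcdir (matched on its
# basename anywhere in the tree, since CVE text rarely gives a tree-relative
# path). Returns 0 if at least one path was found, 1 if none were.
cve_paths_present() {
  srcdir=$1; shift
  found=0
  for p in "$@"; do
    base=$(basename "$p")
    if find "$srcdir" -type f -name "$base" | grep -q .; then
      echo "present: $p"
      found=1
    else
      echo "absent:  $p"
    fi
  done
  [ "$found" -eq 1 ]
}

# Usage: ships_cgi_scripts <srcdir>
# Returns 0 if the tree contains anything that looks like a shipped CGI
# script (*.cgi, or any file under a cgi-bin directory), 1 otherwise.
ships_cgi_scripts() {
  find "$1" -type f \( -name '*.cgi' -o -path '*/cgi-bin/*' \) | grep -q .
}

# Hypothetical CGI paths of the kind an appliance CVE names (assumption for
# the demo, not real CVE data).
SAMPLE_CVE_PATHS="/cgi-bin/admin.cgi /cgi-bin/status.cgi"

tree=$(make_sample_tree)
echo "== paths named in the CVE text =="
cve_paths_present "$tree" $SAMPLE_CVE_PATHS \
  || echo "none of the named paths exist in the package source"
if ships_cgi_scripts "$tree"; then
  echo "package ships CGI scripts"
else
  echo "package ships no CGI scripts: the CVE describes the appliance, not this package"
fi
rm -rf "$tree"
```

A real run would point `cve_paths_present` at the unpacked distfile rather than the constructed tree; a hit on a basename still needs a human look at the file, since a C source named like a CGI script is not the script the CVE describes.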