Gentoo Archives: gentoo-dev

From: Aaron Bauman <bman@g.o>
To: gentoo-dev@l.g.o
Cc: pr@g.o, Thomas Deutschmann <whissi@g.o>
Subject: Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
Date: Wed, 14 Jul 2021 14:24:03
Message-Id: YO7ze5uWV5TJwg4N@Aaron-Baumans-MacBook-Pro.local
In Reply to: Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item by "Andreas K. Huettel"
On Wed, Jul 14, 2021 at 10:49:34AM +0200, Andreas K. Huettel wrote:
> > >
> > > 1) either the severity assignment of this bug by the Security project as B1 wrong (i.e. it should have been classified "harmless")

<snip>

> Well, over the last year or so every 2-3 months the (uninformed) discussion came up, "don't use openrc stages because you are automatically rooted". That leaves a rather bad impression of Gentoo, independent of whether it is true or not. If no one from sec team noticed the discussions...

Absolutely, that would leave a bad impression. Where were these
discussions taking place?

>
> > > 2) or the entire classification of severity levels according to the Security project pointless (i.e. you can't base any actions on them because a mystery onion needs to be taken into account).
> > >
> >
> > I am not sure if this is sarcasm, but every bug must be considered
> > through the correct aperture. That is, based on your environment,
> > protections in place, defense in depth, and other buzzwords... hence the
> > onion analogy.
>
> It's not sarcasm. The point of the classification is to give clear rules (why else would you list, e.g., required response times on the vulnerability treatment page (no matter how illusory they are)).
>
> If you don't take all factors into account when *making* the classification, then all gain you have from the classification is lost.
>

Let me explain differently. Gentoo has a vulnerability rating system
that is independent of any other system. This system is used to classify
bugs from a distro perspective and common usage of various applications.

However, one cannot consider all possible attack vectors, impacts, and
configuration scenarios being used by our users. So, it is not lost...
we just can't possibly account for all the things.

Yes, the response times are utter crap and as I mentioned the Gentoo
system needs to be overhauled/adapted.

-Aaron
