1 |
On 03/12/2017 09:14 AM, Alexis Ballier wrote: |
2 |
> Most of it seems more appropriate for a project page to me and up to |
3 |
> the sec. team, so I'll comment on the global parts only. |
4 |
> |
5 |
> The only global part I see is the "Security package version/revision |
6 |
> bumps and package masks". This one would benefit from a proper |
7 |
> definition of the rules here: If severity is X then inactive is defined |
8 |
> to be Y days. After that, sec. team can fix themselves. It should also |
9 |
> be the same for masking: If severity is X and no fix is known after Y |
10 |
> days/months then sec. team should mask it (but not last rite it, this |
11 |
> should still be maintainer/treecleaners). |
12 |
|
13 |
The severity levels and timelines are already defined in the referenced |
14 |
vulnerability treatment policy. We might be able to incorporate this |
15 |
suggestion by stronger reference to that for timeline, but in the end |
16 |
that should be the internal policy anyways. In general I would prefer |
17 |
the GLSA to be more higher level as we know things are going to need to |
18 |
be updated from time to time on these matters. |
19 |
|
20 |
> |
21 |
> I think the delay should be clearly stated in the bug with something |
22 |
> like: Please keep in mind that since this is a remote code execution |
23 |
> vulnerability, security team will take action if nothing happens within |
24 |
> one week. If you have tools filling the severity fields then a proper |
25 |
> definition allows to automate this too. |
26 |
> |
27 |
> My point here is to avoid having all the responsibility falling under |
28 |
> the lead but focus more on getting things done and educating fellow |
29 |
> developers: Lower delays for more serious bugs will make people |
30 |
> understand and prioritize better the issues at hand and their |
31 |
> implications. |
32 |
|
33 |
The lead sets policies and is responsible for keeping vulnerability |
34 |
treatment policy and other documentation up to date c.f Documentation of |
35 |
process |
36 |
|
37 |
The Project shall have procedures in place to document its process and |
38 |
regularly update the documentation including the Vulnerability Treatment |
39 |
Policies[3]. |
40 |
|
41 |
^^ which was intended to cover some of these concerns |
42 |
|
43 |
> |
44 |
> |
45 |
> Also, it'd be nice to have something more formal for sec. cleanup: |
46 |
> "After 30 days a sec. issue has been fixed, sec. team is free to |
47 |
> cleanup old vulnerable versions.". I've seen too much pings by sec. |
48 |
> team members on old bugs for this and they could have spent the same |
49 |
> amount of time simply doing it instead. |
50 |
|
51 |
This presumes all security members are gentoo developers with tree |
52 |
access and can do it themselves, but I'm not convinced cleanups are |
53 |
vital enough for security to interact as it requires quite a bit of work |
54 |
for an unfamiliar package to know which files to remove in files/ for |
55 |
specific versions and/or other package-specific quirks. The package |
56 |
maintainers really should be able to handle this or hand off the package |
57 |
to someone else. |
58 |
|
59 |
-- |
60 |
Kristian Fiskerstrand |
61 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
62 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |