| 1 |
On 03/12/2017 09:14 AM, Alexis Ballier wrote: |
| 2 |
> Most of it seems more appropriate for a project page to me and up to |
| 3 |
> the sec. team, so I'll comment on the global parts only. |
| 4 |
> |
| 5 |
> The only global part I see is the "Security package version/revision |
| 6 |
> bumps and package masks". This one would benefit from a proper |
| 7 |
> definition of the rules here: If severity is X then inactive is defined |
| 8 |
> to be Y days. After that, sec. team can fix themselves. It should also |
| 9 |
> be the same for masking: If severity is X and no fix is known after Y |
| 10 |
> days/months then sec. team should mask it (but not last rite it, this |
| 11 |
> should still be maintainer/treecleaners). |
| 12 |
|
| 13 |
The severity levels and timelines are already defined in the referenced |
| 14 |
vulnerability treatment policy. We might be able to incorporate this |
| 15 |
suggestion by stronger reference to that for timeline, but in the end |
| 16 |
that should be the internal policy anyways. In general I would prefer |
| 17 |
the GLSA to be more higher level as we know things are going to need to |
| 18 |
be updated from time to time on these matters. |
| 19 |
|
| 20 |
> |
| 21 |
> I think the delay should be clearly stated in the bug with something |
| 22 |
> like: Please keep in mind that since this is a remote code execution |
| 23 |
> vulnerability, security team will take action if nothing happens within |
| 24 |
> one week. If you have tools filling the severity fields then a proper |
| 25 |
> definition allows to automate this too. |
| 26 |
> |
| 27 |
> My point here is to avoid having all the responsibility falling under |
| 28 |
> the lead but focus more on getting things done and educating fellow |
| 29 |
> developers: Lower delays for more serious bugs will make people |
| 30 |
> understand and prioritize better the issues at hand and their |
| 31 |
> implications. |
| 32 |
|
| 33 |
The lead sets policies and is responsible for keeping vulnerability |
| 34 |
treatment policy and other documentation up to date c.f Documentation of |
| 35 |
process |
| 36 |
|
| 37 |
The Project shall have procedures in place to document its process and |
| 38 |
regularly update the documentation including the Vulnerability Treatment |
| 39 |
Policies[3]. |
| 40 |
|
| 41 |
^^ which was intended to cover some of these concerns |
| 42 |
|
| 43 |
> |
| 44 |
> |
| 45 |
> Also, it'd be nice to have something more formal for sec. cleanup: |
| 46 |
> "After 30 days a sec. issue has been fixed, sec. team is free to |
| 47 |
> cleanup old vulnerable versions.". I've seen too much pings by sec. |
| 48 |
> team members on old bugs for this and they could have spent the same |
| 49 |
> amount of time simply doing it instead. |
| 50 |
|
| 51 |
This presumes all security members are gentoo developers with tree |
| 52 |
access and can do it themselves, but I'm not convinced cleanups are |
| 53 |
vital enough for security to interact as it requires quite a bit of work |
| 54 |
for an unfamiliar package to know which files to remove in files/ for |
| 55 |
specific versions and/or other package-specific quirks. The package |
| 56 |
maintainers really should be able to handle this or hand off the package |
| 57 |
to someone else. |
| 58 |
|
| 59 |
-- |
| 60 |
Kristian Fiskerstrand |
| 61 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 62 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives