1 |
Hello, everyone. |
2 |
|
3 |
TL;DR: I think we should work towards delivering a complete list of |
4 |
vulnerable packages and ability to rebuild on that (not only these that |
5 |
traditionally involved GLSAs), and possibly also information |
6 |
on vulnerabilities that are not fixed reasonably quickly. |
7 |
|
8 |
|
9 |
Background |
10 |
========== |
11 |
|
12 |
The Gentoo Security process right now seems to be focused on developers. |
13 |
We get Security bugs and CC package maintainers, we bump packages |
14 |
and fast stabilize if necessary, we clean vulnerable versions up. |
15 |
The process is good but in my opinion it's often missing the last step |
16 |
-- actually delivering the fixes to our users. |
17 |
|
18 |
Of course, it is a strong recommendation that people should keep their |
19 |
system up-to-date by frequently running deep @world upgrades. However, I |
20 |
think we all realize that not all people do that. In fact, our own Infra |
21 |
doesn't do that and I have to say that right now our own servers are |
22 |
probably running dozens of vulnerable packages. |
23 |
|
24 |
While we could argue that people shouldn't do that (and we've been doing |
25 |
this for years now), so far we haven't managed any great success at it. |
26 |
Not to mention all the corner cases where you either can't upgrade or |
27 |
you're simply silently forced by Portage to stay on an older version. So |
28 |
it's time to explore the alternatives. |
29 |
|
30 |
A quick grep shows that around 20% of Security bugs are getting GLSAs |
31 |
('glsa+' vs 'noglsa' whiteboard). This means that in roughly 80% cases |
32 |
GLSA-based infrastructure (e.g. glsa-check) can't reliably inform users |
33 |
of vulnerable packages and/or trigger upgrades. |
34 |
|
35 |
The other side of the problem is that the GLSA process seems to be |
36 |
rather focused on fixed vulnerabilities. However, we do not seem to |
37 |
release GLSAs before a fixed version is available, even if there is |
38 |
no fix in sight and there is a suggested mitigation (that we can't apply |
39 |
ourselves). |
40 |
|
41 |
|
42 |
The problems |
43 |
============ |
44 |
|
45 |
All this considered, I'd like to formulate two problems with the current |
46 |
process: |
47 |
|
48 |
1. Users are not explicitly informed and not provided with explicit |
49 |
upgrade mechanism for vulnerabilities that are not considered GLSA- |
50 |
worthy. |
51 |
|
52 |
2. Users are not informed of important vulnerabilities that do not have |
53 |
a proper fix at hand. |
54 |
|
55 |
|
56 |
Potential solutions for Problem 1. |
57 |
================================== |
58 |
|
59 |
I think the problem should be considered in two parts: the developer |
60 |
input part and the delivery part. |
61 |
|
62 |
As for the delivery part, one option would be to reuse the GLSA format. |
63 |
Loosen the specification a little, and start publishing GLSAs without |
64 |
specific details, possibly just some short summary and package matchers. |
65 |
However, this would result in the GLSA repository growing significantly |
66 |
-- not sure if we consider this a problem. |
67 |
|
68 |
An alternative I can think of would be to use a flat file for this. This |
69 |
is e.g. what NetBSD does (it keeps the verbose advisories and full list |
70 |
of vulnerabilities separate). In fact, I suppose we could roughly use |
71 |
package.mask-alike format to avoid inventing new formats. |
72 |
|
73 |
As for the input part, I think we should try to avoid imposing much |
74 |
additional work on Security team members. Ideally, we'd be able to make |
75 |
this a 'one click' solution reusing the existing data (i.e. Security |
76 |
bugs). However, I don't think this is entirely possible right now. |
77 |
|
78 |
Something like having GLSAMaker pre-fill a template based on 'Package |
79 |
list' field of a Security bug could be a good start. Alternatively, we |
80 |
could look into doing the reverse -- giving all involved developers |
81 |
minimal access to GLSAMaker, and having it initially file Security bugs |
82 |
based on structured input. |
83 |
|
84 |
|
85 |
Potential solutions to Problem 2. |
86 |
================================= |
87 |
|
88 |
Here I don't think we need much of a technical solution. Rather, |
89 |
I think that Security team should be able to release GLSAs in these |
90 |
cases to inform users of the situation. |
91 |
|
92 |
|
93 |
Comments |
94 |
======== |
95 |
|
96 |
WDYT? |