On Sat, Dec 19, 2015 at 8:44 AM, Rich Freeman <rich0@g.o> wrote:
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@g.o> wrote:
>> Hi,
>>
>> On 18.12.2015 21:06, Mike Gilbert wrote:
>>> Hi, please review the news item below.
>>
>> thanks for drafting this news item. However, the usual way to inform
>> users about security flaws is by sending a GLSA. :)
>>
>> Based on your news item, we have drafted a GLSA now. It's currently
>> pending review by one other member of the security team and we will send
>> it in a few hours.
>>
>
> The only concerns I have with this approach are:
> 1. In this case timing is fine, but sometimes GLSAs have a
> significant delay, especially when minor archs are involved in
> stabilization.
> 2. Users probably don't regularly read GLSAs, since for the most part
> it just tells them to update packages they've probably already
> updated. How do we make ones that actually have instructions beyond
> updating stand out?
>
> I know I stopped reading GLSAs ages ago, because they tended to tell
> me to update to a package I had updated to a week before, and when
> they said something else 90% of the time it was because there was an
> error in the GLSA (usually this happened with subslots and the GLSA
> just said <n is vulnerable and the reality is that there were a number
> of ranges that were vulnerable vs. fixed). Granted, I have caught one
> or two episodes over the years where the actual package might not have
> been completely addressed and an older slot needed fixing.
>
> I guess my point isn't that GLSAs are a bad thing, but users need a
> really high S/N ratio if we want them to pay attention. We need to
> separate the mundane from the important.

I had that same thought when keytoaster first replied to this.

Realistically, I suspect very few Gentoo users are using
authentication in GRUB. Those who do are certainly more
security-conscious than the average user, and more likely to read GLSAs and
other security announcements.

I think the pkg_postinst message and the GLSA are sufficient coverage
for this issue.