Gentoo Archives: gentoo-dev

From: Mike Gilbert <floppym@g.o>
To: Gentoo Dev <gentoo-dev@l.g.o>
Cc: Tobias Heinlein <keytoaster@g.o>, PR team <pr@g.o>, security@g.o
Subject: Re: [gentoo-dev] Re: News item: GRUB security update
Date: Sat, 19 Dec 2015 17:04:55
Message-Id: CAJ0EP42Nb-_GiXDspn8gvQc8BjDRAana4mFT=f8=vM4As+KNhw@mail.gmail.com
In Reply to: [gentoo-dev] Re: News item: GRUB security update by Rich Freeman
On Sat, Dec 19, 2015 at 8:44 AM, Rich Freeman <rich0@g.o> wrote:
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@g.o> wrote:
>> Hi,
>>
>> On 18.12.2015 21:06, Mike Gilbert wrote:
>>> Hi, please review the news item below.
>>
>> thanks for drafting this news item. However, the usual way to inform
>> users about security flaws is by sending a GLSA. :)
>>
>> Based on your news item, we have drafted a GLSA now. It's currently
>> pending review by one other member of the security team and we will send
>> it in a few hours.
>>
>
> The only concerns I have with this approach are:
> 1. In this case timing is fine, but sometimes GLSAs have a
> significant delay, especially when minor archs are involved in
> stabilization.
> 2. Users probably don't regularly read GLSAs, since for the most part
> it just tells them to update packages they've probably already
> updated. How do we make ones that actually have instructions beyond
> updating stand out?
>
> I know I stopped reading GLSAs ages ago, because they tended to tell
> me to update to a package I had updated to a week before, and when
> they said something else 90% of the time it was because there was an
> error in the GLSA (usually this happened with subslots and the GLSA
> just said <n is vulnerable and the reality is that there were a number
> of ranges that were vulnerable vs fixed). Granted, I have caught one
> or two episodes over the years where the actual package might not have
> been completely addressed and an older slot needed fixing.
>
> I guess my point isn't that GLSAs are a bad thing, but users need a
> really high S/N ratio if we want them to pay attention. We need to
> separate the mundane from the important.

I had that same thought when keytoaster first replied to this.

Realistically, I suspect very few Gentoo users are using
authentication in GRUB. Those who do are certainly more security
conscious than the average user, and more likely to read GLSAs and
other security announcements.

I think the pkg_postinst message and the GLSA are sufficient coverage
for this issue.