| 1 |
El mar, 30-09-2014 a las 13:47 +0400, Sergey Popov escribió: |
| 2 |
[...] |
| 3 |
> I think you are get some things wrong - they are masked not instead of |
| 4 |
> GLSA, but prior to it. |
| 5 |
> |
| 6 |
> Let me explain the process on behalf on my security hat - before |
| 7 |
> releasing GLSA we should rid of all vulnerable versions in tree. |
| 8 |
> However, sometimes it leads to problems with migration on new |
| 9 |
> versions(usually happens with complex packages, for example OpenLDAP). |
| 10 |
> So, to mark that some versions are really not for ordinary users we can |
| 11 |
> security mask them. After that - we do not need to remove them, just |
| 12 |
> keep an eye that they would not be unmasked. The next step for these |
| 13 |
> versions is only to be removed from tree, after all issues with |
| 14 |
> dependant packages will be fixed. |
| 15 |
> |
| 16 |
> And then - we can proceed with making GLSA. Masking of package does not |
| 17 |
> replace making GLSA and never was! |
| 18 |
> |
| 19 |
> If you are claim that GLSA making process is too slow, well... We have |
| 20 |
> vast amount of security issues and not many people who handles them, so |
| 21 |
> - here we are... |
| 22 |
> |
| 23 |
> As for ppp, i masked it, because there are some packages in tree that |
| 24 |
> hardcodes usage for specific versions of ppp and they should be patched |
| 25 |
> BEFORE vulnerable versions of ppp will leave tree. |
| 26 |
> |
| 27 |
> I want to notice, that such practice was established a long time ago, |
| 28 |
> from the very beginning of Gentoo Security team and i do not think that |
| 29 |
> we should change something in it |
| 30 |
> |
| 31 |
|
| 32 |
Only a question: why GLSAs aren't released until the vulnerable version |
| 33 |
is not dropped? Wouldn't be better for people relying on GLSAs to get |
| 34 |
the glsa as soon as they can install the fixed version (I mean, when |
| 35 |
that version is stabilized)? |
| 36 |
|
| 37 |
Thanks for the info :) |
Archives