1 |
On Tue, 14 Mar 2017 19:55:44 -0400 |
2 |
Yury German <blueknight@g.o> wrote: |
3 |
|
4 |
> > On Mar 12, 2017, at 4:14 AM, Alexis Ballier <aballier@g.o> |
5 |
> > wrote: |
6 |
> > |
7 |
> > |
8 |
> > Also, it'd be nice to have something more formal for sec. cleanup: |
9 |
> > "After 30 days a sec. issue has been fixed, sec. team is free to |
10 |
> > cleanup old vulnerable versions.". I've seen too much pings by sec. |
11 |
> > team members on old bugs for this and they could have spent the same |
12 |
> > amount of time simply doing it instead. |
13 |
> |
14 |
> |
15 |
> Alexis, here is a problem that I have noticed over the years. |
16 |
> Everyone is short on time, but if the developers do not step in (and |
17 |
> only some) and clean up the packages then we might as well make this |
18 |
> another job for Security team as everyone will just leave it to |
19 |
> security. |
20 |
> |
21 |
> Security looks at every security bug, and needs to do a lot of things |
22 |
> behind the scenes. GLSA writing, look for CVE’s if not there, assign |
23 |
> them to bugs in the CVE system used for GLSA’s. If no CVE’s exist |
24 |
> communicate with upstream to see if it was requested, if not |
25 |
> requested request it on their behalf and work with MITRE in getting |
26 |
> it assigned. When you multiply that time over the 100+ security bugs |
27 |
> at any time. Cleanup is not a 5 second thing as for me typing three |
28 |
> characters to have that bug be submitted with that comment. |
29 |
> |
30 |
> The maintainer also knows the package, dependencies, other bugs |
31 |
> filed, etc. Removing things for your packages might be simple, but it |
32 |
> is not the same across all packages and that is the reason we ask the |
33 |
> Maintainers to take an active step in cleaning up. |
34 |
|
35 |
|
36 |
Agreed, but I was under the impression that sometimes sec. team was |
37 |
waiting for cleanup to close a bug. If you've just done the analysis |
38 |
that it is the only thing left, just do it and close the bug, instead |
39 |
of pinging on the bug and re-do that analysis in a later pass. This |
40 |
reduces context switches and makes everything more efficient :) |