| 1 |
On Tue, 14 Mar 2017 19:55:44 -0400 |
| 2 |
Yury German <blueknight@g.o> wrote: |
| 3 |
|
| 4 |
> > On Mar 12, 2017, at 4:14 AM, Alexis Ballier <aballier@g.o> |
| 5 |
> > wrote: |
| 6 |
> > |
| 7 |
> > |
| 8 |
> > Also, it'd be nice to have something more formal for sec. cleanup: |
| 9 |
> > "After 30 days a sec. issue has been fixed, sec. team is free to |
| 10 |
> > cleanup old vulnerable versions.". I've seen too much pings by sec. |
| 11 |
> > team members on old bugs for this and they could have spent the same |
| 12 |
> > amount of time simply doing it instead. |
| 13 |
> |
| 14 |
> |
| 15 |
> Alexis, here is a problem that I have noticed over the years. |
| 16 |
> Everyone is short on time, but if the developers do not step in (and |
| 17 |
> only some) and clean up the packages then we might as well make this |
| 18 |
> another job for Security team as everyone will just leave it to |
| 19 |
> security. |
| 20 |
> |
| 21 |
> Security looks at every security bug, and needs to do a lot of things |
| 22 |
> behind the scenes. GLSA writing, look for CVE’s if not there, assign |
| 23 |
> them to bugs in the CVE system used for GLSA’s. If no CVE’s exist |
| 24 |
> communicate with upstream to see if it was requested, if not |
| 25 |
> requested request it on their behalf and work with MITRE in getting |
| 26 |
> it assigned. When you multiply that time over the 100+ security bugs |
| 27 |
> at any time. Cleanup is not a 5 second thing as for me typing three |
| 28 |
> characters to have that bug be submitted with that comment. |
| 29 |
> |
| 30 |
> The maintainer also knows the package, dependencies, other bugs |
| 31 |
> filed, etc. Removing things for your packages might be simple, but it |
| 32 |
> is not the same across all packages and that is the reason we ask the |
| 33 |
> Maintainers to take an active step in cleaning up. |
| 34 |
|
| 35 |
|
| 36 |
Agreed, but I was under the impression that sometimes sec. team was |
| 37 |
waiting for cleanup to close a bug. If you've just done the analysis |
| 38 |
that it is the only thing left, just do it and close the bug, instead |
| 39 |
of pinging on the bug and re-do that analysis in a later pass. This |
| 40 |
reduces context switches and makes everything more efficient :) |
Archives