1 |
On Jan 18, 2014 1:35 PM, Pacho Ramos <pacho@g.o> wrote: |
2 |
> |
3 |
> El sáb, 18-01-2014 a las 19:19 +0100, Alex Legler escribió: |
4 |
> [...] |
5 |
> > So you observed correctly there's still plenty of delays. There are |
6 |
> > three parts to an advisory that take time: |
7 |
> > - Drafting: Collecting information, linking references, getting package |
8 |
> > versions done right (slots are a huge pain still). |
9 |
> > |
10 |
> > - Reviewing: Our current process asks for two independent positive |
11 |
> > reviews from other team members before an advisory can be sent. |
12 |
> > |
13 |
> > - Sending: The original author gets a .txt to email and have to check in |
14 |
> > the .xml to CVS. |
15 |
> > |
16 |
> > Going through these three steps requires at least three people, and the |
17 |
> > (group of) people whose action is required shifts twice. That overall |
18 |
> > process is spot #1 we are planning to improve. The current plan contains |
19 |
> > requiring only one review and the reviewer sends the advisory directly. |
20 |
> > So we go from author -> reviewer 1 -> reviewer 2 -> author to just |
21 |
> > author -> reviewer. |
22 |
> |
23 |
> This looks a nice improvement indeed :) |
24 |
> |
25 |
> > |
26 |
> > Concerning the single steps here are other measures: |
27 |
> > - Drafting: Implement a new GLSA format to |
28 |
> > * reduce the amount of editorial text written by us |
29 |
> > * support slots (makes specifying vulnerable ranges in slotted package |
30 |
> > much easier) |
31 |
> > * (cleanup old stuff no longer needed) |
32 |
> |
33 |
> That looks interesting as doing all the draft manually is really a huge |
34 |
> work (with leads to not so enhancement). I am unsure how will the |
35 |
> cleanup be done, as soon as the portage tree doesn't break (due some |
36 |
> other package requiring the old buggy version), why are not all devs |
37 |
> allowed to drop (or, at least, hardmask if needed for some base-system |
38 |
> package :/) the vulnerable versions? Looks like currently security team |
39 |
> waits for maintainers to do that, I try to do it fast but maybe will |
40 |
> take much more time in other situations. I think this could be improved |
41 |
> if other people like security team members or the last one stabilizing |
42 |
> the fixed version could do the cleanup too. |
43 |
We prefer that the maintainers do the drop in case there's some dependency situation we're not aware of, but we will drop if maintainers are unresponsive. |
44 |
|
45 |
> Also, currently looks like, when we (maintainers) get asked to bump the |
46 |
> package fixing it, we tend to wait for security team members to CC |
47 |
> arches, maybe the maintainers could do that directly to gain a bit of |
48 |
> time. |
49 |
By all means, maintainer should be the one to call for the stable. It's your package, I cannot think of any situation where security would not want the maintainer to do that. |
50 |
|
51 |
> > |
52 |
> > - Reviewing: Reduced editorial text means less to review. |
53 |
> > |
54 |
> > - Sending: We want to improve our tooling to automatically send |
55 |
> > advisories and push them to a git repository. |
56 |
> > |
57 |
> > The new GLSA format was up for review on -security last week. Next up |
58 |
> > will be getting it specified formally, implemented in our tooling, |
59 |
> > glsa-check and a new security.g.o frontend. [1] |
60 |
> > Then, we can adopt the new workflow. |
61 |
> > |
62 |
> > > |
63 |
> > > Then, instead of blaming on how should I have asked for clarification on |
64 |
> > > this (well, looks like the main topic here is that I have asked about |
65 |
> > > this in ML instead of the real problem :O), I think you should focus on |
66 |
> > > explaining how are you fixing this problem. |
67 |
> > |
68 |
> > Your original email didn't reflect actual interest in the details. Now |
69 |
> > that we've established you do care, I hope my explanations helped you |
70 |
> > out there. |
71 |
> > |
72 |
> |
73 |
> They helped for sure :) and I appreciate them, I simply thought nothing |
74 |
> was being worked out as I explained in previous mail (I was still saying |
75 |
> long delays) |
76 |
> |
77 |
> > > I have been long time wondering about this because: |
78 |
> > > 1. I usually get lots of bugs from alias I am a member whose we go fast |
79 |
> > > bumping, calling for stabilization and dropping vulnerable versions and, |
80 |
> > > the, the bugs get stalled. |
81 |
> > > 2. Once of the machines I maintain would benefit from being able to use |
82 |
> > > glsacheck to only update vulnerable packages as not always have enough |
83 |
> > > time for updating the full world |
84 |
> > > |
85 |
> > > |
86 |
> > > |
87 |
> > |
88 |
> > [1] Lots of code to be written here. .py+.rb, help wanted! |
89 |
> > |
90 |
> |
91 |
> |
92 |
> |