On Mon, Jan 26, 2015 at 8:21 AM, Duncan <1i5t5.duncan@×××.net> wrote:
> The result of the current policy is that if you're waiting for the GLSA,
> unless it's _extreme_ priority (heartbleed level), on at least amd64,
> you're very often sitting there exposed for well over a week, and too
> often a month, after the fix is out there, actually installed on /my/
> systems. And to me that's a game of Russian Roulette odds that I'm
> simply not willing to play.

Agree. Honestly, I think we should really reconsider the current GLSA
policy. I half-consider unsubscribing to them since they often come
out weeks after a vulnerability is fixed on amd64, let alone
discovered. If you're relying on glsa-check as the indicator as to
whether you should update, then you're probably going to be vulnerable
for weeks.

I wonder if it would make sense to just send them out on first-fix, or
even on stablereq. The main reason that I'd hold off on sending them
out at first sign of vulnerability is that information on what
versions are/aren't vulnerable is going to be hazy, and it won't have
clear instructions on what to do. You might end up picking the wrong
version to update to and then find yourself having to update again or
downgrading or running ~arch because the package maintainer decided to
do something different. By the time you have a stablereq things have
settled down - maybe if a bug is found on another arch you might end
up with a revbump, but that is going to be minor impact and anybody
doing daily updates is going to get hit by that anyway.

From a PR standpoint we'll be communicating to some users that they
are vulnerable, and we haven't completely fixed the issue yet. I
think we just need to reset expectations here. The fact is that today
they're just as vulnerable, but we don't broadcast that. Sending out
notice sooner will help out users who want to update based on GLSAs,
and if there isn't a stable version yet the user can decide whether to
just wait for testing or move ahead on their own.

It just seems to me that the current approach of sending out GLSAs a
month after the fix is available for 98% of our users makes them
fairly unuseful.

--
Rich