Gentoo Archives: gentoo-dev

From: Rich Freeman <rich0@g.o>
To: gentoo-dev <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] Re: Things one could be upset about
Date: Mon, 26 Jan 2015 14:20:39
Message-Id: CAGfcS_kShYAfvthNf_jDLB8qZbFhXd-wLqp9MBUD9kNQMnDPog@mail.gmail.com
In Reply to: [gentoo-dev] Re: Things one could be upset about by Duncan <1i5t5.duncan@cox.net>
On Mon, Jan 26, 2015 at 8:21 AM, Duncan <1i5t5.duncan@×××.net> wrote:
> The result of the current policy is that if you're waiting for the GLSA,
> unless it's _extreme_ priority (heartbleed level), on at least amd64,
> you're very often sitting there exposed for well over a week, and too
> often a month, after the fix is out there, actually installed on /my/
> systems. And to me that's a game of Russian Roulette odds that I'm
> simply not willing to play.

Agree. Honestly, I think we should really reconsider the current GLSA
policy. I half-consider unsubscribing from them since they often come
out weeks after a vulnerability is fixed on amd64, let alone
discovered. If you're relying on glsa-check as the indicator as to
whether you should update, then you're probably going to be vulnerable
for weeks.

I wonder if it would make sense to just send them out on first-fix, or
even on stablereq. The main reason that I'd hold off on sending them
out at first sign of vulnerability is that information on what
versions are/aren't vulnerable is going to be hazy, and it won't have
clear instructions on what to do. You might end up picking the wrong
version to update to and then find yourself having to update again or
downgrading or running ~arch because the package maintainer decided to
do something different. By the time you have a stablereq things have
settled down - maybe if a bug is found on another arch you might end
up with a revbump, but that is going to be minor impact and anybody
doing daily updates is going to get hit by that anyway.

From a PR standpoint we'll be communicating to some users that they
are vulnerable, and we haven't completely fixed the issue yet. I
think we just need to reset expectations here. The fact is that today
they're just as vulnerable, but we don't broadcast that. Sending out
notice sooner will help out users who want to update based on GLSAs,
and if there isn't a stable version yet the user can decide whether to
just wait for testing or move ahead on their own.

It just seems to me that the current approach of sending out GLSAs a
month after the fix is available for 98% of our users makes them
fairly unuseful.

--
Rich
