1 |
On Thu, 2021-08-12 at 13:17 -0700, Matt Turner wrote: |
2 |
> On Thu, Aug 12, 2021 at 5:53 AM Michał Górny <mgorny@g.o> wrote: |
3 |
> > |
4 |
> > Hello, everyone. |
5 |
> > |
6 |
> > TL;DR: I'd like to propose that stabilizations are done via blockers of |
7 |
> > security bugs instead of security bugs themselves, i.e. as any other |
8 |
> > stabilizations. |
9 |
> > |
10 |
> > |
11 |
> > Right now we're often performing security-related stabilizations via |
12 |
> > security bugs. This has a few problems, that are: |
13 |
> > |
14 |
> > 1. Stabilization-related activity causes unnecessary mail to the widely |
15 |
> > subscribed security alias. That is, subscribed people get notified of |
16 |
> > package list changes, NATTkA results, every arch doing its work. |
17 |
> > However, in reality the security team only cares about stabilization |
18 |
> > being started, stalled or finished -- and for that, getting the usual |
19 |
> > 'dependent bug added/closed' mail should be sufficient. |
20 |
> > |
21 |
> > 2. NATTkA has no good way of distinguishing irrelevant security bugs |
22 |
> > from security bugs where something went wrong (and NATTkA doesn't use |
23 |
> > persistent state by design). The most important problem is that -- |
24 |
> > unlike regular stablereqs -- security bugs aren't supposed to be closed |
25 |
> > after stabilization. It can't really distinguish a security bug 'left |
26 |
> > open' from a security bug with incorrect package list. |
27 |
> > |
28 |
> > 3. Proxied maintainers without editbugs can't actually CC arches on |
29 |
> > security bugs since the bugs are assigned to security@. |
30 |
> > |
31 |
> > |
32 |
> > To resolve these problems going forward and establish consistent |
33 |
> > behavior in the future, I'd like to propose to disable 'package list' |
34 |
> > fields on security bugs and instead expect regular stabilization bugs to |
35 |
> > be used (and made block the security bugs) for stabilizations. While I |
36 |
> > understand that filing additional bugs might be cumbersome for some |
37 |
> > people, I don't think it's such a herculean effort to outweigh |
38 |
> > the problems solved. |
39 |
> > |
40 |
> > In the end, consistency is a good thing and we've introduced a dedicated |
41 |
> > stabilization category to reduce the spread of stabilization bugs all |
42 |
> > around the place. |
43 |
> |
44 |
> I love this. |
45 |
> |
46 |
> It sounds (from IRC) like you're on board with the idea of having |
47 |
> nattka add kw:security to appropriate stabilization bugs. |
48 |
> |
49 |
> Could nattka also do something to the security@-assigned but itself to |
50 |
> indicate that all security-supported architecture have been handled? |
51 |
> Something like leaving a comment or fiddling with the security |
52 |
> whiteboard. |
53 |
|
54 |
Yeah, this shouldn't be a problem. However, I would prefer if 'security |
55 |
supported' architectures were defined somewhere reasonably standard, |
56 |
rather than hardcoded in nattka. |
57 |
|
58 |
> |
59 |
> It would be nice to be able to resolve the security@-assigned but |
60 |
> before non-security-supported architectures are handled. |
61 |
> |
62 |
> To do that, I think we'd want to change what's required for the "clean |
63 |
> up" step. Since today the "clean up" step is dropping the vulnerable |
64 |
> package versions from the tree, it is dependent on |
65 |
> non-security-supported architectures completing the stabilization bug. |
66 |
> I think we'd like to break that dependence. |
67 |
> |
68 |
> I suggest that we redefine the "clean up" step to be: drop |
69 |
> security-supported architectures' keywords from vulnerable versions. |
70 |
> That would allow the security@-assigned bug to be resolved before |
71 |
> non-security-supported architectures are finished with stabilization. |
72 |
> |
73 |
|
74 |
To be honest, this sounds like doubling the effort for little benefit. |
75 |
After all, removing the old version of the package doesn't resolve any |
76 |
problems on the end user systems -- upgrading does, and upgrading |
77 |
usually happens entirely independently of whether we've cleaned up or |
78 |
not. |
79 |
|
80 |
Maybe it'd easier to release GLSAs before cleanup happens? We can |
81 |
always go the dekeywording way if arch teams are actually slacking. |
82 |
|
83 |
-- |
84 |
Best regards, |
85 |
Michał Górny |