| 1 |
On Thu, 2021-08-12 at 13:17 -0700, Matt Turner wrote: |
| 2 |
> On Thu, Aug 12, 2021 at 5:53 AM Michał Górny <mgorny@g.o> wrote: |
| 3 |
> > |
| 4 |
> > Hello, everyone. |
| 5 |
> > |
| 6 |
> > TL;DR: I'd like to propose that stabilizations are done via blockers of |
| 7 |
> > security bugs instead of security bugs themselves, i.e. as any other |
| 8 |
> > stabilizations. |
| 9 |
> > |
| 10 |
> > |
| 11 |
> > Right now we're often performing security-related stabilizations via |
| 12 |
> > security bugs. This has a few problems, that are: |
| 13 |
> > |
| 14 |
> > 1. Stabilization-related activity causes unnecessary mail to the widely |
| 15 |
> > subscribed security alias. That is, subscribed people get notified of |
| 16 |
> > package list changes, NATTkA results, every arch doing its work. |
| 17 |
> > However, in reality the security team only cares about stabilization |
| 18 |
> > being started, stalled or finished -- and for that, getting the usual |
| 19 |
> > 'dependent bug added/closed' mail should be sufficient. |
| 20 |
> > |
| 21 |
> > 2. NATTkA has no good way of distinguishing irrelevant security bugs |
| 22 |
> > from security bugs where something went wrong (and NATTkA doesn't use |
| 23 |
> > persistent state by design). The most important problem is that -- |
| 24 |
> > unlike regular stablereqs -- security bugs aren't supposed to be closed |
| 25 |
> > after stabilization. It can't really distinguish a security bug 'left |
| 26 |
> > open' from a security bug with incorrect package list. |
| 27 |
> > |
| 28 |
> > 3. Proxied maintainers without editbugs can't actually CC arches on |
| 29 |
> > security bugs since the bugs are assigned to security@. |
| 30 |
> > |
| 31 |
> > |
| 32 |
> > To resolve these problems going forward and establish consistent |
| 33 |
> > behavior in the future, I'd like to propose to disable 'package list' |
| 34 |
> > fields on security bugs and instead expect regular stabilization bugs to |
| 35 |
> > be used (and made block the security bugs) for stabilizations. While I |
| 36 |
> > understand that filing additional bugs might be cumbersome for some |
| 37 |
> > people, I don't think it's such a herculean effort to outweigh |
| 38 |
> > the problems solved. |
| 39 |
> > |
| 40 |
> > In the end, consistency is a good thing and we've introduced a dedicated |
| 41 |
> > stabilization category to reduce the spread of stabilization bugs all |
| 42 |
> > around the place. |
| 43 |
> |
| 44 |
> I love this. |
| 45 |
> |
| 46 |
> It sounds (from IRC) like you're on board with the idea of having |
| 47 |
> nattka add kw:security to appropriate stabilization bugs. |
| 48 |
> |
| 49 |
> Could nattka also do something to the security@-assigned but itself to |
| 50 |
> indicate that all security-supported architecture have been handled? |
| 51 |
> Something like leaving a comment or fiddling with the security |
| 52 |
> whiteboard. |
| 53 |
|
| 54 |
Yeah, this shouldn't be a problem. However, I would prefer if 'security |
| 55 |
supported' architectures were defined somewhere reasonably standard, |
| 56 |
rather than hardcoded in nattka. |
| 57 |
|
| 58 |
> |
| 59 |
> It would be nice to be able to resolve the security@-assigned but |
| 60 |
> before non-security-supported architectures are handled. |
| 61 |
> |
| 62 |
> To do that, I think we'd want to change what's required for the "clean |
| 63 |
> up" step. Since today the "clean up" step is dropping the vulnerable |
| 64 |
> package versions from the tree, it is dependent on |
| 65 |
> non-security-supported architectures completing the stabilization bug. |
| 66 |
> I think we'd like to break that dependence. |
| 67 |
> |
| 68 |
> I suggest that we redefine the "clean up" step to be: drop |
| 69 |
> security-supported architectures' keywords from vulnerable versions. |
| 70 |
> That would allow the security@-assigned bug to be resolved before |
| 71 |
> non-security-supported architectures are finished with stabilization. |
| 72 |
> |
| 73 |
|
| 74 |
To be honest, this sounds like doubling the effort for little benefit. |
| 75 |
After all, removing the old version of the package doesn't resolve any |
| 76 |
problems on the end user systems -- upgrading does, and upgrading |
| 77 |
usually happens entirely independently of whether we've cleaned up or |
| 78 |
not. |
| 79 |
|
| 80 |
Maybe it'd easier to release GLSAs before cleanup happens? We can |
| 81 |
always go the dekeywording way if arch teams are actually slacking. |
| 82 |
|
| 83 |
-- |
| 84 |
Best regards, |
| 85 |
Michał Górny |
Archives