| 1 |
Alec Warner wrote: |
| 2 |
> Currently mgorny is the listed maintainer of boa. What if instead of a |
| 3 |
> bunch of CVEs he just decided he had better things to do with his |
| 4 |
> time. |
| 5 |
> He last-rites the package, giving a 90d deadline for the package to |
| 6 |
> find a new owner. |
| 7 |
> No one cares to maintain boa, so no one steps up, and the package is |
| 8 |
> removed after 90d. |
| 9 |
|
| 10 |
That would be perfectly fine of course. |
| 11 |
|
| 12 |
Note that mgorny protested in the lastrite bug way before my mail. |
| 13 |
|
| 14 |
|
| 15 |
> I think the current state is that no one with commit access to |
| 16 |
> ::gentoo cares, so it will be removed unless someone changes their |
| 17 |
> mind. |
| 18 |
|
| 19 |
That seems accurate. |
| 20 |
|
| 21 |
|
| 22 |
John Helmert III wrote: |
| 23 |
> > Do you continue to believe that boa has vulnerabilites involving files |
| 24 |
> > and functionality (as mentioned by the maintainer mgorny in #882773#c1) |
| 25 |
> > which do not exist in the package? |
| 26 |
> |
| 27 |
> Just like it isn't your responsibility to "cleanup NVD", it's not my |
| 28 |
> responsibility to authoritatively verify every CVE that Gentoo |
| 29 |
> Security acts upon. |
| 30 |
|
| 31 |
Of course not by others in Gentoo Security, but I think it is for |
| 32 |
inputs that you yourself act on. (Everyone of course and I am mindful |
| 33 |
to do it too.) |
| 34 |
|
| 35 |
|
| 36 |
> Even if I did make such a judgement, I will *not* risk my being |
| 37 |
> wrong and exposing Gentoo users to vulnerabilities unecessarily, |
| 38 |
> even when prompted to by users on mailing lists. |
| 39 |
|
| 40 |
Your nginx example seemed to say otherwise. |
| 41 |
|
| 42 |
It's good to be afraid of being wrong but then please work with |
| 43 |
trusted peers to feel confident about being right instead of racing |
| 44 |
to bottom quality. |
| 45 |
|
| 46 |
Since you don't trust my analysis of both versions of the source code |
| 47 |
published by upstream please do collect further analysis from peers, |
| 48 |
so as to not be wrong in the opposite. |
| 49 |
|
| 50 |
|
| 51 |
> > The CVEs are obviously invalid and yes someone could contribute time |
| 52 |
> > to clean up NVD but I honestly don't think that either upstream or |
| 53 |
> > myself can reasonably be made responsible for invalid CVEs submitted |
| 54 |
> > by third parties. |
| 55 |
> |
| 56 |
> Again, we're not making judgements about "obviously invalid". |
| 57 |
|
| 58 |
I do think Gentoo Security needs to validate. *scratches head* |
| 59 |
|
| 60 |
This is obviously the most interesting part of this thread. |
| 61 |
|
| 62 |
|
| 63 |
> The time you've spent arguing with us on gentoo-dev could've been |
| 64 |
> easily spent asking upstream about the issue. |
| 65 |
|
| 66 |
I verified the three CVEs to be non-issues, what is there for me to |
| 67 |
ask upstream about? |
| 68 |
|
| 69 |
I analyzed the source code before sending my first mail and confirmed |
| 70 |
that the CVEs do not exist in boa. That's why I sent the mail saying |
| 71 |
that the reports are false. |
| 72 |
|
| 73 |
A lastrite commit in Gentoo based on invalid CVEs has little to do |
| 74 |
with upstream. |
| 75 |
|
| 76 |
You're reversing the burden of proof based on a false claim. |
| 77 |
|
| 78 |
|
| 79 |
> > I disagree, that's only a good way to measure how many distributions care. |
| 80 |
> |
| 81 |
> Which is *precisely* the point I'm making. If distributions with many |
| 82 |
> times the resources of Gentoo don't care to package it, that's a bad |
| 83 |
> indicator of how well the package is taken care of. |
| 84 |
|
| 85 |
How can you know why someone else does or *doesn't* do something? |
| 86 |
That's absurd. |
| 87 |
|
| 88 |
|
| 89 |
> > Each distribution has its own dynamic (but actually distributions also |
| 90 |
> > tend to herd behavior) |
| 91 |
|
| 92 |
You really leaned into the herd behavior there. :\ |
| 93 |
|
| 94 |
|
| 95 |
> > Again: Impact shouldn't matter, correctness should. |
| 96 |
> |
| 97 |
> And again, I'm generally not going to be validating every CVE ever for |
| 98 |
> correctness. |
| 99 |
|
| 100 |
Only those you act on. |
| 101 |
|
| 102 |
|
| 103 |
> > > It generally can't work better with MITRE being useless in many |
| 104 |
> > > cases. Yes, the CVEs seem garbage, but I can't say that |
| 105 |
> > > authoritatively, so I don't. |
| 106 |
> > |
| 107 |
> > What would convince you? |
| 108 |
> |
| 109 |
> Anything from upstream, or a withdrawal of the CVEs, or a notice from |
| 110 |
> the CVE reproters that they're invalid. But I really don't understand |
| 111 |
> why anybody cares about this leaf package that nobody actually seems |
| 112 |
> to use, including you. |
| 113 |
|
| 114 |
Imagine that I fork boa to a project called boah, change nothing but |
| 115 |
the version number, create a release and then tell you again that the |
| 116 |
three CVEs are invalid for both boa and boah. |
| 117 |
|
| 118 |
|
| 119 |
//Peter |
Archives