30.09.2014 14:11, Pacho Ramos wrote:
> On Tue, 30-09-2014 at 13:47 +0400, Sergey Popov wrote:
> [...]
>> I think you have got some things wrong - they are masked not instead of
>> a GLSA, but prior to it.
>>
>> Let me explain the process with my security hat on - before
>> releasing a GLSA we should get rid of all vulnerable versions in the tree.
>> However, sometimes it leads to problems with migration to new
>> versions (this usually happens with complex packages, for example OpenLDAP).
>> So, to mark that some versions are really not for ordinary users, we can
>> security-mask them. After that we do not need to remove them, just
>> keep an eye on them so that they are not unmasked. The only next step for these
>> versions is to be removed from the tree, after all issues with
>> dependent packages have been fixed.
>>
>> And then we can proceed with making the GLSA. Masking a package does not
>> replace making a GLSA and never did!
>>
>> If you are claiming that the GLSA-making process is too slow, well... We have
>> a vast amount of security issues and not many people who handle them, so
>> - here we are...
>>
>> As for ppp, I masked it because there are some packages in the tree that
>> hardcode usage of specific versions of ppp, and they should be patched
>> BEFORE the vulnerable versions of ppp leave the tree.
>>
>> I want to note that such practice was established a long time ago,
>> from the very beginning of the Gentoo Security team, and I do not think that
>> we should change anything in it.
>>
>
> Just a question: why aren't GLSAs released until the vulnerable version
> is dropped? Wouldn't it be better for people relying on GLSAs to get
> the GLSA as soon as they can install the fixed version (I mean, when
> that version is stabilized)?
>
> Thanks for the info :)
>
>

That's more like established practice than policy, because after
publishing a GLSA we should auto-close all relevant security bugs. And we
cannot do this if vulnerable versions are still in the tree. So it's better
to mask them to speed things up with publishing the GLSA; maintainers can
drop the old versions of their packages later.

--
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Proxy maintainers project lead