| 1 |
30.09.2014 14:11, Pacho Ramos пишет: |
| 2 |
> El mar, 30-09-2014 a las 13:47 +0400, Sergey Popov escribió: |
| 3 |
> [...] |
| 4 |
>> I think you are get some things wrong - they are masked not instead of |
| 5 |
>> GLSA, but prior to it. |
| 6 |
>> |
| 7 |
>> Let me explain the process on behalf on my security hat - before |
| 8 |
>> releasing GLSA we should rid of all vulnerable versions in tree. |
| 9 |
>> However, sometimes it leads to problems with migration on new |
| 10 |
>> versions(usually happens with complex packages, for example OpenLDAP). |
| 11 |
>> So, to mark that some versions are really not for ordinary users we can |
| 12 |
>> security mask them. After that - we do not need to remove them, just |
| 13 |
>> keep an eye that they would not be unmasked. The next step for these |
| 14 |
>> versions is only to be removed from tree, after all issues with |
| 15 |
>> dependant packages will be fixed. |
| 16 |
>> |
| 17 |
>> And then - we can proceed with making GLSA. Masking of package does not |
| 18 |
>> replace making GLSA and never was! |
| 19 |
>> |
| 20 |
>> If you are claim that GLSA making process is too slow, well... We have |
| 21 |
>> vast amount of security issues and not many people who handles them, so |
| 22 |
>> - here we are... |
| 23 |
>> |
| 24 |
>> As for ppp, i masked it, because there are some packages in tree that |
| 25 |
>> hardcodes usage for specific versions of ppp and they should be patched |
| 26 |
>> BEFORE vulnerable versions of ppp will leave tree. |
| 27 |
>> |
| 28 |
>> I want to notice, that such practice was established a long time ago, |
| 29 |
>> from the very beginning of Gentoo Security team and i do not think that |
| 30 |
>> we should change something in it |
| 31 |
>> |
| 32 |
> |
| 33 |
> Only a question: why GLSAs aren't released until the vulnerable version |
| 34 |
> is not dropped? Wouldn't be better for people relying on GLSAs to get |
| 35 |
> the glsa as soon as they can install the fixed version (I mean, when |
| 36 |
> that version is stabilized)? |
| 37 |
> |
| 38 |
> Thanks for the info :) |
| 39 |
> |
| 40 |
> |
| 41 |
|
| 42 |
That's more like established practice then policy, cause after |
| 43 |
publishing glsa we should auto-close all relevant security bugs. And we |
| 44 |
can not do this if vulnerable versions are still in tree. So it's better |
| 45 |
to mask them to speed up things with publishing GLSA, maintainers can |
| 46 |
drop old versions of their later. |
| 47 |
|
| 48 |
-- |
| 49 |
Best regards, Sergey Popov |
| 50 |
Gentoo developer |
| 51 |
Gentoo Desktop Effects project lead |
| 52 |
Gentoo Proxy maintainers project lead |
Archives