| 1 |
On Fri, 2021-08-13 at 12:50 -0400, Aaron Bauman wrote: |
| 2 |
> On Thu, Aug 12, 2021 at 01:17:32PM -0700, Matt Turner wrote: |
| 3 |
> > On Thu, Aug 12, 2021 at 5:53 AM Michał Górny <mgorny@g.o> wrote: |
| 4 |
> > > |
| 5 |
> |
| 6 |
> <snip> |
| 7 |
> |
| 8 |
> > To do that, I think we'd want to change what's required for the "clean |
| 9 |
> > up" step. Since today the "clean up" step is dropping the vulnerable |
| 10 |
> > package versions from the tree, it is dependent on |
| 11 |
> > non-security-supported architectures completing the stabilization bug. |
| 12 |
> > I think we'd like to break that dependence. |
| 13 |
> > |
| 14 |
> |
| 15 |
> Yes, please. Thank you for bringing this up. This has been a hotly |
| 16 |
> debated item in the past with former security leads dictating that |
| 17 |
> "clean up" is not relevant to the security process, but it remained |
| 18 |
> codified in documentation that it needs to occur. |
| 19 |
> |
| 20 |
> It is indeed important, as leaving vulnerable versions is the tree is not |
| 21 |
> good for anyone and impacts many other areas (e.g. promoting tree |
| 22 |
> cleanliness). |
| 23 |
> |
| 24 |
> Further, as mgorny mentioned in a follow-up email to this, we need to |
| 25 |
> understand what is a "security supported" architecture. This has also |
| 26 |
> been an issue in the past with council intervention needed to declare |
| 27 |
> dropping specific arches to exp profiles and allowing security to drop |
| 28 |
> support and subsequently move bugs forward. |
| 29 |
> |
| 30 |
> And to continue on my soap box, we have a small blurb on the security |
| 31 |
> page [1] which states what architectures are considered security supported. |
| 32 |
> This is less than ideal. We also generally state that stable arches are |
| 33 |
> supported and must be dealt with during the vulnerability process. |
| 34 |
> |
| 35 |
> So, all in all, it is highly conflated IMHO and is *not* ideal for |
| 36 |
> anyone to have to determine that a particular arch is stable but not |
| 37 |
> security supported. |
| 38 |
> |
| 39 |
> As such, I advocate for any stable arch to be security supported by |
| 40 |
> default. If the arch lags or is dropped then it goes to unstable |
| 41 |
> (process TBD). |
| 42 |
> |
| 43 |
|
| 44 |
Yes, this sounds like a good idea. We should avoid having multiple |
| 45 |
classifications for architectures. If something's good enough to be |
| 46 |
stable, it should be security supported. If it's not, then it shouldn't |
| 47 |
be stable. |
| 48 |
|
| 49 |
In the end, I guess the primary problem is manpower. Given that secbugs |
| 50 |
are normally given priority, I don't really see a case for an arch that |
| 51 |
would be not good enough to be security supported but at the same time |
| 52 |
good enough to cope with the wider range of bugs. |
| 53 |
|
| 54 |
-- |
| 55 |
Best regards, |
| 56 |
Michał Górny |
Archives