1 |
On 16/12/16 14:33, Rich Freeman wrote: |
2 |
> On Fri, Dec 16, 2016 at 9:04 AM, Kristian Fiskerstrand <k_f@g.o> wrote: |
3 |
>> On 12/16/2016 02:57 PM, Ciaran McCreesh wrote: |
4 |
>>> On Fri, 16 Dec 2016 13:25:14 +0100 |
5 |
>>> Thomas Deutschmann <whissi@g.o> wrote: |
6 |
>>> |
7 |
>>> Perhaps it's time to realise that security bugs aren't that |
8 |
>>> interesting, and that random data loss bugs and just plain missing |
9 |
>>> features can be far more impactful in practice than some obscure |
10 |
>>> security issue. All treating security bugs specially does is play into |
11 |
>>> the "look at me, I'm important so you should pay me money or I'll put |
12 |
>>> out another press release" drama certain consulting companies have set |
13 |
>>> up. Broken code is broken whether or not the bug has been given a cute |
14 |
>>> name and logo. |
15 |
>>> |
16 |
>> Exactly, a security vulnerability originally being an info leak or a low |
17 |
>> probability risk that turns out to a denial of service on a stable |
18 |
>> system due to lack of proper stabilization is a good argument for the |
19 |
>> way things are today. |
20 |
>> |
21 |
> We already have different risk tiers for security issues depending on impact: |
22 |
> https://www.gentoo.org/support/security/vulnerability-treatment-policy.html |
23 |
> |
24 |
> That is why I suggested sending out the notice once the fix is |
25 |
> available, or at the expiration of the target delay. For a |
26 |
> trivial-class issue that would mean that a notice would only be sent |
27 |
> out without a fix if it took over 40 days to resolve the problem. |
28 |
> |
29 |
> GLSAs are also marked with their severity/etc, so admins can use this |
30 |
> information to make an informed decision about the risks of deploying |
31 |
> an update out of cycle, or waiting for their normal testing cycle. |
32 |
> |
33 |
> Now, if we don't think that security is that important, then fine, |
34 |
> let's at least update the security policy to make it clear to our |
35 |
> users that we just treat remote network-only root code execution |
36 |
> exploits the same as the latest vlc bump. Then our users will know |
37 |
> that they aren't actually protected and will take additional measures |
38 |
> if they feel it is necessary. |
39 |
> |
40 |
> What I don't like is a public security policy that says we do xyz |
41 |
> within n days, and in reality we don't really do that and we take a |
42 |
> lot longer to do it. That is giving users a false sense of security. |
43 |
> |
44 |
> Now, I get that upstream doesn't always release information on |
45 |
> vulnerabilities, or even know about them. Sure, if you're trying to |
46 |
> run the NSA you probably shouldn't solely rely on your distro's |
47 |
> security update mechanism. People who REALLY care are going to |
48 |
> subscribe to various services/etc to get intel on issues, or even do |
49 |
> their own in-house research (if you're a major nation state). |
50 |
> |
51 |
> However, deploying fixes to known vulnerabilities just seems like a |
52 |
> good practice. |
53 |
> |
54 |
> In any case, fixing the security policy to match reality costs |
55 |
> nothing, and actually following it on the major archs shouldn't cost |
56 |
> THAT much. |
57 |
> |
58 |
Picking a rather random post to chip in on, but here we go with my |
59 |
thoughts... |
60 |
|
61 |
How about once we identify a [triaged] security issue, it gets assigned |
62 |
a GLSA there and then, and a templated email gets sent out to notify |
63 |
users of the vulnerability and the priority assigned to it internally. |
64 |
You could also tag a bugzilla reference, for users to track progress in |
65 |
between identification and resolution. Then, you should be able to meet |
66 |
your published policy by pushing out some information to users, and |
67 |
especially sysadmins, so they are informed, and can choose for |
68 |
themselves what actions they feel appropriate to take in the first |
69 |
instance (eg. mitigation until resolution is found). |
70 |
|
71 |
Then, post a 'FIXED' message referencing again the GLSA and bug ref. to |
72 |
indicate the 'preferred' resolution, any appropriate package updates, |
73 |
etc. once this has been tested/stabilised/etc. to allow for manpower |
74 |
issues and anything else that could be considered 'beyond reasonable |
75 |
control' from the Gentoo angle. Yes, so you get double the "spam", but |
76 |
since security issues are relatively infrequent (vs. -dev bikeshedding, |
77 |
etc) I don't honestly think that the burden of early vs. late |
78 |
notification against extra email messages to be kept informed would be a |
79 |
problem for most people appropriately concerned. |