| 1 |
On 16/12/16 14:33, Rich Freeman wrote: |
| 2 |
> On Fri, Dec 16, 2016 at 9:04 AM, Kristian Fiskerstrand <k_f@g.o> wrote: |
| 3 |
>> On 12/16/2016 02:57 PM, Ciaran McCreesh wrote: |
| 4 |
>>> On Fri, 16 Dec 2016 13:25:14 +0100 |
| 5 |
>>> Thomas Deutschmann <whissi@g.o> wrote: |
| 6 |
>>> |
| 7 |
>>> Perhaps it's time to realise that security bugs aren't that |
| 8 |
>>> interesting, and that random data loss bugs and just plain missing |
| 9 |
>>> features can be far more impactful in practice than some obscure |
| 10 |
>>> security issue. All treating security bugs specially does is play into |
| 11 |
>>> the "look at me, I'm important so you should pay me money or I'll put |
| 12 |
>>> out another press release" drama certain consulting companies have set |
| 13 |
>>> up. Broken code is broken whether or not the bug has been given a cute |
| 14 |
>>> name and logo. |
| 15 |
>>> |
| 16 |
>> Exactly, a security vulnerability originally being an info leak or a low |
| 17 |
>> probability risk that turns out to a denial of service on a stable |
| 18 |
>> system due to lack of proper stabilization is a good argument for the |
| 19 |
>> way things are today. |
| 20 |
>> |
| 21 |
> We already have different risk tiers for security issues depending on impact: |
| 22 |
> https://www.gentoo.org/support/security/vulnerability-treatment-policy.html |
| 23 |
> |
| 24 |
> That is why I suggested sending out the notice once the fix is |
| 25 |
> available, or at the expiration of the target delay. For a |
| 26 |
> trivial-class issue that would mean that a notice would only be sent |
| 27 |
> out without a fix if it took over 40 days to resolve the problem. |
| 28 |
> |
| 29 |
> GLSAs are also marked with their severity/etc, so admins can use this |
| 30 |
> information to make an informed decision about the risks of deploying |
| 31 |
> an update out of cycle, or waiting for their normal testing cycle. |
| 32 |
> |
| 33 |
> Now, if we don't think that security is that important, then fine, |
| 34 |
> let's at least update the security policy to make it clear to our |
| 35 |
> users that we just treat remote network-only root code execution |
| 36 |
> exploits the same as the latest vlc bump. Then our users will know |
| 37 |
> that they aren't actually protected and will take additional measures |
| 38 |
> if they feel it is necessary. |
| 39 |
> |
| 40 |
> What I don't like is a public security policy that says we do xyz |
| 41 |
> within n days, and in reality we don't really do that and we take a |
| 42 |
> lot longer to do it. That is giving users a false sense of security. |
| 43 |
> |
| 44 |
> Now, I get that upstream doesn't always release information on |
| 45 |
> vulnerabilities, or even know about them. Sure, if you're trying to |
| 46 |
> run the NSA you probably shouldn't solely rely on your distro's |
| 47 |
> security update mechanism. People who REALLY care are going to |
| 48 |
> subscribe to various services/etc to get intel on issues, or even do |
| 49 |
> their own in-house research (if you're a major nation state). |
| 50 |
> |
| 51 |
> However, deploying fixes to known vulnerabilities just seems like a |
| 52 |
> good practice. |
| 53 |
> |
| 54 |
> In any case, fixing the security policy to match reality costs |
| 55 |
> nothing, and actually following it on the major archs shouldn't cost |
| 56 |
> THAT much. |
| 57 |
> |
| 58 |
Picking a rather random post to chip in on, but here we go with my |
| 59 |
thoughts... |
| 60 |
|
| 61 |
How about once we identify a [triaged] security issue, it gets assigned |
| 62 |
a GLSA there and then, and a templated email gets sent out to notify |
| 63 |
users of the vulnerability and the priority assigned to it internally. |
| 64 |
You could also tag a bugzilla reference, for users to track progress in |
| 65 |
between identification and resolution. Then, you should be able to meet |
| 66 |
your published policy by pushing out some information to users, and |
| 67 |
especially sysadmins, so they are informed, and can choose for |
| 68 |
themselves what actions they feel appropriate to take in the first |
| 69 |
instance (eg. mitigation until resolution is found). |
| 70 |
|
| 71 |
Then, post a 'FIXED' message referencing again the GLSA and bug ref. to |
| 72 |
indicate the 'preferred' resolution, any appropriate package updates, |
| 73 |
etc. once this has been tested/stabilised/etc. to allow for manpower |
| 74 |
issues and anything else that could be considered 'beyond reasonable |
| 75 |
control' from the Gentoo angle. Yes, so you get double the "spam", but |
| 76 |
since security issues are relatively infrequent (vs. -dev bikeshedding, |
| 77 |
etc) I don't honestly think that the burden of early vs. late |
| 78 |
notification against extra email messages to be kept informed would be a |
| 79 |
problem for most people appropriately concerned. |
Archives