1 |
Ühel kenal päeval, N, 15.12.2016 kell 16:43, kirjutas Yury German: |
2 |
> The problem with that is that a GLSA check will fail at that point, |
3 |
> we can not also include the fix are (security project) in the fix |
4 |
> section as we do not know what version will be final on |
5 |
> stabilization. For example, if you look in Bug Tracker the bugs can |
6 |
> go stable but to stabilize them will take a very long time. Sometimes |
7 |
> it takes as long to stabilize them that a new version is out before |
8 |
> the original is stabilized. (Just a note, not blaming the arches |
9 |
> groups here, it is simple the way it is). What about the times that |
10 |
> during stabilization a dependency is found and it takes a month or |
11 |
> two to fix it? The GLSA goes out, it now tells the users to update to |
12 |
> a version that does not exist. |
13 |
> |
14 |
> It does sound good, but not practical as it will introduce confusion |
15 |
> for the users especially those that do not constantly maintain their |
16 |
> system and only update the security patches. |
17 |
|
18 |
My proposal addresses this by introducing a new glsa-check identifier, |
19 |
so one is for actionable issues, another for informative. |
20 |
We can bikeshed if the one people are used to use ('affected') would be |
21 |
including only actionable, all known vulnerabilities in its report, or |
22 |
perhaps a mix with some agreed grace period based on security severity. |
23 |
I mean we can do such bikeshed AFTER it has been agreed to change the |
24 |
general approach of GLSA release timing, if that gets agreed to, no |
25 |
point yet to drown the thread with that yet. |
26 |
Also we could still agree to push out a GLSA only after the first |
27 |
architecture has stabled it, provided it is written and the first |
28 |
stabling happens fast enough. |
29 |
|
30 |
I have not thought about the optics for the GLSA releases to other |
31 |
mediums, which get picked up by various other parties. |
32 |
|
33 |
|
34 |
> Those users that have a practice of updating (world update) on a |
35 |
> schedule (Weekly / Monthly) would receive the patches if the stable |
36 |
> version is in the tree. |
37 |
|
38 |
Those updating periodically are vulnerable for a longer time right now |
39 |
on architectures that stable fast, which is the majority of what our |
40 |
userbase is on imho (amd64). E.g fix to a remotely triggered |
41 |
vulnerability is provided on Tuesday, amd64 stables on Wednesday, ppc64 |
42 |
as the last architecture stables on Saturday (for sake of example, they |
43 |
have only weekend manpower), and this monthly upgrading sysadmin checks |
44 |
for GLSA issues every Friday - because with the status quo we didn't |
45 |
push out a GLSA that got drafted on Tuesday for amd64 users, this |
46 |
sysadmin will end up keeping his systems vulnerable for a week longer |
47 |
than he could have if we didn't artificially delay the glsa report. |
48 |
Even if that sysadmin responsibly checks GLSAs daily, we still keep his |
49 |
systems artificially vulnerable in this example for 2 days longer than |
50 |
necessary. |
51 |
And that's why I'm saying just reducing what is security supported due |
52 |
to some architectures taking too long to stabilize is NOT a good enough |
53 |
solution, unless we define "too long, you aren't security supported |
54 |
anymore" as "you take over 1 day longer to stabilize than amd64" or |
55 |
something and end up with only amd64/alpha (and maybe x86) as security |
56 |
supported as it happens to be right now with response speed. Hence this |
57 |
alternative proposal. |
58 |
|
59 |
|
60 |
Mart |
61 |
|
62 |
> > |
63 |
> > On Dec 15, 2016, at 2:05 PM, Paweł Hajdan, Jr. <phajdan.jr@gentoo.o |
64 |
> > rg> wrote: |
65 |
> > |
66 |
> > On 13/12/2016 21:36, Mart Raudsepp wrote: |
67 |
> > > |
68 |
> > > Solution proposal: |
69 |
> > > |
70 |
> > > Push out a GLSA as soon as the relevant fix is available in the |
71 |
> > > tree in |
72 |
> > > any form (usually when the security bug moves from [ebuild] to |
73 |
> > > [stable] |
74 |
> > > state), so the fixed_in (unaffected) atoms have become known. |
75 |
> > |
76 |
> > Sounds good. |
77 |
> > |
78 |
> > Given the GLSA process itself introduces delays, and it seems to |
79 |
> > start |
80 |
> > only after [stable], sending it earlier and in a simpler way is a |
81 |
> > nice |
82 |
> > simplification of the process. |
83 |
> > |
84 |
> > Paweł |
85 |
> > |
86 |
> |
87 |
> |