| 1 |
Ühel kenal päeval, N, 15.12.2016 kell 16:43, kirjutas Yury German: |
| 2 |
> The problem with that is that a GLSA check will fail at that point, |
| 3 |
> we can not also include the fix are (security project) in the fix |
| 4 |
> section as we do not know what version will be final on |
| 5 |
> stabilization. For example, if you look in Bug Tracker the bugs can |
| 6 |
> go stable but to stabilize them will take a very long time. Sometimes |
| 7 |
> it takes as long to stabilize them that a new version is out before |
| 8 |
> the original is stabilized. (Just a note, not blaming the arches |
| 9 |
> groups here, it is simple the way it is). What about the times that |
| 10 |
> during stabilization a dependency is found and it takes a month or |
| 11 |
> two to fix it? The GLSA goes out, it now tells the users to update to |
| 12 |
> a version that does not exist. |
| 13 |
> |
| 14 |
> It does sound good, but not practical as it will introduce confusion |
| 15 |
> for the users especially those that do not constantly maintain their |
| 16 |
> system and only update the security patches. |
| 17 |
|
| 18 |
My proposal addresses this by introducing a new glsa-check identifier, |
| 19 |
so one is for actionable issues, another for informative. |
| 20 |
We can bikeshed if the one people are used to use ('affected') would be |
| 21 |
including only actionable, all known vulnerabilities in its report, or |
| 22 |
perhaps a mix with some agreed grace period based on security severity. |
| 23 |
I mean we can do such bikeshed AFTER it has been agreed to change the |
| 24 |
general approach of GLSA release timing, if that gets agreed to, no |
| 25 |
point yet to drown the thread with that yet. |
| 26 |
Also we could still agree to push out a GLSA only after the first |
| 27 |
architecture has stabled it, provided it is written and the first |
| 28 |
stabling happens fast enough. |
| 29 |
|
| 30 |
I have not thought about the optics for the GLSA releases to other |
| 31 |
mediums, which get picked up by various other parties. |
| 32 |
|
| 33 |
|
| 34 |
> Those users that have a practice of updating (world update) on a |
| 35 |
> schedule (Weekly / Monthly) would receive the patches if the stable |
| 36 |
> version is in the tree. |
| 37 |
|
| 38 |
Those updating periodically are vulnerable for a longer time right now |
| 39 |
on architectures that stable fast, which is the majority of what our |
| 40 |
userbase is on imho (amd64). E.g fix to a remotely triggered |
| 41 |
vulnerability is provided on Tuesday, amd64 stables on Wednesday, ppc64 |
| 42 |
as the last architecture stables on Saturday (for sake of example, they |
| 43 |
have only weekend manpower), and this monthly upgrading sysadmin checks |
| 44 |
for GLSA issues every Friday - because with the status quo we didn't |
| 45 |
push out a GLSA that got drafted on Tuesday for amd64 users, this |
| 46 |
sysadmin will end up keeping his systems vulnerable for a week longer |
| 47 |
than he could have if we didn't artificially delay the glsa report. |
| 48 |
Even if that sysadmin responsibly checks GLSAs daily, we still keep his |
| 49 |
systems artificially vulnerable in this example for 2 days longer than |
| 50 |
necessary. |
| 51 |
And that's why I'm saying just reducing what is security supported due |
| 52 |
to some architectures taking too long to stabilize is NOT a good enough |
| 53 |
solution, unless we define "too long, you aren't security supported |
| 54 |
anymore" as "you take over 1 day longer to stabilize than amd64" or |
| 55 |
something and end up with only amd64/alpha (and maybe x86) as security |
| 56 |
supported as it happens to be right now with response speed. Hence this |
| 57 |
alternative proposal. |
| 58 |
|
| 59 |
|
| 60 |
Mart |
| 61 |
|
| 62 |
> > |
| 63 |
> > On Dec 15, 2016, at 2:05 PM, Paweł Hajdan, Jr. <phajdan.jr@gentoo.o |
| 64 |
> > rg> wrote: |
| 65 |
> > |
| 66 |
> > On 13/12/2016 21:36, Mart Raudsepp wrote: |
| 67 |
> > > |
| 68 |
> > > Solution proposal: |
| 69 |
> > > |
| 70 |
> > > Push out a GLSA as soon as the relevant fix is available in the |
| 71 |
> > > tree in |
| 72 |
> > > any form (usually when the security bug moves from [ebuild] to |
| 73 |
> > > [stable] |
| 74 |
> > > state), so the fixed_in (unaffected) atoms have become known. |
| 75 |
> > |
| 76 |
> > Sounds good. |
| 77 |
> > |
| 78 |
> > Given the GLSA process itself introduces delays, and it seems to |
| 79 |
> > start |
| 80 |
> > only after [stable], sending it earlier and in a simpler way is a |
| 81 |
> > nice |
| 82 |
> > simplification of the process. |
| 83 |
> > |
| 84 |
> > Paweł |
| 85 |
> > |
| 86 |
> |
| 87 |
> |
Archives