[gentoo-dev] Proposed security policy for web-based apps

[gentoo-dev] Proposed security policy for web-based apps

[Stuart Herbert]

[-- Attachment #1: Type: text/plain, Size: 1848 bytes --]

Hi,

I'd like to introduce the following security policy for web-based apps.
If there are no objections, every new web-based app will have to conform
to the policy before it can be added to the tree.  Every existing
web-based app will have to conform to the policy by the end of August,
or I will remove it from the tree.

The proposed policy is simply that:

1. The Gentoo package's maintainer will identify one *named* contact
   UPSTREAM for security-related matters, and one named general contact
   UPSTREAM (as a fallback for when the security contact is
   unreachable).
2. This information will be held on the Dev Wiki.
3. This information will be checked every three months to ensure it
   remains valid.
4. In situations where the UPSTREAM contacts are unreachable, and no
   new contact can be identified, the package will be masked and
   marked for removal from the Portage tree (ie it fails this policy)

I believe that security holes will be discovered from time to time.  I
want to make sure that, when a hole has been found, everything's in
place for us to work with UPSTREAM at the greatest possible speed to get
things resolved.

I would rather we only distributed web-based apps where we can be
confident that security is taken appropriately seriously UPSTREAM.  Web
servers are too easy a target for us to be distributing software we
can't be confident about.

Thoughts, comments, other (constructive) feedback?

Best regards,
Stu
-- 
Stuart Herbert                                         stuart@gentoo.org
Gentoo Developer                                  http://www.gentoo.org/
                                              http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Mike Frysinger]

On Tuesday 05 July 2005 04:21 pm, Stuart Herbert wrote:
> 1. The Gentoo package's maintainer will identify one *named* contact
>    UPSTREAM for security-related matters, and one named general contact
>    UPSTREAM (as a fallback for when the security contact is
>    unreachable).
> 2. This information will be held on the Dev Wiki.

wtf is the Dev Wiki ?  what's wrong with metadata.xml ?
-mike
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Proposed security policy for web-based apps

[Lance Albertson]

[-- Attachment #1: Type: text/plain, Size: 720 bytes --]

Mike Frysinger wrote:
> On Tuesday 05 July 2005 04:21 pm, Stuart Herbert wrote:
> 
>>1. The Gentoo package's maintainer will identify one *named* contact
>>   UPSTREAM for security-related matters, and one named general contact
>>   UPSTREAM (as a fallback for when the security contact is
>>   unreachable).
>>2. This information will be held on the Dev Wiki.
> 
> 
> wtf is the Dev Wiki ?  what's wrong with metadata.xml ?

Yeah, having it in metadata.xml would make more sense.

-- 
Lance Albertson <ramereth@gentoo.org>
Gentoo Infrastructure | Operations Manager

---
GPG Public Key:  <http://www.ramereth.net/lance.asc>
Key fingerprint: 0423 92F3 544A 1282 5AB1  4D07 416F A15D 27F4 B742

ramereth/irc.freenode.net

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Stuart Herbert]

[-- Attachment #1: Type: text/plain, Size: 788 bytes --]

On Tue, 2005-07-05 at 15:40 -0500, Lance Albertson wrote:
> Yeah, having it in metadata.xml would make more sense.

We can do that.  

It'd perhaps make sense to extend the DTD for metadata.xml, so that the
<maintainer> tag has 'type' and 'organisation' attributes.  This would
allow tools to tell the difference between an entry for a Gentoo
maintainer, and an entry for an upstream maintainer.

Best regards,
Stu
-- 
Stuart Herbert                                         stuart@gentoo.org
Gentoo Developer                                  http://www.gentoo.org/
                                              http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Andrej Kacian]

[-- Attachment #1: Type: text/plain, Size: 668 bytes --]

On Sun, 10 Jul 2005 09:57:44 +0100
Stuart Herbert <stuart@gentoo.org> wrote:

> It'd perhaps make sense to extend the DTD for metadata.xml, so that the
> <maintainer> tag has 'type' and 'organisation' attributes.  This would
> allow tools to tell the difference between an entry for a Gentoo
> maintainer, and an entry for an upstream maintainer.

Why modifying the DTD? We did something like this recently with
mail-filter/razor, in agreement with $upstream, and all that was needed was
the 'description' tag, which is already present in the DTD.

-- 
Andrej "Ticho" Kacian <ticho at gentoo dot org>
Gentoo Linux Developer - net-mail, antivirus, amd64

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Alec Warner]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart Herbert wrote:
> Hi,
> 
<snip>
> 
> 1. The Gentoo package's maintainer will identify one *named* contact
>    UPSTREAM for security-related matters, and one named general contact
>    UPSTREAM (as a fallback for when the security contact is
>    unreachable).
> 2. This information will be held on the Dev Wiki.
> 3. This information will be checked every three months to ensure it
>    remains valid.

Are you volunteering to do 3?  If not, who will?

> 4. In situations where the UPSTREAM contacts are unreachable, and no
>    new contact can be identified, the package will be masked and
>    marked for removal from the Portage tree (ie it fails this policy)
> <snip...>
> Thoughts, comments, other (constructive) feedback?
> 
> Best regards,
> Stu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQIVAwUBQssBL2zglR5RwbyYAQKf8Q//QqbVG+xReAF5WyZMHOfOS0zoM0UJZRFJ
M7WM28JVR6aNAD4hVcv8EKVMLvt6nPiIu2REsO9ZrZwzIdBm8uLxqdnX76ZysW/6
h10igkCBa78RfuNHbul4muPk1SyAWg3ZextltaMXPrO8bDfoTENcLzp8+NqDyqel
6Ncr/pEcZnEJABKmDfuT/ehtI89+wps51Fkdq7wa8z+EXGCDd1HGNTA3x1OImgDM
VaHlLjGVS1lLcXGmZYKCZGvfKzbF/d9xJZ/LwdG+CpJD02avJ4iVv/51y/eGiVzm
CwB9d+5wCq5YZFBLOXr8HXFJhYkzSXuGZfbKXisdhzui5MqpErpMQw1TNATY//ha
HfFlYjnftS2vjzO/M9aiQqdqXF4HiejKRJGWVwxcqenFjj566t+uTvomwgI/2YLi
/yimNyoyG3/ueLLSEMtyo6MURrjT9bbohUVH7pMr3RHNbNjtn3K9omEB4Ngh8L2q
kA3hjoQRy1a6gNhG6eHg0j9sBmGb2TEBK/nMKCdyqONH+X/cdGCMIreMxcZ5pqu7
hBD/azcZI8jJr+tb0y3NHcfaT653HDAyeyOCD1OiDDlZeqzi1IGGW1p0ZHqg5J/+
NiGXnbCBT6NKzjvYfQ4nMYJaHGoZQDj8wHyFSUGKUFLjQ+L9X1ros8a1URhfinRf
0pDyFPfTmAI=
=6nmQ
-----END PGP SIGNATURE-----
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Proposed security policy for web-based apps

[David Morgan]

> > 1. The Gentoo package's maintainer will identify one *named* contact
> >    UPSTREAM for security-related matters, and one named general contact
> >    UPSTREAM (as a fallback for when the security contact is
> >    unreachable).

And what happens if upstream is only one person?


-- 
djm

-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Proposed security policy for web-based apps

[Stuart Herbert]

[-- Attachment #1: Type: text/plain, Size: 885 bytes --]

On Tue, 2005-07-05 at 23:12 +0100, David Morgan wrote:
> > > 1. The Gentoo package's maintainer will identify one *named* contact
> > >    UPSTREAM for security-related matters, and one named general contact
> > >    UPSTREAM (as a fallback for when the security contact is
> > >    unreachable).
> 
> And what happens if upstream is only one person?

In that case, it wouldn't be possible to have a fallback.  I wouldn't
want to exclude a package just because there's only one upstream dev.

Best regards,
Stu
-- 
Stuart Herbert                                         stuart@gentoo.org
Gentoo Developer                                  http://www.gentoo.org/
                                              http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Renat Lumpau]

[-- Attachment #1: Type: text/plain, Size: 381 bytes --]

On Tue, Jul 05, 2005 at 05:52:47PM -0400, Alec Warner wrote:
> > 3. This information will be checked every three months to ensure it
> >    remains valid.
> 
> Are you volunteering to do 3?  If not, who will?

I'll help.

-- 
Renat Lumpau
Gentoo developer
GPG key id #C6A838DA on http://pgp.mit.edu
Key fingerprint = 04AF B5EE 17CB 1000 DDA5  D3FC 1338 ADC2 C6A8 38DA

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Stuart Herbert]

[-- Attachment #1: Type: text/plain, Size: 824 bytes --]

On Tue, 2005-07-05 at 17:52 -0400, Alec Warner wrote:
> > 3. This information will be checked every three months to ensure it
> >    remains valid.
> 
> Are you volunteering to do 3?  If not, who will?

I'm proposing that 3. is the responsibility of the webapps herd
Strategic and Operational Leads - positions we need to create and elect
developers to.  Whether they do it themselves, or delegate it, would be
for them to decide.

Best regards,
Stu
-- 
Stuart Herbert                                         stuart@gentoo.org
Gentoo Developer                                  http://www.gentoo.org/
                                              http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Marius Mauch]

[-- Attachment #1: Type: text/plain, Size: 790 bytes --]

On Tue, 05 Jul 2005 21:21:35 +0100
Stuart Herbert <stuart@gentoo.org> wrote:

> Hi,
> 
> I'd like to introduce the following security policy for web-based
> apps. If there are no objections, every new web-based app will have
> to conform to the policy before it can be added to the tree.  Every
> existing web-based app will have to conform to the policy by the end
> of August, or I will remove it from the tree.

[snip]

Hmm, what's the criteria to decide if something falls under this policy
or not? Package category, maintainership, dependency on webserver, ...?

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Stuart Herbert]

[-- Attachment #1: Type: text/plain, Size: 896 bytes --]

On Wed, 2005-07-06 at 00:30 +0200, Marius Mauch wrote:
> Hmm, what's the criteria to decide if something falls under this policy
> or not? Package category, maintainership, dependency on webserver, ...?
> 
> Marius

The only criteria I can suggest is that any package which is maintained
by the web-apps herd would fall under this policy.

I'd love to see this policy adopted for all web-based packages, but I
respect the right of developers to make their own decisions about what
they think is best.

Best regards,
Stu
-- 
Stuart Herbert                                         stuart@gentoo.org
Gentoo Developer                                  http://www.gentoo.org/
                                              http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Radoslaw Stachowiak]

On 7/5/05, Stuart Herbert <stuart@gentoo.org> wrote:
> I'd like to introduce the following security policy for web-based apps.

Why only web-based apps? What about other tools and apps exposed to the network?

-- 
radoslaw.

-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Proposed security policy for web-based apps

[Diego 'Flameeyes' Pettenò]

[-- Attachment #1: Type: text/plain, Size: 754 bytes --]

On Wednesday 06 July 2005 20:10, Radoslaw Stachowiak wrote:
> Why only web-based apps? What about other tools and apps exposed to the
> network?
Webapps are simpler to install to base users, they are generally just a 
"extract, change perms, execute php stuff".
Other stuff is quite more difficult, and sometime you don't have new security 
bugs while upstream is away or dead. If all the "upstream away for more than 
3 months" or "upstream dead, package works like a charm" will be removed in a 
couple of months from portage, users will start complaining.
And I cannot say I would disagrees with them.

-- 
Diego "Flameeyes" Pettenò
Gentoo Developer - http://dev.gentoo.org/~flameeyes/
(Gentoo/FreeBSD, Video, Gentoo/AMD64, Sound, PAM)

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Martin Schlemmer]

[-- Attachment #1: Type: text/plain, Size: 1081 bytes --]

On Fri, 2005-07-08 at 11:58 +0200, Diego 'Flameeyes' Pettenò wrote:
> On Wednesday 06 July 2005 20:10, Radoslaw Stachowiak wrote:
> > Why only web-based apps? What about other tools and apps exposed to the
> > network?
> Webapps are simpler to install to base users, they are generally just a 
> "extract, change perms, execute php stuff".
> Other stuff is quite more difficult, and sometime you don't have new security 
> bugs while upstream is away or dead. If all the "upstream away for more than 
> 3 months" or "upstream dead, package works like a charm" will be removed in a 
> couple of months from portage, users will start complaining.
> And I cannot say I would disagrees with them.

Stupid question .. why does webapps.eclass have SLOT=${PVR} ? This
basically means that even a bump from foo-webapp-1.0-r1 to
foo-webapp-1.0-r2 will not unmerge foo-webapp-1.0-r1 ...  Why do you
want every version, never mind every revision slotted?


Thanks,

-- 
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Stuart Herbert]

[-- Attachment #1: Type: text/plain, Size: 1391 bytes --]

On Fri, 2005-07-08 at 12:58 +0200, Martin Schlemmer wrote:
> Stupid question .. why does webapps.eclass have SLOT=${PVR} ? 

If you're running a hosting server, and have many customers using the
same app, it may not be practical to bump them all at the same time.

* They may have different busy periods during the day, making it
impossible to schedule a common downtime.  
* Many upgrades require manual steps - it's less disruptive to upgrade
each installation one at a time.
* Different customers may want or need to run different versions of the
same app.  If a customer is happy with what they have, they may not wish
to upgrade.

> This
> basically means that even a bump from foo-webapp-1.0-r1 to
> foo-webapp-1.0-r2 will not unmerge foo-webapp-1.0-r1 ...

If you don't have USE=vhosts set, then the eclass will automatically
unmerge the older version.  If you have USE=vhosts set, then you're
telling Portage that you need the flexibility of running webapp-config
manually.

Best regards,
Stu


-- 
Stuart Herbert                                         stuart@gentoo.org
Gentoo Developer                                  http://www.gentoo.org/
                                              http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Stuart Herbert]

[-- Attachment #1: Type: text/plain, Size: 937 bytes --]

Hi,

On Wed, 2005-07-06 at 20:10 +0200, Radoslaw Stachowiak wrote:
> On 7/5/05, Stuart Herbert <stuart@gentoo.org> wrote:
> > I'd like to introduce the following security policy for web-based apps.
> 
> Why only web-based apps? What about other tools and apps exposed to the network?

That's for other herds and developers to decide for themselves.  My
proposal is aimed at the web-apps herd, which I am a member of.

There's nothing stopping anyone writing up a security policy GLEP if
they want to apply a policy to a wider range of apps.

Best regards,
Stu
-- 
Stuart Herbert                                         stuart@gentoo.org
Gentoo Developer                                  http://www.gentoo.org/
                                              http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Proposed security policy for web-based apps

[Aaron Walker]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart Herbert wrote:

<snip>

> Thoughts, comments, other (constructive) feedback?
> 
> Best regards,
> Stu

Sorry for my delayed response.. Just now getting caught up on my mail from the
last week.

I'm definitely in favor of something like this.  Btw, I agree with Mike and
Lance wrt to keeping upstream email contact in metadata.xml.  It'll be much
easier  for tools, etc, to be able to get that information.

Cheers
- --
We all know Linux is great...it does infinite loops in 5 seconds.

   -- Linus Torvalds

Aaron Walker <ka0ttic@gentoo.org>
[ BSD | cron | forensics | shell-tools | commonbox | netmon | vim | web-apps ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCzkpqC3poscuANHARAmgiAKCF9kF1vEDcPI0SwKWxrGdCxMlNbACeJ1bU
L06uBQA2YTTRBSeoINYQIpw=
=Cwqr
-----END PGP SIGNATURE-----
-- 
gentoo-dev@gentoo.org mailing list