From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 6B80B138247 for ; Sat, 18 Jan 2014 18:19:27 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3EA6BE0B8B; Sat, 18 Jan 2014 18:19:21 +0000 (UTC) Received: from mail.a3li.li (sawfish.a3li.li [89.238.78.10]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 29E36E0B84 for ; Sat, 18 Jan 2014 18:19:20 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.a3li.li (Postfix) with ESMTP id 26800229BEE; Sat, 18 Jan 2014 19:19:19 +0100 (CET) X-Virus-Scanned: amavisd-new at a3li.li Received: from mail.a3li.li ([127.0.0.1]) by localhost (stingray.a3li.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WxM_WhNIFktd; Sat, 18 Jan 2014 19:19:17 +0100 (CET) Received: from [IPv6:2001:6f8:12e4:0:6267:20ff:fe71:fb00] (unknown [IPv6:2001:6f8:12e4:0:6267:20ff:fe71:fb00]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.a3li.li (Postfix) with ESMTPSA id 27327229BEB; Sat, 18 Jan 2014 19:19:17 +0100 (CET) Message-ID: <52DAC594.20005@gentoo.org> Date: Sat, 18 Jan 2014 19:19:00 +0100 From: Alex Legler User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 To: gentoo-dev@lists.gentoo.org CC: security@gentoo.org Subject: Re: [gentoo-dev] Regarding long delays on GLSA generation References: <1390059274.24148.80.camel@belkin5> <52DAA58B.7060402@gentoo.org> <1390062615.24148.87.camel@belkin5> <52DAB93F.50706@gentoo.org> <1390066729.24148.98.camel@belkin5> In-Reply-To: <1390066729.24148.98.camel@belkin5> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Archives-Salt: ca242313-4633-48b1-a37f-10cd66b1d03b X-Archives-Hash: f2ec118f23946a164c495d4d4fdbccc0 On 18.01.2014 18:38, Pacho Ramos wrote: > […] > > Then, how are you finally going to fix this? Thank you for finally showing interest in anything we do. Here is how we are 'finally' going to fix this. > Only for knowing, I still > was seeing some delays and, then, I though situation was not improved. > For example, since this year started, I have only seen 8 GLSAs filled: > http://www.gentoo.org/security/en/glsa/ Er, we're 18 days in… You shouldn't look at this purely by the numbers, you should see that we have now again a steady stream of advisories going not. No gaps like from 2013-01 to 2013-07. That is largely the effort of the recently-joined members. > > Then, I thought something was still wrong as that rate didn't seem > enough to me for handling upcoming security issues and the really old > ones. Also, if you that 8 GLSAs, you will see the only one that has been > done in a fast way is the ntp one, the other 7 took months (or years) to > be handled. So you observed correctly there's still plenty of delays. There are three parts to an advisory that take time: - Drafting: Collecting information, linking references, getting package versions done right (slots are a huge pain still). - Reviewing: Our current process asks for two independent positive reviews from other team members before an advisory can be sent. - Sending: The original author gets a .txt to email and have to check in the .xml to CVS. Going through these three steps requires at least three people, and the (group of) people whose action is required shifts twice. That overall process is spot #1 we are planning to improve. The current plan contains requiring only one review and the reviewer sends the advisory directly. So we go from author -> reviewer 1 -> reviewer 2 -> author to just author -> reviewer. Concerning the single steps here are other measures: - Drafting: Implement a new GLSA format to * reduce the amount of editorial text written by us * support slots (makes specifying vulnerable ranges in slotted package much easier) * (cleanup old stuff no longer needed) - Reviewing: Reduced editorial text means less to review. - Sending: We want to improve our tooling to automatically send advisories and push them to a git repository. The new GLSA format was up for review on -security last week. Next up will be getting it specified formally, implemented in our tooling, glsa-check and a new security.g.o frontend. [1] Then, we can adopt the new workflow. > > Then, instead of blaming on how should I have asked for clarification on > this (well, looks like the main topic here is that I have asked about > this in ML instead of the real problem :O), I think you should focus on > explaining how are you fixing this problem. Your original email didn't reflect actual interest in the details. Now that we've established you do care, I hope my explanations helped you out there. > I have been long time wondering about this because: > 1. I usually get lots of bugs from alias I am a member whose we go fast > bumping, calling for stabilization and dropping vulnerable versions and, > the, the bugs get stalled. > 2. Once of the machines I maintain would benefit from being able to use > glsacheck to only update vulnerable packages as not always have enough > time for updating the full world > > > [1] Lots of code to be written here. .py+.rb, help wanted! -- Alex Legler Gentoo Security/Ruby/Infrastructure