From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: 
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D61B41382F6
	for ; Wed,  6 Jul 2016 08:04:22 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id B20539408A;
	Wed,  6 Jul 2016 08:04:16 +0000 (UTC)
Received: from virtual.dyc.edu (mail.virtual.dyc.edu [67.222.116.22])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id CEDF7141E9
	for ; Wed,  6 Jul 2016 08:04:15 +0000 (UTC)
Received: from greysprite.dite (cpe-74-77-145-97.buffalo.res.rr.com [74.77.145.97])
	by virtual.dyc.edu (Postfix) with ESMTPSA id D4AB67E0040
	for ; Wed,  6 Jul 2016 04:04:14 -0400 (EDT)
Subject: Re: [gentoo-dev] why is the security team running around p.masking packages
To: gentoo-dev@lists.gentoo.org
References: <4c319530-3c7c-e8e3-300d-c80c84cf6674@gentoo.org>
 <20160704234030.32bad9b5b2fb31f9a7d2ce73@gentoo.org>
 <2de84980-63aa-8654-21f5-cc8d9dfe0bf6@opensource.dyc.edu>
 <833d0a62-7792-4d86-b9a6-62c6dea62d69@gentoo.org>
From: "Anthony G. Basile" 
Message-ID: <82208db8-c826-62a5-1775-32b83abdfffd@opensource.dyc.edu>
Date: Wed, 6 Jul 2016 04:04:14 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
Precedence: bulk
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
List-Id: Gentoo Linux mail 
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
In-Reply-To: <833d0a62-7792-4d86-b9a6-62c6dea62d69@gentoo.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Archives-Salt: 8b49450b-4feb-41a5-b773-c31260925d98
X-Archives-Hash: f2785aa42ef9aa5662730092e417fd49

On 7/5/16 10:43 PM, Aaron Bauman wrote:
>
> That CVE request was not from Ago. It was from the respective OSS ML
> referenced in the URL field of the bug report. Not to mention, you as a
> maintainer were able to discover another issue with that package and fix
> it.
>

You never bothered to follow that OSS ML link. For others reading this
email, here is the link:

http://www.openwall.com/lists/oss-security/2013/02/24/5

Here's a copy of that entire email:

Date: Sun, 24 Feb 2013 20:00:57 +0100
From: Agostino Sarubbo
To: oss-security@...ts.openwall.com
Subject: CVE request: monkeyd world-readable logdir

Monkeyd, a small, fast, and scalable web server, produces, at least on
gentoo, a world-readable log.

# ls /var/log/monkeyd/master.log -la
-rw-r--r-- 1 root root 0 Feb 24 19:56 /var/log/monkeyd/master.log

Upstream site: http://www.monkey-project.com/

--
Agostino Sarubbo
Gentoo Linux Developer

That is what you p.masked on. That's it. Neither you nor Ago really
understood the issue with monkeyd's logging. There were no followup
emails and no CVE was assigned. It's junk. By both initiating and
following through on such low quality bugs, you are damaging the
reputation of the security project.

>> I personally would like to see only QA oversee any forced p.maskings and
>> have the security team pass that task over to QA for review. By forced
>> I mean without the cooperation of the maintainer.
>>
>
> Again, no one else has had an issue with this except you. The one who
> doesn't want to cooperate.

Having people review your work is a good idea, no? So in cases where
security wants to touch a package, why not ping the maintainer first
and in case of a dispute or no response, escalate the issue to QA who
will review the problem and act. Are you okay with this change in
procedure?

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
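The oss-security report quoted in the message above rests on a single observation: a log file created with mode 0644 is readable by every local user. The script below is an added example, not code from Gentoo, the security project, or monkeyd, showing the check a maintainer would run before deciding whether such a report is worth a mask: audit a log directory for world-readable regular files and, if wanted, strip the "other" bits. The directory it inspects is a constructed fixture in a temporary directory that mimics /var/log/monkeyd (one 0644 file, one 0640 file); the 0750/0640 target modes are an assumption, not a documented monkeyd or Gentoo convention.

```python
"""Audit a log directory for world-readable files and optionally tighten them.

Added example, not Gentoo's or monkeyd's own code.  The sample directory is
constructed inline so the script runs offline; target modes are assumptions.
"""
import os
import stat
import tempfile


def world_readable(path: str) -> bool:
    """True if the 'other' class has read permission on path (the 0644 case)."""
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def audit_logdir(logdir: str) -> list[str]:
    """Return paths (relative to logdir) of regular files readable by 'other'.

    Only regular files are reported; symlinks and sockets are skipped because
    their own mode bits are not what governs access to the log data.
    """
    findings = []
    for root, _dirs, files in os.walk(logdir):
        for name in files:
            p = os.path.join(root, name)
            if stat.S_ISREG(os.lstat(p).st_mode) and world_readable(p):
                findings.append(os.path.relpath(p, logdir))
    return sorted(findings)


def tighten(logdir: str, dir_mode: int = 0o750, file_mode: int = 0o640) -> list[str]:
    """Drop 'other' access: directories get dir_mode, world-readable files get file_mode.

    Returns the relative paths of files whose mode was changed.  os.chmod sets
    the mode explicitly, so the process umask does not affect the result.
    """
    changed = []
    os.chmod(logdir, dir_mode)
    for root, dirs, files in os.walk(logdir):
        for d in dirs:
            os.chmod(os.path.join(root, d), dir_mode)
        for name in files:
            p = os.path.join(root, name)
            if stat.S_ISREG(os.lstat(p).st_mode) and world_readable(p):
                os.chmod(p, file_mode)
                changed.append(os.path.relpath(p, logdir))
    return sorted(changed)


def build_sample_logdir() -> str:
    """Constructed fixture: a 0755 directory holding master.log (0644) and access.log (0640)."""
    d = tempfile.mkdtemp(prefix="monkeyd-")
    os.chmod(d, 0o755)
    for name, mode in (("master.log", 0o644), ("access.log", 0o640)):
        p = os.path.join(d, name)
        with open(p, "w"):
            pass
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    d = build_sample_logdir()
    print("world-readable before:", audit_logdir(d))  # ['master.log']
    print("tightened:", tighten(d))                    # ['master.log']
    print("world-readable after:", audit_logdir(d))   # []
```

Running the audit against a real system only tells you the current state; whether it stays fixed depends on how the daemon opens its log (the umask or explicit mode at creation time) and on how the package's install phase creates the directory, which is where a permanent fix belongs. A world-readable, root-owned log that a local user can read is an information-disclosure issue whose severity depends entirely on what the daemon writes there, which is the assessment the message above argues was never made.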