Date: Thu, 14 Apr 2022 20:38:31 -0500
From: John Helmert III
To: gentoo-dev@lists.gentoo.org
Cc: security@gentoo.org
Subject: [gentoo-dev] [RFC] Security Bug Assignment Change

Hi all!

Currently all security bugs are assigned to security@g.o, always.
This can easily lead to some confusion about who needs to do something about a given bug; right now this is generally tracked by whiteboard magic strings that probably not many people outside of the Security Project understand [1], and this has been a source of confusion around security bugs for a long time.

To make it abundantly clear who needs to take action for a given bug, I propose we move away from the dogma of security@ always being assigned to security bugs, and instead assign bugs to whoever needs to take action for the bug. For example, on security bugs that need a package bumped or cleaned up, the package maintainer would be assigned. For bugs needing a GLSA, security@ would be assigned.

As a nice side effect, this would be a step towards making security bug state discernible outside of the human-maintained and oft-stale whiteboard. In the long term, a maintainer's security bugs could be more easily tracked via things like packages.g.o.

As far as bug handling goes, I see two obvious (though rather minor) sticky points:

- Who do we assign bugs to when a bug is in stabilization state? The stabilization bug will always be assigned to the maintainer, but the security bug will be neither actionable by the maintainer nor security@ until the stabilization is finished.

- Rarely, we have a security bug that affects multiple packages with different maintainers (e.g. a package and its -bin variant). Under this scheme, we would have to always separate bugs by package maintainer.

I'm not proposing any change to the Bugzilla product or component, so security bugs will still be able to be exhaustively enumerated this way, but any tooling that relies on security bugs always being assigned to security@ would have to be changed.

What do you all think?
[1] https://www.gentoo.org/support/security/vulnerability-treatment-policy.html "Severity Level" section