From: Steve Long
To: gentoo-project@lists.gentoo.org
Subject: [gentoo-project] Re: gentoo security and packages.gentoo.org
Date: Sun, 30 Sep 2007 08:22:13 +0100
References: <200709232052.55608.arturo.g.arturo@gmail.com> <200709241531.22044.arturo.g.arturo@gmail.com> <200709280902.40733.arturo.g.arturo@gmail.com>

Arturo Garcia wrote:
> On Thursday 27 Sep 2007, Steve Long wrote:
>> No the point, as I see it, is that a security _audit_ of the code is now
>> being carried out. Not a fix to one bug.
> As I said, fine with me, but *do* it and then close the bug. Open new
> ones, assign them and link them to the original bug if you wish. We act
> on them and we close them as well.
>
Er, the point was that the audit *is* being carried out as we speak. How long
it takes depends on 1) how much time taviso has spare and 2) how much real
help he gets with it. We're getting a bit mixed up in terms of what is tracked
as a bug on bugzilla and the actual initial problem (the command injection.)
While the bug on bugzilla is about the injection problem, I personally
wouldn't close it till the audit has been completed and the service is back
on-line.

>> That's why it would be great if the report were submitted. Or do you
>> think it wise to bring the service back up with known flaws?
> What report?!? Onkobu offered help in auditing any future patches if
> anybody required so. Nothing more. Unfortunately, he got angry (no wonder)
> and pulled out. Maybe he is now running another distro... I haven't been
> in touch with him.
>
Well, it read more like there were other flaws which he had spotted (in the
bit I quoted at least.)
So: /that/ report of all the flaws you or anyone else can find. If you've
found the flaw you should know how to fix it, so attach a patch.

> Regarding the flaws, as I said, look at the code and find for yourself.

Er, why should I? I'm not a dev, nor am I that bothered. You, on the other
hand, seem quite concerned about this, yet reluctant to do anything.

> As far as I know, Tavis *has* reviewed the patch and the code. All that
> is outstanding is for the site to be tested. If he opens new bugs, then
> we will patch and close them.
>
One patch to one flaw, when you concede that there are others. Fine, if it's
been patched then close it and make a tracker for other flaws: it won't lead
to the service being back quicker; in fact it'll probably take longer since
additional bugs would be filed. To my mind, once he's found another flaw, it's
a lot less time to fix it: why then would it be useful to file a bug about it?

>> I didn't write the lines about the whole service needing reworking
>> either. I'm just trying to explain why I think the process is being
>> carried out properly.
> ?_? again. I don't understand what you are trying to say?!? I don't see
> the correlation between this and your (or my) first post. Sorry.
>
OK. My point is, and was, that an audit covers the whole codebase. IOW he
literally has to scan every single line. This process is being carried out
properly IMO, since to only patch one flaw and put the service back on-line
would be irresponsible at best.

> As a summary, the next step now is for security@gentoo.org to do their
> work (as Infra has *repeatedly* said and requested). If someone can poke
> them to do so please, it will be highly appreciated. If they audit, test,
> or jump on one foot while holding raw eggs on their head I don't care.
> It's their job.

Er, they're not paid for it, so it's not a job in the sense that you imply.
How exactly do you want "them" to be poked? As stated, there's only one dev
assigned to it and he's busy starting Uni. While I agree this is unfortunate,
I imagine there simply aren't that many security devs.

> Bug please test and come back to us. Thanks.
>
FWIW I totally agree that p.g.o should be back online as a matter of priority.
If you want that done, help with the audit: get a report together of all the
flaws (and fixes) that you can find. If not, stop whinging that no one else is
doing it (and more importantly stop telling me to do it), when a volunteer has
already been assigned. It'll take him as long as it takes him.

"With Free software you either do, or you wait." Pick one.

-- 
gentoo-project@gentoo.org mailing list