Date: Sat, 27 Aug 2011 08:13:02 -0400
From: Rich Freeman
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] No GLSA since January?!?
In-Reply-To: <4E58AF85.4020908@gocept.com>

On Sat, Aug 27, 2011 at 4:49 AM, Christian Kauhaus wrote:
> So in consequence I would appreciate having both mechanisms: a timely
> up-front notification via GLSAs (probably more brief than the past ones) and
> some sort of security masking.

The current GLSA mechanism already provides both of these. There are the email notifications, and there is an xml file that provides the masking information (which the glsa-checker tool and some package managers use).

From what I've seen (from a distance), the problem seems to be that both of these are created using a software tool which is apparently very cumbersome to use. However, both are just text files. Part of me wonders if a workflow like this would help solve the problem:

1. Some contributor posts a GLSA email and xml file to a security bug. This could be anybody. The content would be trimmed down a bit - perhaps just a CVE reference, and then the information on vulnerable and non-vulnerable versions.

2. Somebody on staff with commit access to the xml tree and the mailing list would review and send out the advisory, and mark this as done in the bug.

I also wonder if there would be value in sending out the notice after the fixed version is in the tree but before it is stable. Right now advisories wait until the last security-supported arch stabilizes the package. I would think that earlier notice would be useful - even if sysadmins want to wait for a package to become stable they'll know something is coming, and the delay on the major arches tends to be hours to days. Plus, if somebody can't wait they can test/install on their own, and perhaps even post feedback on the bug. Obviously notices would have to wait until after any blackout period ends.

Note that I'm basically advocating ditching the tool. A tool is good when it improves productivity. However, right now it appears that the tool is keeping people from contributing who want to contribute. Certainly things couldn't get worse without the tool. If a user just edits an xml template and email template and posts it on the bug, then very little work should be required to review the files before posting them. Contributors wouldn't need any special access either - freeing up devs to provide more of a QA role.

Ditching the tool would also simplify fixes to GLSAs. I haven't run it in a while, but took glsa-checker out of my cron ages ago when it would just report packages with vulnerabilities that had none. I did log bugs, but apparently adding one line to the xml files requires as much pain as sending out the original notice.

Bottom line, however, is I don't think that we can consider ourselves a serious distro if we don't provide timely security advisories.

All that said, I would say that from what I've seen in bugzilla, if you're on x86 or amd64 and running an updated stable tree, you shouldn't have longstanding security vulnerabilities. A new security bug pops up almost weekly, and packages are updated fairly quickly on those arches. The problem is just that we never tell anybody that we're doing it.

Rich
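An added example, not code from this thread or from Gentoo's glsa-checker, of the kind of check the "xml file that provides the masking information" enables: a trimmed advisory carrying just a CVE reference plus vulnerable and unaffected version ranges, evaluated against a set of installed package versions. The XML layout is an assumption modelled loosely on GLSA files, the advisory id, package name and CVE are constructed placeholders, and version comparison is a simplified dotted-number compare with -rN revisions rather than Gentoo's full version rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample advisory: placeholder id, package and CVE. The layout
# (package/unaffected/vulnerable with a 'range' attribute) is an assumption
# modelled loosely on GLSA XML, not copied from a real advisory.
SAMPLE_GLSA = """<glsa id="EXAMPLE-0001">
  <references><uri>CVE-XXXX-YYYY</uri></references>
  <affected>
    <package name="app-misc/example">
      <unaffected range="ge">1.2.3</unaffected>
      <vulnerable range="lt">1.2.3</vulnerable>
    </package>
  </affected>
</glsa>"""

RANGE_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
             "eq": lambda a, b: a == b, "ge": lambda a, b: a >= b,
             "gt": lambda a, b: a > b}

def parse_version(v):
    """Simplified compare key: 'X.Y.Z-rN' -> (X, Y, Z, N); no -rN means -r0."""
    base, _, rev = v.partition("-r")
    return tuple(int(p) for p in base.split(".")) + (int(rev or 0),)

def in_range(installed, elem):
    """Does the installed version satisfy the range an <unaffected>/<vulnerable> element gives?"""
    return RANGE_OPS[elem.get("range")](parse_version(installed),
                                        parse_version(elem.text.strip()))

def is_vulnerable(glsa_xml, package, installed):
    """True if the advisory marks this package version as affected. An
    <unaffected> match wins over <vulnerable>, so a fixed -rN revision of a
    vulnerable version is reported as safe rather than as a false positive."""
    root = ET.fromstring(glsa_xml)
    for pkg in root.iter("package"):
        if pkg.get("name") != package:
            continue
        if any(in_range(installed, u) for u in pkg.findall("unaffected")):
            return False
        return any(in_range(installed, v) for v in pkg.findall("vulnerable"))
    return False  # the advisory does not cover this package at all

def audit(glsa_xml, installed):
    """Check a {package: version} map; return (package, version, CVE) hits."""
    root = ET.fromstring(glsa_xml)
    cves = [u.text.strip() for u in root.iter("uri")
            if u.text and u.text.strip().startswith("CVE-")]
    return [(pkg, ver, cve) for pkg, ver in installed.items()
            if is_vulnerable(glsa_xml, pkg, ver) for cve in cves]
```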