List:       gentoo-dev
Subject:    Re: [gentoo-dev] Why masks are being used for security issues instead of GLSA?
From:       Sergey Popov <pinkbyte () gentoo ! org>
Date:       2014-09-30 10:23:01
Message-ID: 542A8485.7060102 () gentoo ! org
30.09.2014 14:11, Pacho Ramos wrote:
> On Tue, 30-09-2014 at 13:47 +0400, Sergey Popov wrote:
> [...]
>> I think you get some things wrong - they are masked not instead of
>> GLSA, but prior to it.
>>
>> Let me explain the process on behalf of my security hat - before
>> releasing a GLSA we should get rid of all vulnerable versions in the tree.
>> However, sometimes it leads to problems with migration to new
>> versions (usually happens with complex packages, for example OpenLDAP).
>> So, to mark that some versions are really not for ordinary users we can
>> security mask them. After that - we do not need to remove them, just
>> keep an eye that they would not be unmasked. The next step for these
>> versions is only to be removed from the tree, after all issues with
>> dependent packages are fixed.
>>
>> And then - we can proceed with making the GLSA. Masking of a package does not
>> replace making a GLSA and never did!
>>
>> If you claim that the GLSA making process is too slow, well... We have
>> a vast amount of security issues and not many people who handle them, so
>> - here we are...
>>
>> As for ppp, I masked it, because there are some packages in the tree that
>> hardcode usage of specific versions of ppp and they should be patched
>> BEFORE vulnerable versions of ppp leave the tree.
>>
>> I want to note that such practice was established a long time ago,
>> from the very beginning of the Gentoo Security team and I do not think that
>> we should change anything in it
>>
> 
> Only a question: why aren't GLSAs released until the vulnerable version
> is dropped? Wouldn't it be better for people relying on GLSAs to get
> the GLSA as soon as they can install the fixed version (I mean, when
> that version is stabilized)?
> 
> Thanks for the info :)
> 
> 

That's more like established practice than policy, because after
publishing a GLSA we should auto-close all relevant security bugs. And we
cannot do this if vulnerable versions are still in the tree. So it's better
to mask them to speed things up with publishing the GLSA; maintainers can
drop old versions of theirs later.

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Proxy maintainers project lead
