Brian G. Peterson wrote:
> This list is for 'security discussion', not 'security notification'. Also
> Simple. Posting, positing, and discussing known or potential vulnerabilities
> here is perfectly within bounds.
> [...]
> If you want *notification* to monitor the security of Gentoo, monitor
> Bugzilla's 'security' component. Simple. There, the answer is in the open.
Thanks for summing it up, Brian.
I'll try to address the concerns raised by this thread, which is mostly
about user information. Some of you feel that they are not correctly
informed about security issues. We follow a policy that was presented
here on this ML for comments about 6 months ago, and no one made a single
comment about it. Some of you now have issues with it; I'll try to
answer them.
1/ Major security issues (like the recent local root) should be posted
on this ML because gentoo-security subscribers deserve to know
Why not. You can post it here if you want. But what we really need is
that people post it in Bugzilla, because it's our workflow tool. Posting
it here will raise awareness, but it won't speed up resolution. That was
the idea of the first answers (Mike Frysinger, although not a member of
the security team, is not a very subtle guy and goes straight to the point).
2/ Gentoo has the duty of informing us of vulnerabilities when they are
known, not when they are fixed.
Look around and you will find that Gentoo has the most open security
resolution process of ALL Linux distributions. Security bugs are in
public bugzilla, we discuss those bugs in a public IRC channel
(#gentoo-security). The information is out there, but you want the
Gentoo Security Team to push it to you. Sorry, we won't do that. We are
completely overloaded already by just trying to handle all those
vulnerabilities and publish Security Advisories when they are fixed. The
GLSA Coordinators team is just 4 guys with day jobs, and we still manage
to do as much (and sometimes better) than commercial distributions with
full-staffed security teams. No distribution does what you're asking
for. Even if you pay RedHat for it, they still won't push information to
you about still unfixed vulnerabilities. Furthermore, information IS out
there. Go pick it up...
3/ Information on kernel vulnerabilities is not good
Every time this particular flamewar explodes on this list, it's about a
kernel vulnerability. I didn't see (yet) one about a root exploit in
mit-krb5 or any other package, which has MUCH MORE impact than a barely
exploitable local root. There is a reason for that. Kernel
vulnerabilities take longer to fix (for all sources) and GLSAs about
kernel vulnerabilities are always overdue. Our organisation and the
rules we follow are good for packages but not for kernels. We are
working on improving that. We feel you should be better informed about
kernel vulnerabilities, as soon as they are detected and as soon as a
particular sources set is fixed, to be able to know when to upgrade
kernels and plan everything. We'll stop issuing GLSAs about kernel
issues and replace them by a kernel security information webpage. This
is a project under way and you should see progress about it very soon.
4/ The Gentoo developers are a bunch of lazy asses that can't suffer
constructive comments and want to keep everything for themselves
I am fed up with this crap. As an operational manager for the Security
Team, I spend most of my free time wrangling security bugs, pushing the
other developers to provide fixed packages, drafting GLSAs, sending
them, scouting multiple security mailing-lists so that YOU, the user,
can be protected. You may think we are a closed group which does funny
stuff and keep you away from it. Hear this: this job is not funny. I
would like there to be more people in the security team so that I can
handle more of the things I like in Gentoo (like embedded). But I can't.
I asked for help here a few times but nobody steps up. When they do,
they quickly realize this work is NOT fun and they disappear. If
sometime in the future there isn't anyone watching, fixing and
publishing security advisories in Gentoo, maybe you'll look back at
this kind of thread and see the reason.
I will reiterate my call for help here. We need dedicated people, who
will spend a few hours per day handling security bugs (yes, the "Full of
Shit" Bugzilla has to be sorted out). You won't be paid, except by acid
remarks on this ML telling you that you should do more. Candidates?
http://www.gentoo.org/proj/en/security/
http://www.gentoo.org/security/en/padawans.xml
--
Thierry Carrez (Koon)
Operational Manager, Gentoo Linux Security