
SearchSecurity.com: "Linux patch problems: Your distro may vary"
Hi,

I just stumbled over an article from SearchSecurity.com which was linked to
in a heise newsticker posting that tries to analyze how fast distributions
react to security vulnerabilities:

http://tinyurl.com/lplfb

Quick chart:

Rank  Distro                     Points/100
----  -------------------------  ----------
  1.  Ubuntu                             76
  2.  Fedora Core                        70
  3.  Red Hat Enterprise Linux           63
  4.  Debian GNU/Linux                   61
  5.  Mandriva Linux                     54
  6.  Gentoo Linux                       39
  7.  Trustix Secure Linux               32
  8.  SUSE Linux Enterprise              32
  9.  Slackware Linux                    30

Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)

Any comments or thoughts about this?
Can we become better?
Are we maybe better than the author pretends?
Does the security team currently face serious problems that need to be
solved, be it inside or outside the security team?

I am just curious and would be glad to get some feedback :)
--
Regards,
Wolfram Schlich <wschlich@gentoo.org>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
--
gentoo-security@gentoo.org mailing list
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
On Monday 07 August 2006 13:42, Wolfram Schlich wrote:
> Hi,
>
> I just stumbled over an article from SearchSecurity.com which was linked to
> in a heise newsticker posting that tries to analyze how fast distributions
> react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
> Quick chart:
>
> Rank  Distro                     Points/100
> ----  -------------------------  ----------
>   1.  Ubuntu                             76
>   2.  Fedora Core                        70
>   3.  Red Hat Enterprise Linux           63
>   4.  Debian GNU/Linux                   61
>   5.  Mandriva Linux                     54
>   6.  Gentoo Linux                       39
>   7.  Trustix Secure Linux               32
>   8.  SUSE Linux Enterprise              32
>   9.  Slackware Linux                    30
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
>
> Any comments or thoughts about this?
> Can we become better?
> Are we maybe better than the author pretends?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?

comment?
yes.

I would like to know whether they counted until the patch/fix was announced or
until it was available.

If you are using unstable (~arch) you will get a lot of fixes BEFORE they are
announced. So when the nice 'package FOO is vulnerable, upgrade to FOO+1'
arrives, you think 'gee.. I updated to FOO+1 two nights ago....'.

So there is a difference between: fix is available for unstable, fix is
available for stable, fix is announced.

And I would like to know, which of the three got into that 'statistic'.
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
2006/8/7, Wolfram Schlich <lists@wolfram.schlich.org>:
> Hi,
>
> I just stumbled over an article from SearchSecurity.com which was linked to
> in a heise newsticker posting that tries to analyze how fast distributions
> react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
> Quick chart:
>
> Rank  Distro                     Points/100
> ----  -------------------------  ----------
>   1.  Ubuntu                             76
>   2.  Fedora Core                        70
>   3.  Red Hat Enterprise Linux           63
>   4.  Debian GNU/Linux                   61
>   5.  Mandriva Linux                     54
>   6.  Gentoo Linux                       39
>   7.  Trustix Secure Linux               32
>   8.  SUSE Linux Enterprise              32
>   9.  Slackware Linux                    30
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
>
> Any comments or thoughts about this?
> Can we become better?
> Are we maybe better than the author pretends?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?

Working with many distros, I have noticed only one minus of Gentoo: the
emerge system. That's why Gentoo is placed 6th...

--
Wojciech Ziniewicz | jid:zeth@chrome.pl
http://silenceproject.org | http://zetho.wordpress.com
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
Hi there,

On Monday 07 August 2006 13:42, Wolfram Schlich wrote:
> Any comments or thoughts about this?
> Can we become better?
> Are we maybe better than the author pretends?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?
>
> I am just curious and would be glad to get some feedback :)
I saw the article a few days back and here is a short summary of what I think
about it:

- I'm a bit disappointed with the result.

- The Security Team is short on staff so we're not as speedy as we once
were :-/

- The scores are not weighted to take severity into account.

- No exact references are given to the vulnerabilities in question, making it
hard to check.

- Secunia release dates are not the same as Gentoo release dates, as Secunia
seldom works during weekends.

- Unstable users usually get the fix hours or even days before the GLSA is
issued.

- My own non-scientific research indicates that we're not that bad compared to
other community distributions like Debian (at least when you compare the
latest GLSAs with the high severity rating).

If you want to help out the Security Team and have some relevant skills please
consult the link in my signature or send me a private email.

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team
http://security.gentoo.org
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
If you see a GLSA somewhere else than from Gentoo first, then you are doing
something wrong :)

Whatever I say here will probably be interpreted as crying, so I will
keep it to a minimum: But I doubt that this study is anywhere close to
representative. (For example, we never issued a GLSA for libmms, because we
never had to according to our policy since it was unstable. So, did we get 0
points for this?). And please note that security can't do shit about
missing maintainers and so on. In fact, security is only a relatively small
member of the whole security-related chain, although this may be surprising
at first.

All I can say is that I hope they will continue the "study", because
we will kick ass next time. We are already #2 of the community-only distros
(= no commercial background).

Kind regards,

Stefan
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
Hi,

Right: The big minus is the "emerge -vuND system". And this is due to the (bad) release management. Let me point out in more detail what I mean:

GOOD:
- The idea of the ebuilds is very good. In my opinion the bash code is good enough, too. This is the first possibility to build your own Linux controlled via some parameter files (make.conf, /etc/portage/...).

BAD:
- The ebuilds have external mirror references. So if you mirror a common Gentoo mirror and try to install offline, this won't work. As I'm currently working at a university, due to this problem there is also no possibility to install Gentoo on a bigger cluster (I know about the specialized scripts for doing this, but they are the wrong way).
- Some updates are "forced". Why should one mask X-6.9 "hard" and force people to use X-7? X-6.9 works fine with all of my PCs so far (even with DRI)! And X-7 works only without DRI (I know how to configure it; the drivers for the common i810, radeon2500, nvidia cards are not working properly).

Best regards: Gerolf


> -----Original Message-----
> From: gentoo-security@lists.gentoo.org
> Sent: 07.08.06 20:49:26
> To: gentoo-dev@lists.gentoo.org
> Subject: Re: [gentoo-security] SearchSecurity.com: "Linux patch problems: Your distro may vary"


> 2006/8/7, Wolfram Schlich <lists@wolfram.schlich.org>:
> > Hi,
> >
> > I just stumbled over an article from SearchSecurity.com which was linked to
> > in a heise newsticker posting that tries to analyze how fast distributions
> > react to security vulnerabilities:
> >
> > http://tinyurl.com/lplfb
> >
> > Quick chart:
> >
> > Rank  Distro                     Points/100
> > ----  -------------------------  ----------
> >   1.  Ubuntu                             76
> >   2.  Fedora Core                        70
> >   3.  Red Hat Enterprise Linux           63
> >   4.  Debian GNU/Linux                   61
> >   5.  Mandriva Linux                     54
> >   6.  Gentoo Linux                       39
> >   7.  Trustix Secure Linux               32
> >   8.  SUSE Linux Enterprise              32
> >   9.  Slackware Linux                    30
> >
> > Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
> >
> > Any comments or thoughts about this?
> > Can we become better?
> > Are we maybe better than the author pretends?
> > Does the security team currently face serious problems that need to be
> > solved, be it inside or outside the security team?
>
> Working with many distros, I have noticed only one minus of Gentoo: the
> emerge system. That's why Gentoo is placed 6th...
>
> --
> Wojciech Ziniewicz | jid:zeth@chrome.pl
> http://silenceproject.org | http://zetho.wordpress.com
> --
> gentoo-security@gentoo.org mailing list
>

--

***
Dipl. Phys. Gerolf Ziegenhain
Address: Klopstockstrasse 21 - 65187 Wiesbaden
Address (KL): Gerhart-Hauptmann-Strasse 16 - 67663 Kaiserslautern
Mobile: +49 - 170 - 4184453
Home: +49 - 631 - 41552905
VoIP: +49 - 2222 - 948730645 (no answering machine)
Fax: +49 - 1212 - 511029841
Email: mail.gerolf@ziegenhain.com
Web: http://gerolf.ziegenhain.com
ICQ: 267673380
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
Hi!

On Mon, Aug 07, 2006 at 10:11:23PM +0200, Sune Kloppenborg Jeppesen wrote:
> - Unstable users usually get the fix hours or even days before the GLSA is
> issued.

Why? I think security is important enough to force at least SOME admins to
upgrade a package from the current "stable, with security hole" to "unstable,
without security hole"... but for this, admins must know about this security
hole as soon as a fix for it becomes available, no matter whether in x86 or ~x86.

--
WBR, Alex.
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
On 8/8/06, Alex Efros <powerman@powerman.asdfgroup.com> wrote:
>
> Hi!
>
> On Mon, Aug 07, 2006 at 10:11:23PM +0200, Sune Kloppenborg Jeppesen wrote:
> > - Unstable users usually get the fix hours or even days before the GLSA is
> > issued.
>
> Why? I think security is important enough to force at least SOME admins to
> upgrade a package from the current "stable, with security hole" to "unstable,
> without security hole"... but for this, admins must know about this security
> hole as soon as a fix for it becomes available, no matter whether in x86 or ~x86.
>

The maintainer provides a new ebuild, but (s)he is not allowed to stable it
for any architecture unless (s)he is a member of that architecture team. So
often you have a fixed ebuild within the first day, but testing and stabling
take some time. (But sometimes you also have to wait weeks for a patch. But
that is another story).

If this update is so important to admins, they are welcome to monitor our
bugzilla activity to get 0-sec announcements of fixed ebuilds.
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
"Stefan Cornelius" <stefan.cornelius@gmail.com> writes:

> The maintainer provides a new ebuild, but (s)he is not allowed to
> stable it for any architecture unless (s)he is a member of that
> architecture team. So often you have a fixed ebuild within the first
> day, but testing and stabling take some time. (But sometimes you
> also have to wait weeks for a patch. But that is another story).
>
> If this update is so important to admins, they are welcome to
> monitor our bugzilla activity to get 0-sec announcements of fixed
> ebuilds.

Another possibility is that the version in ~arch already has the fix,
so that there might not be a new ebuild. There might be other reasons,
such as dependencies on other ~arch packages, for a delay in
stabilising the version with the fix. In these cases it would be
useful to have a security announcement stating the ~arch version is
not vulnerable and giving the reasons why the package cannot be made
stable in a timely manner. This would give the administrators enough
information to make their own risk assessment as to whether to upgrade to
the ~arch version (and all its dependencies) or keep running the
vulnerable version until the fix is put into stable.
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
On Tuesday 08 August 2006 09:03, Stefan Cornelius wrote:
> If you see a GLSA somewhere else than from Gentoo first, then you are doing
> something wrong :)

no, I did not say that.

What I meant was:

day X. Update for libFOO in unstable (~arch).

day X+2 GLSA about libFOO.

me:'oh, that is why there was that update two days ago. Well, good thing I
already did it'

Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
On Tuesday 08 August 2006 13:27, Hemmann, Volker Armin wrote:
> me:'oh, that is why there was that update two days ago. Well, good thing I
> already did it'

A GLSA gets issued when all security-wise supported architectures are marked
stable and the security team is convinced that it is necessary. There are no
GLSAs for ~arch stuff, since ~arch, security-wise, isn't supported. The
updates happen, but you are responsible if you don't really live on the
bleeding edge that ~arch is. Or to say it another way: If using ~arch, always
do --deep updates.


Carsten
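The exchange above leaves an admin with a concrete question: does the version
I actually have installed, stable or ~arch, fall inside a GLSA's vulnerable
range, or does it already carry the fix (possibly as a backported -rN
revision)? The following is an added example written for this archive page;
it is not code from the thread and not Gentoo's own glsa-check. It implements
the Gentoo (PMS) version ordering and evaluates the `<affected>` block of a
GLSA against a list of installed versions. The package names
(`dev-libs/libfoo`, `net-misc/bard`), the `<affected>` snippet and the
installed-version list are constructed for illustration; the element and
attribute names (`package`, `unaffected`, `vulnerable`, `range`) follow the
GLSA XML format.

```python
"""Decide whether installed Gentoo package versions fall inside a GLSA's
<vulnerable>/<unaffected> ranges, using Gentoo's (PMS) version ordering.
Added example for this archive page; not Gentoo's own glsa-check code."""
import re
import xml.etree.ElementTree as ET

# Suffix ordering: _alpha < _beta < _pre < _rc < plain release < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)


def parse_version(version):
    """Split e.g. '1.2.3b_rc1-r2' into (numeric parts, letter, suffixes, revision)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {version!r}")
    suffixes = [(name, int(num or 0)) for name, num in
                re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m["suffixes"])]
    return m["nums"].split("."), m["letter"] or "", suffixes, int(m["rev"] or 0)


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (PMS version comparison rules)."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    if c := _cmp(int(na[0]), int(nb[0])):
        return c
    for x, y in zip(na[1:], nb[1:]):
        # A component with a leading zero is compared as a string with trailing
        # zeros stripped, so 1.01 < 1.1, while 1.10 > 1.9 compares numerically.
        if x.startswith("0") or y.startswith("0"):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    if c := _cmp(len(na), len(nb)):   # 1.0.0 > 1.0
        return c
    if c := _cmp(la, lb):             # 1.0a > 1.0
        return c
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else ("", 0)   # no suffix == plain release
        y = sb[i] if i < len(sb) else ("", 0)
        if c := _cmp(SUFFIX_RANK[x[0]], SUFFIX_RANK[y[0]]) or _cmp(x[1], y[1]):
            return c
    return _cmp(ra, rb)               # finally the -rN revision


def version_in_range(installed, op, bound):
    """GLSA range ops: lt/le/eq/ge/gt, or r-prefixed (rge, rlt, ...), which only
    apply to the same base version and then compare the revision."""
    if op.startswith("r"):
        if compare_versions(installed.split("-r")[0], bound.split("-r")[0]) != 0:
            return False
        op = op[1:]
    c = compare_versions(installed, bound)
    return {"lt": c < 0, "le": c <= 0, "eq": c == 0, "ge": c >= 0, "gt": c > 0}[op]


def parse_affected(xml_text):
    """Map package name -> (unaffected ranges, vulnerable ranges)."""
    out = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        unaff = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        vuln = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        out[pkg.get("name")] = (unaff, vuln)
    return out


def is_vulnerable(installed, unaffected, vulnerable):
    """Vulnerable only if the version matches a vulnerable range and no
    unaffected range (so a backported -rN fix counts as fixed)."""
    if any(version_in_range(installed, op, v) for op, v in unaffected):
        return False
    return any(version_in_range(installed, op, v) for op, v in vulnerable)


def check_installed(glsa_affected_xml, installed):
    """installed: {package: [versions]} -> {'cat/pkg-ver': True if vulnerable}."""
    report = {}
    for name, (unaff, vuln) in parse_affected(glsa_affected_xml).items():
        for ver in installed.get(name, []):
            report[f"{name}-{ver}"] = is_vulnerable(ver, unaff, vuln)
    return report


# Constructed sample data: hypothetical packages, not a real GLSA.
SAMPLE_AFFECTED = """<affected>
  <package name="dev-libs/libfoo" auto="yes" arch="*">
    <unaffected range="ge">1.2.3-r1</unaffected>
    <vulnerable range="lt">1.2.3-r1</vulnerable>
  </package>
  <package name="net-misc/bard" auto="yes" arch="*">
    <unaffected range="rge">0.9.8-r2</unaffected>
    <unaffected range="ge">1.0</unaffected>
    <vulnerable range="lt">1.0</vulnerable>
  </package>
</affected>"""

SAMPLE_INSTALLED = {  # constructed: versions from a stable box and a ~arch box
    "dev-libs/libfoo": ["1.2.3", "1.2.3-r1"],
    "net-misc/bard": ["0.9.8-r1", "0.9.8-r2", "0.9.9", "1.0_rc1", "1.0"],
}

if __name__ == "__main__":
    for cpv, vuln in check_installed(SAMPLE_AFFECTED, SAMPLE_INSTALLED).items():
        print(f"{cpv:28s} {'VULNERABLE' if vuln else 'ok'}")
```

The `rge` range on `net-misc/bard` models the case Carsten describes: the fix
was backported to the stable series as a revision bump, so 0.9.8-r2 is clean
while 0.9.9 (a later ~arch version that does not carry the backport) is still
flagged, and the 1.0_rc1 prerelease sorts below 1.0 and is flagged as well.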
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
Gerolf Ziegenhain <mail.gerolf@ziegenhain.com> wrote on Tue, Aug 08, 2006 at 10:02:57AM +0200:

> BAD:
> - Some updates are "forced". Why should one mask X-6.9 "hard" and force people to use X-7? X-6.9 works fine with all of my PCs so far (even with DRI)! And X-7 works only without DRI (I know how to configure it; the drivers for the common i810, radeon2500, nvidia cards are not working properly).

Hi Gerolf,

Gentoo has no long-term support; by that I mean it's not a release
distro that keeps "old" stuff and fixes it for a certain amount of time.
Gentoo just moves on.

It's not a technical problem, although this approach has its downsides,
as you already pointed out. But it is Gentoo's philosophy.

Sebastian
Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
Sebastian Kemper <sebastian_ml@gmx.net> wrote on Tue, Aug 08, 2006 at 01:59:55PM +0200:

> > - Some updates are "forced". Why should one mask X-6.9 "hard" and force people to use X-7? X-6.9 works fine with all of my PCs so far (even with DRI)! And X-7 works only without DRI (I know how to configure it; the drivers for the common i810, radeon2500, nvidia cards are not working properly).

Oh, I thought you were writing about X.org 6.8. Sorry, my mistake.
Never mind then ;-)

Sebastian