Re: Making Fedora secure - Package exit policy for security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Aug 01, 2018 at 10:40:20AM +0530, Huzaifa Sidhpurwala wrote:
> On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote:
> 
> > 
> > Do we have any analysis showing what would be the fallout if we applied
> > these purge rules today ? ie what packages would be dropped today due
> > to unaddressed CVEs.
> > 
> See reply to my previous email. Also i have attached the list here. I
> did some random analysis and came up with the following conclusion:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1493497
> This one is ftbs on ppc
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1488785
> This one was actually fixed, but the bug did not close
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1487715
> This is iamgemagick so one of many cves which are open against it.

The list of ImageMagick CVEs is horrific - 59 open CVEs - for something
that is often going to be used in a scenario where it is fed untrustworthy
images.  exiv2 is pretty concerning too with 19 open CVEs, again for
something often used with untrustworthy input images :-(

> > Then, from that list of packages, do we have idea of reasons why
> > their CVEs are not getting fixed in Fedora. This could perhaps identify
> > changes to help with the problem(s), rather than jumping straight to
> > the big stick of dropping packages.
> 
> I definitely want to address the core problem here, but i dont want to
> go through tens and even sometimes hundreds of bugs to figure out why
> they have not been fixed. Shouldnt the package maintainer be doing it in
> the first place?

Obviously the responsibility lies with the package maintainer, but look
at what Fedora says their responsibility is:

  https://fedoraproject.org/wiki/Package_maintainer_responsibilities

[quote]
  Manage security issues

  Package maintainer should handle security issues quickly, and if they
  need help they should contact the Security Response Team.
[/quote]

The bugs we file against packages have big boilerplate text, but that's
focused around the mechanics of submitting updates, and again doesn't
give any guidance on how effectively triage the security bugs.

Some maintainers are lucky enough to have experience of dealing with CVEs
from RHEL work, but many/most are not. The reality is much more nuanced
than "should handle security issues quickly". IMPORTANT and CRITICAL rated
security bugs must be handled on very different timeframe from LOW rated
bugs. The latter would be valid to just wait for a rebase in future Fedora
major release and mark CLOSED->UPSTREAM, while the former is something
you'd want to urgently backport fixes for into all existing releases.
MODERATE bugs get into a grey area where its hard to give a clear rule,
as urgency to fix them varies depending on usage context of the package.

So I can't put all blame on the package maintainers for failing to deal
with CVEs appropriately, when we're setting them up to fail by giving
little-to-no guidance on what's really expected in this area.

That's obviously not the entire story here though - even with better docs,
I'm confident we'd still have a significant problem to consider. Some of
this may well be a result of maintainers simply having too many packages
to deal with. With the traditional "single owner" model of Fedora package
maint there's a tendancy to leave the fixing to the officially assigned
owner. For packages that we see a high volume of CVEs against, we perhaps
need to work ensure there are multiple maintainers recorded against the
package to give some redundancy.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/XO2BWQQBYOJGVARM45VUKSWU66NOLRPV/




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux