25.09.2014 16:42, Andrew Savchenko writes:
> Hello,
>
> many packages in tree are masked due to security issues instead of
> issuing GLSA for them. Why? At this moment I counted 56 such
> packages in package.mask.
>
> Some of these packages have GLSAs issued (e.g. nethack and friends)
> and have no fixes, so this is understandable. But most packages are
> just masked "due to security bugs", I recently stumbled upon:
> ppp, mariadb, mysql, vlc...
>
> Why is such masking bad? Because it undermines the whole idea of
> GLSA as a sole security provider for Gentoo users.
>
> I manage about 50 Gentoo boxes (with more than 10 unique setups)
> and I'm not an update monkey to update them weekly. My usual
> workflow is to emerge all world somewhere within 6 months and 1
> year, but to install security updates regularly and critical ones
> ASAP. GLSA serves this purpose well (Yes, I understood that the
> security team can't embrace all issues so some extra lookup for
> CVEs is needed as well). But security-masked packages undermine
> such an approach, because they're not listed in glsa-check -l affected
> and the message about masked packages doesn't appear in elog, only on
> top of the build log, which is likely to be lost.
I think you have got some things wrong: they are masked not instead of a GLSA, but prior to it. Let me explain the process with my security hat on. Before releasing a GLSA we should get rid of all vulnerable versions in the tree. However, sometimes that leads to problems with migration to new versions (usually happens with complex packages, for example OpenLDAP). So, to mark that some versions are really not for ordinary users, we can security-mask them. After that we do not need to remove them, just keep an eye on them so that they are not unmasked. The next step for these versions is only to be removed from the tree, after all issues with dependent packages are fixed. And then we can proceed with making the GLSA.

Masking of a package does not replace making a GLSA and never has!

If you claim that the GLSA-making process is too slow, well... We have a vast amount of security issues and not many people who handle them, so here we are...

As for ppp, I masked it because there are some packages in the tree that hardcode usage of specific versions of ppp, and they should be patched BEFORE vulnerable versions of ppp leave the tree.

I want to note that such practice was established a long time ago, from the very beginning of the Gentoo Security team, and I do not think that we should change anything in it.

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Proxy maintainers project lead
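The practical gap Andrew raises is that a security-masked package shows up neither in `glsa-check -l affected` nor in elog. As an added example (not from this thread and not Gentoo's own tooling), the script below does the cross-check an administrator of many boxes would want: it parses a package.mask in the usual layout (a `#` comment block followed by atom lines, blocks separated by blank lines), keeps only the blocks whose comment mentions "security", and reports which installed packages fall under those atoms. The package.mask text and the installed-package list are constructed samples; the version comparison is a deliberate simplification of portage's rules (numeric dotted components plus `-rN` revision, `_beta`/`_rc`/letter suffixes ignored), so treat the output as a hint to go read the mask comment, not as a verdict.

```python
"""Report installed packages hit by a security mask in package.mask.

Added example, not part of the mailing-list thread and not Gentoo tooling.
Assumptions: package.mask uses the usual "# comment block, then atoms,
blank line between blocks" layout; installed packages are given as
cat/pn-ver strings; version comparison is simplified (see version_key).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample package.mask: authors, dates, bug numbers and versions
# are illustrative only and do not describe any real mask entry.
SAMPLE_PACKAGE_MASK = """\
# Header comment block without atoms, as in the real file; it is skipped.

# Example Dev <dev@example.org> (25 Sep 2014)
# Masked due to security bugs. Dependent packages need patching
# before these versions leave the tree.
<net-dialup/ppp-2.4.7

# Example Dev <dev@example.org> (20 Sep 2014)
# Beta release masked for testing only, not ready for general use.
=media-video/vlc-2.2.0_beta*

# Example Dev <dev@example.org> (18 Sep 2014)
# Security mask: multiple vulnerabilities fixed in 5.5.39.
<dev-db/mariadb-5.5.39

# Example Dev <dev@example.org> (10 Sep 2014)
# Masked: security bugs with no upstream fix, GLSA issued.
games-roguelike/nethack
"""

# Constructed installed-package list (cat/pn-ver, as printed by e.g. qlist -Iv).
SAMPLE_INSTALLED = [
    "net-dialup/ppp-2.4.5-r3",
    "media-video/vlc-2.1.5",
    "dev-db/mariadb-5.5.38",
    "games-roguelike/nethack-3.4.3",
    "sys-apps/portage-2.2.8-r1",
]

# op, cat/pn, optional version (starts with a digit after a hyphen), optional '*'.
ATOM_RE = re.compile(
    r"^(?P<op>>=|<=|>|<|=|~)?(?P<cp>.+?)(?:-(?P<ver>\d[^*]*))?(?P<glob>\*)?$"
)


def parse_security_masks(text: str, pattern: str = r"\bsecurity\b") -> List[Tuple[str, str]]:
    """Return (atom, reason) for every atom whose mask comment matches pattern."""
    blocks: List[Tuple[List[str], List[str]]] = []
    comment: List[str] = []
    atoms: List[str] = []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last block
        line = raw.strip()
        if not line:
            if atoms:                       # comment-only blocks carry no masks
                blocks.append((comment, atoms))
            comment, atoms = [], []
        elif line.startswith("#"):
            comment.append(line.lstrip("#").strip())
        else:
            atoms.append(line)
    out: List[Tuple[str, str]] = []
    for comment, atoms in blocks:
        reason = " ".join(comment)
        if re.search(pattern, reason, re.IGNORECASE):
            out.extend((atom, reason) for atom in atoms)
    return out


def version_key(ver: str) -> Tuple[List[int], int]:
    """Simplified ordering key: dotted numeric parts, then -rN revision.
    Suffixes such as _beta/_rc are dropped, which real portage does not do."""
    main, _, rev = ver.partition("-r")
    nums = [int(x) for x in re.findall(r"\d+", main.split("_")[0])]
    return nums, int(rev) if rev else 0


def atom_matches(atom: str, installed: str) -> bool:
    """True if the installed cat/pn-ver falls inside the mask atom."""
    m, i = ATOM_RE.match(atom), ATOM_RE.match(installed)
    if not m or not i or m["cp"] != i["cp"]:
        return False
    op, mver, iver = m["op"], m["ver"], i["ver"]
    if mver is None:
        return True                         # unversioned atom masks every version
    if iver is None:
        return False
    if op in (None, "="):
        return iver.startswith(mver) if m["glob"] else iver == mver
    if op == "~":
        return version_key(iver)[0] == version_key(mver)[0]   # any revision
    ik, mk = version_key(iver), version_key(mver)
    return {"<": ik < mk, "<=": ik <= mk, ">": ik > mk, ">=": ik >= mk}[op]


def installed_security_masked(mask_text: str, installed: List[str]) -> Dict[str, str]:
    """Map each installed package hit by a security mask to the mask's reason."""
    hits: Dict[str, str] = {}
    for atom, reason in parse_security_masks(mask_text):
        for pkg in installed:
            if atom_matches(atom, pkg):
                hits[pkg] = reason
    return hits


if __name__ == "__main__":
    for pkg, why in sorted(installed_security_masked(SAMPLE_PACKAGE_MASK, SAMPLE_INSTALLED).items()):
        print(f"{pkg}: {why}")
```

On a real box you would feed it the tree's profiles/package.mask and the installed list from your package manager (the `qlist -Iv` form above is an assumption about the exact invocation); run it next to `glsa-check -l affected`, not in place of it, since, as Sergey explains, the mask is a step before the GLSA rather than a substitute for it. The "security" keyword filter is a heuristic on free-text comments, so a mask worded differently will be missed; widen the pattern if your tree uses other phrasing.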