Security Response Team / EOL

Michael Schwendt bugs.michael at gmx.net
Fri Apr 28 16:48:05 UTC 2006


On Fri, 28 Apr 2006 17:50:36 +0200, Ralf Corsepius wrote:

> On Fri, 2006-04-28 at 17:12 +0200, Michael Schwendt wrote:
> > On Fri, 28 Apr 2006 14:29:49 +0200, Ralf Corsepius wrote:
> > 
> > > Or to put it differently: I think you are mixing 2 completely
> > > independent issues:
> > > * Regular maintenance of "legacy" packages which the "nominal maintainer" in
> > > current has abandoned actively maintaining.
> > > * Security response. 
> > 
> > Well, I tried to separate these two. But others didn't like the idea of
> > a "Fedora Extras Legacy Team" (= the combined set of Fedora Extras
> > Contributors who still support old legacy branches). Currently I still
> > don't know _who_ would maintain old legacy packages, if not the Fedora Extras
> > Security Response Team.
> 
> I think we are still talking past each other.

I don't think so. ;)

> Let me try to give an
> (worst case) example of what I am talking about:
> 
> "Maintainer" once submitted a package when FC3 was "devel", The package
> had been build for FC2, too. Meanwhile, FC5 is out, devel is future FC6.
> "Maintainer" has switched to actively using FC5 and therefore is not
> actively using Fedora < 5 anymore.

This is not a worst case, this is pretty normal, IMO. Scenario: "FC5 has
just been released. Packager's primary machine is upgraded to FC5. FC4 is
abandoned. FC3 even more." I'm aware that some packagers use mock to
test-build their packages for older dists. I'm also aware that some use
multi-boot environments or virtual machines to do run-time tests. But
often, overall package quality suffers when package maintainers no longer
use the old distributions regularly.
 
> He therefore releases upgrades for "FC5" and "devel", but skips anything
> older than FC4. Now he has a sudden accident sending him to hospital for
> 2 months - Nobody notices.

Which is what we've experienced several times before. Not in the form of an
accident, but packagers "dropping off" silently, leaving behind open
bugzilla tickets and orphaned packages.
 
> Now, somebody (outside of Fedora) finds a severe exploit with this
> package, affecting all versions from FE2 through "devel".

... and submits a bug report which goes unnoticed unless some of us skim
over all new reports (or at least try to, which is very difficult, since
_old_ reports moved from one Product to another may be missed) and add
these to the tracker bugs.
 
> Questions: What will happen next, and who will perform which kind of
> action?

We need policies, so either

a) an official team inside Fedora Extras gets the power (= the privileges)
to intervene,

or

b) arbitrary FE Contributors can intervene in accordance with
policies.

This is not just about security vulnerabilities. It can also happen that a
critical bug in a popular package doesn't get fixed, because the package
owner seems to be unavailable (or is known to be unavailable).
 
> First of all, somebody in Fedora has got to know about this
> exploit. As you can't expect packagers to follow all potential security
> lists, and given the fact that security issues are often kept secret, getting to
> know about security issues isn't necessarily easy.
> 
> Then, somebody will have to implement a fix, and to apply it. In some
> cases, such fixes will be available from external sources, in some cases
> the packager will be able to develop a fix himself, but one can't rely
> on either of these possibilities.
> 
> At this point the question of "Who does what?", i.e. coordination and
> responsibilities, comes into play. ATM, Legacy should fix FE2, the
> packager would fix FE5 and devel, maybe he would try to fix FE4 - FE3
> would stay vulnerable.

Yes, this is why this needs coordination and monitoring, best performed
by people who focus on these things, instead of random contributors
who notice a bug report and only fix "part of the mess".
 
> As he had an accident, probably nothing would happen, until somebody
> starts shouting loudly.
> 
> Therefore, I say: We need a "Security Task force", monitoring security
> lists, assisting in providing fixes, taking actual action regardless of
> package ownership, when necessary.
> 
> If one brings this thought to an end, you'll notice that the situation
> becomes even more difficult, when considering packagers outside of FE,
> such as Core or Legacy - In my opinion, it substantially questions this
> split.

Have you seen my earlier posting?
(Date: Fri, 28 Apr 2006 11:31:33 +0200)
No reply to it yet.

