Bad press again...

Re: Bad press again...

Martin-35
On Sat, Aug 27, 2005 at 11:07:21AM +0200, Florian Weimer wrote:
> apart from unanswered email messages to <[hidden email]>, there
> are few complaints, AFAIK.  The email part is very unfortunate indeed,

I'm not entirely happy with the lack of redundancy.

Given the (not only commercial) significance of Debian, the size
of the distribution, and the complexity of today's software
combined with the openness of the net, a team of at least five,
maybe ten people might not be unjustifiable.
(testing security team: 19 people, right?)

Cheers, WB


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: Bad press again...

Florian Weimer
In reply to this post by Henrique de Moraes Holschuh
* Henrique de Moraes Holschuh:

> On Sat, 27 Aug 2005, Florian Weimer wrote:
>> I don't think so.  Joey seems to be satisfied with this situation, and
>> apart from unanswered email messages to <[hidden email]>, there
>> are few complaints, AFAIK.  The email part is very unfortunate indeed,
>> but it probably doesn't warrant drastic measures.
>
> Since when increasing the stable security team (i.e. adding more
> people) is a drastic measure?

Correct me if I'm wrong, but the current team doesn't seem to want new
members.  If you nevertheless force new members upon them, you are in
fact looking for a complete replacement.  This is what I call
"drastic".




Re: Bad press again...

Rudolf.Lohner (Bugzilla)
In reply to this post by martin f krafft
On Saturday, 27 August 2005 15:44, martin f krafft wrote:
> No. Imagine exim gets a root exploit and I spoof the DNS to some
> mirror of s.d.o. That mirror will be consistent wrt secure APT, but
> it won't get updates, so admins who don't follow DSAs and run
> apt-get upgrade consciously and carefully are going to be left in
> the naive belief that they are safe because s.d.o doesn't have any
> new stuff.

This scenario could be avoided if s.d.o would authenticate itself.
Is authentication of the server something which has been considered
with secure apt? Even if you mirror all of s.d.o you still do not
have its certificates.

--
Rudolf Lohner  -  Universitaet Karlsruhe (TH)
Rechenzentrum,  Zirkel 2,   D-76128 Karlsruhe
Phone: +49-721-608-6958,   Fax: +49-721-32550
E-Mail:     [hidden email]
http://www.rz.uni-karlsruhe.de/~Rudolf.Lohner




Re: Bad press again...

martin f krafft
thus spoke Rudolf Lohner <[hidden email]> [2005.08.27.1651 +0200]:
> This scenario could be avoided if s.d.o would authenticate itself.
> Is authentication of the server something which has been considered
> with secure apt?

I've suggested this before but never had the time to implement it.
Patches are welcome. :)

Of course you'll have to add SSL support to security.debian.org as
well, which may be the actual show stopper.

FWIW, Florian sent me this interesting link:
  http://www.cs.berkeley.edu/~nweaver/0wn2.html

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"we all know linux is great...
 it does infinite loops in 5 seconds."
                                                     -- linus torvalds


Re: Bad press again...

Florian Weimer
In reply to this post by Petter Reinholdtsen
* Petter Reinholdtsen:

> The count of open security issues in stable and oldstable is probably
> a better measuring meter, and it does not look too good.

Security support is a task for Debian as a whole, not just the
security team.  IMHO, the main role of the security team is
information sharing, risk assessment, and quality assurance for
security updates.  The team should act as a trusted point of contact,
forward information from external sources to the relevant developers
(in many cases this is possible, even if the information is considered
sensitive), and respond to security-related questions, both from
inside the project and external entities.  The team should have the
final say in what can go into the archive as a security update, after
it has weighed the security threat against the general risk of any
change to the stable distribution.  It's also necessary for the team
to review all security updates, to deal with the Single Point of
Ownership problem.  Even if all Debian developers are trustworthy,
some of their machines might be compromised, or they simply make
mistakes.

The security team has access to the privileged information which might be
helpful while preparing security updates, true, but in most cases,
after the issue has been disclosed to some extent (because upstream
has issued an update, for example), their head start is gone.
Nevertheless, there seems to be a general tendency among Debian developers
that security updates for stable are the job of the security team.  In
my eyes, this is the root of the problem.  The security team shouldn't
spend their time on package maintenance, that's what maintainers are
for.




Re: Bad press again...

Florian Weimer
In reply to this post by Henrique de Moraes Holschuh
* Henrique de Moraes Holschuh:

> On Sat, 27 Aug 2005, Florian Weimer wrote:
>> * martin f. krafft:
>> > I think Alvin was alluding to how it *should* be solved. As in: we
>> > should have more than one security server, globally spaced.
>>
>> security.debian.org already is a Single Point of Ownership.  I don't
>> think we need multiple ones, so this is definitely a post-etch thing.
>
> Irrelevant if secure apt is deployed correctly.

Yes, that's why it is a post-etch thing, realistically speaking.




Re: Bad press again...

Florian Weimer
In reply to this post by martin f krafft
* martin f. krafft:

> also sprach Henrique de Moraes Holschuh <[hidden email]> [2005.08.27.1540 +0200]:
>> > security.debian.org already is a Single Point of Ownership.  I don't
>> > think we need multiple ones, so this is definitely a post-etch thing.
>>
>> Irrelevant if secure apt is deployed correctly.
>
> No. Imagine exim gets a root exploit and I spoof the DNS to some
> mirror of s.d.o. That mirror will be consistent wrt secure APT, but
> it won't get updates, so admins who don't follow DSAs and run
> apt-get upgrade consciously and carefully are going to be left in
> the naive belief that they are safe because s.d.o doesn't have any
> new stuff.

You can address this with timestamp signatures, but I doubt it is
worth the complexity.  A prerequisite would be replacing pool.ntp.org
and providing our own secure time source, and this is probably not
something we want to do.




Re: Bad press again...

Henrique de Moraes Holschuh
In reply to this post by martin f krafft
Hi martin!

On Sat, 27 Aug 2005, martin f krafft wrote:

> also sprach Henrique de Moraes Holschuh <[hidden email]> [2005.08.27.1540 +0200]:
> > > security.debian.org already is a Single Point of Ownership.  I don't
> > > think we need multiple ones, so this is definitely a post-etch thing.
> >
> > Irrelevant if secure apt is deployed correctly.
>
> No. Imagine exim gets a root exploit and I spoof the DNS to some

Yes. Deployed correctly means you require time stamping, and you check it
for undue values. Anyone who can connect to mirrors can connect to SNTP
servers, so "what about people with bad clocks" doesn't hold as an excuse.

No, apt does not have all this functionality yet, but it is not difficult to
add it for etch.

For this to work, you need a master s.d.o mirror, and automatic signing (so
that you can keep the timestamping as low as a few hours).  This gives you a
mirror network, with the same single "owning" point of failure we have right
now.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh




Re: Bad press again...

Florian Weimer
In reply to this post by martin f krafft
* martin f. krafft:

> FWIW, Florian sent me this interesting link:
>   http://www.cs.berkeley.edu/~nweaver/0wn2.html

This was only intended as an explanation of the term "single point
of ownership".  I don't agree with Nicholas Weaver's analysis.




Re: Bad press again...

martin f krafft
In reply to this post by Florian Weimer
thus spoke Florian Weimer <[hidden email]> [2005.08.27.1648 +0200]:
> Correct me if I'm wrong, but the current team doesn't seem to want
> new members.  If you nevertheless force new members upon them, you
> are in fact looking for a complete replacement.  This is what
> I call "drastic".

When a bottleneck arises, you either widen the neck or remove that
which clogs the passage. Neither is more drastic than the other for
they are not alternatives; each is a solution to its own set of
problems, and if the current team blocks new members and yet does
not meet the general expectations of our users, it's essentially
more of a clog than a bottleneck.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
gentoo: the performance placebo.


Re: Bad press again...

Henrique de Moraes Holschuh
In reply to this post by Henrique de Moraes Holschuh
On Sat, 27 Aug 2005, Henrique de Moraes Holschuh wrote:
> For this to work, you need a master s.d.o mirror, and automatic signing (so
> that you can keep the timestamping as low as a few hours).  This gives you a
> mirror network, with the same single "owning" point of failure we have right
> now.

Add to it requiring messages to have more than one signature, so that the
sec. team remains the single one point of failure for .deb injection.

The point about secure time keeping is a good one, and the perfect solution
(an authenticated ntp server) ain't doable.  So, we'd have to rely on the
user being capable of keeping his clock accurate and noticing if it is off
by too much with some prompting by apt.  Not a perfect solution at all :(

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
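Henrique's two posts above sketch what "deployed correctly" would mean for a mirror network: signed metadata carrying a timestamp and a short validity window, checked by the client against its own clock, plus a requirement for more than one signature so that a single compromised signer cannot inject packages. The Python below is an added example illustrating that design; it is not code from apt or from anyone in the thread. It assumes constructed signer keys, an HMAC stand-in for the OpenPGP signatures, a Release-style body with `Date` and `Valid-Until` fields, and a fixed `now` so the results are reproducible.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed signer secrets: a stand-in for the security team's OpenPGP keys.
TRUSTED_KEYS = {
    "signer-a": b"constructed-key-a",
    "signer-b": b"constructed-key-b",
    "signer-c": b"constructed-key-c",
}
MIN_SIGNATURES = 2                  # "more than one signature" per release
MAX_AGE = timedelta(hours=6)        # automatic signing keeps the window short
CLOCK_SKEW = timedelta(minutes=30)  # beyond this we suspect the local clock
FMT = "%Y-%m-%d %H:%M:%S"


def parse_release(text):
    """Parse 'Key: value' lines of a Release-style body into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def sign(body, signer):
    """HMAC over the body with the signer's key (stand-in for a PGP signature)."""
    return hmac.new(TRUSTED_KEYS[signer], body.encode(), hashlib.sha256).hexdigest()


def verify_release(body, signatures, now):
    """Return (ok, reason). `signatures` maps signer name -> hex digest."""
    valid = {s for s, sig in signatures.items()
             if s in TRUSTED_KEYS and hmac.compare_digest(sign(body, s), sig)}
    if len(valid) < MIN_SIGNATURES:
        return False, "need %d valid signatures, got %d" % (MIN_SIGNATURES, len(valid))
    fields = parse_release(body)
    date = datetime.strptime(fields["Date"], FMT).replace(tzinfo=timezone.utc)
    until = datetime.strptime(fields["Valid-Until"], FMT).replace(tzinfo=timezone.utc)
    if date - now > CLOCK_SKEW:
        # Metadata signed "in the future": the user's clock is probably off.
        return False, "Date is in the future: check the local clock"
    if now > until:
        # A mirror that stopped syncing (or a replayed copy) fails here.
        return False, "metadata expired: mirror stale or replayed"
    return True, "fresh and signed by %s" % ", ".join(sorted(valid))


def make_release(signed_at):
    """Build the body the master signer would publish (constructed data)."""
    return "\n".join([
        "Suite: stable",
        "Date: " + signed_at.strftime(FMT),
        "Valid-Until: " + (signed_at + MAX_AGE).strftime(FMT),
        "SHA256: 0123456789abcdef  Packages",  # placeholder digest line
    ])


def demo():
    """Run the four scenarios the thread discusses and return their verdicts."""
    now = datetime(2005, 8, 27, 18, 0, tzinfo=timezone.utc)
    fresh = make_release(now - timedelta(hours=1))
    stale = make_release(now - timedelta(days=3))     # frozen mirror
    future = make_release(now + timedelta(hours=2))   # client clock behind
    two = ("signer-a", "signer-b")
    return {
        "fresh, two signers": verify_release(fresh, {s: sign(fresh, s) for s in two}, now),
        "stale, two signers": verify_release(stale, {s: sign(stale, s) for s in two}, now),
        "fresh, one signer": verify_release(fresh, {"signer-a": sign(fresh, "signer-a")}, now),
        "future date": verify_release(future, {s: sign(future, s) for s in two}, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-20s %s: %s" % (name, "OK " if ok else "REJECT", reason))
```

The stale case is exactly the frozen-mirror scenario martin describes, and the future-date case is the "bad clock" caveat: the client refuses rather than silently trusting whichever of the two is wrong.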




Re: Bad press again...

Henrique de Moraes Holschuh
In reply to this post by Florian Weimer
On Sat, 27 Aug 2005, Florian Weimer wrote:

> * Henrique de Moraes Holschuh:
> > On Sat, 27 Aug 2005, Florian Weimer wrote:
> >> I don't think so.  Joey seems to be satisfied with this situation, and
> >> apart from unanswered email messages to <[hidden email]>, there
> >> are few complaints, AFAIK.  The email part is very unfortunate indeed,
> >> but it probably doesn't warrant drastic measures.
> >
> > Since when increasing the stable security team (i.e. adding more
> > people) is a drastic measure?
>
> Correct me if I'm wrong, but the current team doesn't seem to want new
> members.  If you nevertheless force new members upon them, you are in

Huh? They probably do, for all I know. Whether they have people they trust
for the job right now is something else, though.  We can probably expect
that some people will be promoted from the testing security team to the
stable one in a reasonable timeframe (some months) without much fuss.

As for doing it over the current stable security team's wishes, I am not
advocating that AT ALL.  That would be a drastic measure indeed.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh




Re: Bad press again...

martin f krafft
thus spoke Henrique de Moraes Holschuh <[hidden email]> [2005.08.27.1720 +0200]:
> Huh? They probably do, for all I know. Whether they have people
> they trust for the job right now is something else, though.  We
> can probably expect

It's hard to tell for the requirements are not publicly available.
This means that it's impossible for anyone to actually work towards
the goal of helping the stable security team.

> that some people will be promoted from the testing security team
> to the stable one in a reasonable timeframe (some months) without
> much fuss.

Some months is not a reasonable time frame for something like
security; every additional day hurts the project reputation severely,
at least here in Germany and Switzerland. I have clients (one of
which is a major German bank) voicing their concerns and considering
switching away from Debian to Solaris because of the security
fiascos.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
there are only 10 types of people in the world:
those who understand binary and those who don't.


Re: Bad press again...

Henrique de Moraes Holschuh
On Sat, 27 Aug 2005, martin f krafft wrote:
> security; ever additional day hurts the project reputation severely,
> at least here in Germany and Switzerland. I have clients (one of
> which is a major German bank) voicing their concerns and considering
> switching away from Debian to Solaris because of the security
> fiascos.

Show how much they know about Solaris security.  Still, why don't you drop
by IRC and try to talk to Branden and Joey?

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh




Re: Bad press again...

martin f krafft
thus spoke Henrique de Moraes Holschuh <[hidden email]> [2005.08.27.2019 +0200]:
> Show how much they know about Solaris security.  Still, why don't you drop
> by IRC and try to talk to Branden and Joey?

Branden is offline, and Joey can't be bothered to talk about this
stuff with me, it seems. He's never replied to mails or pings from
me about this stuff.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
/.ing an issue is like asking an infinite number of monkeys for advice
                                                   -- in #debian-devel


Re: Bad press again...

martin f krafft
In reply to this post by Florian Weimer
thus spoke Florian Weimer <[hidden email]> [2005.08.27.1107 +0200]:
> > Do we have a security team for stable?  I know, that we have a
> > security team for testing consisting of nine DDs and ten
> > non-DDs, but it seems to me, that stable is handled by Joey
> > alone.  Has this changed since the havoc a few months ago?
>
> I don't think so.  Joey seems to be satisfied with this situation,

How would you know?
And I don't think the question is whether Joey is satisfied, it's
more whether our users are satisfied, and that includes all of us.

> and apart from unanswered email messages to <[hidden email]>,
> there are few complaints, AFAIK.

That's because complaints don't actually have any result, so I, for
instance, have stopped. I've pointed to severe problems with Debian
stable security several times before and usually got around 30
private messages a day thanking me for raising these issues and for
staying on track. I don't think Joey found it necessary just
a single time to articulate a position on the issue of e.g. the
three week outage in the security team throughout June.

The final announcement that was sent was not authored by Joey, but
by other DDs who were similarly concerned.

Now we've had another issue of problems with s.d.o, but we had to
learn about them from Heise.

Following the debate around LinuxTag, Branden put a trusted and very
active and skilled developer on the task to research the security
problems. Unfortunately, he has not been able to get far with this
job yet, probably due to numerous reasons. If Branden reads this
(and he should as it's CC'd), I hope he does something about the
situation, not by putting pressure on the researcher, but by
actually causing some change.

> The email part is very unfortunate indeed, but it probably doesn't
> warrant drastic measures.

Not if we want Debian to become known as an amateur club and lose
value among professionals. And yeah, clients switching to Solaris may
tell something about their understanding of security... but then
isn't it all the more important for Debian to get it right and help
protect those that don't know better?

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
will kill for oil!


Re: Bad press again...

Petter Reinholdtsen
In reply to this post by Florian Weimer

[Florian Weimer]
> Correct me if I'm wrong, but the current team doesn't seem to want
> new members.

I've been told that the current stable security team consists of one
person doing the work, Martin Schulze.  If this "team" does not want new
members, something strange is afoot.

And prospective security team members should start working in the
testing security team.  There is no need to keep secrets (all is done
in public), and enough work for several people (just check out
<URL:http://spohr.debian.org/~joeyh/testing-security.html> :), and it
is a good place to demonstrate one's capacity in this area. :)

  Total holes unfixed: 93
  Total holes fixed in unstable but not testing: 135 (+3 on some arches)
  Total number of kernel image packages not up to date: 0
  Number of TODO lines in records: 153




Re: Bad press again...

martin f krafft
thus spoke Petter Reinholdtsen <[hidden email]> [2005.08.27.2255 +0200]:
> I've been told that the current stable security team consist of one
> person doing the work, Martin Schulze.  If this "team" do not want new
> members, something strange is afoot.

At least one other member is working actively. However, uploads and
announcements still have to go through Joey, and from what I learnt,
the workflow processes in the team are archaic yet Joey doesn't want
to divert from them.

Note: this is all hearsay and may well be wrong. I'd love for Joey
to step in and give us the complete picture.

> And prospective security team members should start working in the
> testing security team.  There are no need to keep secrets (all is done
> in public),

Which doesn't address the problem that embargoed bugs are possibly
handled suboptimally in Debian.

And it does not address the problem that our security infrastructure
went down for a while and we found out about it from a German news
magazine.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"be the change you want to see in the world"
                                                     -- mahatma gandhi


Re: Bad press again...

Petter Reinholdtsen

[Martin F Krafft]

>> And prospective security team members should start working in the
>> testing security team.  There are no need to keep secrets (all is done
>> in public),
>
> Which doesn't address the problem that embargoed bugs are possibly
> handled suboptimally in Debian.
>
> And it does not address the problem that our security infrastructure
> went down for a while and we found out about it from a German news
> magazine.

True, it does not address those problems, and we should try to address
them.  But it does address other related problems, and we will be a
lot better off if all the _public_ security issues in Debian were
solved, and having a proven security framework for testing and
unstable might make it easier to adjust the framework used for stable
to make it better.  If all the public issues are solved, I believe it
is easier to address the handling of non-public ones.

In short, I see no downsides to helping out the testing security team
while we at the same time try to address the issues with stable
security work.




Re: Bad press again...

martin f krafft
thus spoke Petter Reinholdtsen <[hidden email]> [2005.08.28.0025 +0200]:
> In short, I see no downsides to helping out the testing security team
> while we at the same time try to address the issues with stable
> security work.

I was not trying to suggest so. The testing security team is a true
asset and a keystone in the future of Debian security.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"if you are going to run a rinky-dink distro made by a couple of
 volunteers, why not run a rinky-dink distro made by a lot of
 volunteers?"
                                                    -- jaldhar h. vyas
