Bad press again...


Re: Bad press again...

Florian Weimer
* martin f. krafft:

>> I don't think so.  Joey seems to be satisfied with this situation,
>
> How would you know?

Joey doesn't ignore all mail, only some of it.

> That's because complaints don't actually have any result, so I, for
> instance, have stopped. I've pointed to severe problems with Debian
> stable security

We have problems, sure, but to me, it seems that these mainly come
from the impression that the real package maintainers think security
work has special trust requirements and is restricted to the security
team.

Or are there many packages with backported security patches, ready for
upload, and the security team does not act on them?  I don't think so.
Instead, I frequently encountered maintainers who eagerly closed
security bugs even though they were still unfixed in oldstable or even
stable. [*]

The main shortcoming in the area of the security team is lack of
documentation of bug fixing policies.  Obviously, we don't have full
security support in place for packages that have long been abandoned by
upstream for some classes of bugs (BIND 8, for example) or have
principal issues which can't be fixed reliably at reasonable cost
(PHP).  This must be communicated to our users, and this seems to be a
difficult thing to do in the current situation.

> I don't think Joey found it necessary just a single time to
> articulate a position on the issue of e.g. the three week outage in
> the security team throughout June.
>
> The final announcement that was sent was not authored by Joey, but
> by other DDs who were similarly concerned.

I wouldn't read too much into that.  To some extent, the security team
is just a client of Debian's infrastructure.  The lack of transparency
makes it very hard to analyze failures and put blame on certain
individuals or groups of people.

> Now we've had another issue of problems with s.d.o, but we had to
> learn about them from Heise.

Maybe that's because it was a non-issue which didn't affect anyone? 8-)


[*] In the past, this was a side effect of how package uploads
interact with the BTS.  Perhaps version tracking has improved this?


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: Bad press again...

Florian Weimer
In reply to this post by Petter Reinholdtsen
* Petter Reinholdtsen:

> [Florian Weimer]
>> Correct me if I'm wrong, but the current team doesn't seem to want
>> new members.
>
> I've been told that the current stable security team consist of one
> person doing the work, Martin Schulze.  If this "team" do not want new
> members, something strange is afoot.

As far as I know, this is basically correct.  And I don't understand
what's going on, either.

> And prospective security team members should start working in the
> testing security team.

But this doesn't qualify for interaction with vulnerability sharing
clubs, documenting security policies, or responding to user enquiries.
These seem to be the areas that are particularly lacking right now.
Package maintenance is certainly important, but this has always been
one of Debian's strengths.



Re: Bad press again...

martin f krafft
In reply to this post by Florian Weimer
Thus spoke Florian Weimer <[hidden email]> [2005.08.28.1154 +0200]:
> Or are there many packages with backported security patches, ready
> for upload, and the security team does not act on them?  I don't
> think so.

This was the case throughout June.

> Maybe that's because it was a non-issue which didn't affect anyone? 8-)

Maybe this s.d.o downtime was, as it appears to have lasted very
shortly anyway. However, in June/July, it was the same scenario...
our users found out from the media about lack of security support,
not from us.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"he gave me his card
 he said, 'call me if they die'
 i shook his hand and said goodbye
 ran out to the street
 when a bowling ball came down the road
 and knocked me off my feet"
                                                        -- bob dylan


Re: Bad press again...

Florian Weimer
* martin f. krafft:

> Thus spoke Florian Weimer <[hidden email]> [2005.08.28.1154 +0200]:
>> Or are there many packages with backported security patches, ready
>> for upload, and the security team does not act on them?  I don't
>> think so.
>
> This was the case throughout June.

AFAIK, you can only blame the security team for lack of communication.
They were ready to upload the packages, but the infrastructure to
process them wasn't working.



Re: Bad press again...

Alvin Oga


On Sun, 28 Aug 2005, Florian Weimer wrote:

> AFAIK, you can only blame the security team for lack of communication.

nah ... they're doing fine .. to the extent it is needed ??

if it's important... they will post dsa ??

> They were ready to upload the packages, but the infrastructure to
> process them wasn't working.

yup

it seems most of the who/what/when/where/why of the infrastructure
is a separate issue from "security"

what i think is needed is an automated script that checks
debian against known exploits or a way to verify that
the exploits/vulnerability does not affect debian

        - both are non-trivial tasks and need lots of presumably
        automated testing and time
 
c ya
alvin



Re: Bad press again...

martin f krafft
Thus spoke Alvin Oga <[hidden email]> [2005.08.28.1328 +0200]:
> nah ... they're doing fine .. to the extent is needed ??
> if it's important... they will post dsa ??

Where have you been?

> what i think is needed is an automated script that checks
> debian against known exploits or a way to verify that
> the exploits/vulnerability does not affect debian

This has been done.

  http://spohr.debian.org/~joeyh/stable-security.html
  http://spohr.debian.org/~joeyh/testing-security.html

That doesn't mean the stable security team uses this information.
From what I know, Joey prefers editing text files and expects others
to do the same.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"on the other hand, with the advent of msvc 5, i can claim i use
 emacs because it's smaller and more efficient." :-)"
                                                    -- darin johnson

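The automated check Alvin asks for, and the stable-security/testing-security pages martin points at, both come down to comparing the package versions installed on a host against a table of "first fixed in" versions. As an added example that is not code from this thread, from Debian's own tooling, or from the joeyh pages (whose format is not reproduced here), the following Python reimplements dpkg's version-comparison rules (epoch, then upstream version, then Debian revision; "~" sorting before everything, letters before other characters, digit runs compared numerically) and runs them over a constructed dpkg-query listing and a constructed fixed-version table. The only identifier taken from the thread is bug #318946; the package versions, the "ADV-n" references and the shorewall fixed revision are assumptions made for the example.

```python
"""Installed Debian package versions vs. a fixed-version table.

Added example, not code from the thread or from Debian's tooling. It
reimplements dpkg's version comparison (deb-version(7)): epoch, then
upstream, then revision; '~' sorts before everything, letters before
other characters, and digit runs compare numerically.
"""


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """Weight of one character in a non-digit segment (dpkg's order())."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before even end-of-string
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version parts the way dpkg's verrevcmp() does."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # non-digit segment, character by character
        while (i < la and not _isdigit(a[i])) or (j < lb and not _isdigit(b[j])):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit segment: drop leading zeros; longer run wins, else first diff
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and _isdigit(a[i]) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and _isdigit(a[i]):
            return 1
        if j < lb and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
DPKG_QUERY_OUTPUT = """\
shorewall 2.2.3-1
bind9 1:9.2.4-1
php4 4:4.3.10-16
openssl 0.9.7e-3
"""

# Constructed table of (package, reference, first fixed version). The
# shorewall row carries the bug number from the thread; its fixed revision
# and every other row are assumptions made for this example.
FIXED_VERSIONS = [
    ("shorewall", "#318946", "2.2.3-2"),
    ("bind9", "ADV-1", "1:9.2.4-1"),
    ("php4", "ADV-2", "4:4.3.10-17"),
    ("openssl", "ADV-3", "0.9.7e-3"),
    ("apache2", "ADV-4", "2.0.54-5"),
]


def affected_packages(listing, table):
    """(package, installed, reference, fixed) for each installed package
    whose version is older than the first fixed version."""
    installed = dict(line.split() for line in listing.splitlines() if line.strip())
    hits = []
    for pkg, ref, fixed in table:
        cur = installed.get(pkg)
        if cur is not None and compare_versions(cur, fixed) < 0:
            hits.append((pkg, cur, ref, fixed))
    return hits
```

On a real host the listing would come from `dpkg-query -W -f='${Package} ${Version}\n'`, and a package that is not installed is simply not affected. What the script cannot tell you is the half of Alvin's request that the thread is really about: whether a vulnerability applies to Debian's build of a package at all, which still needs a human reading the advisory against the packaged source.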

Re: Bad press again...

Paul Gear
In reply to this post by Alvin Oga
Alvin Oga wrote:

>
> On Sun, 28 Aug 2005, Florian Weimer wrote:
>
>
>>AFAIK, you can only blame the security team for lack of communication.
>
>
> nah ... they're doing fine .. to the extent is needed ??
>
> if it's important... they will post dsa ??
There certainly have been exceptions to that rule.  The maintainer of
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue it.  (I don't understand this - how can
Joey even *try* to understand every security bug?)  Repeated attempts to
communicate this have been met with silence.

--
Paul
<http://paulgear.webhop.net>
--
Did you know?  Email addresses can be forged easily.  This message is
signed with GNU Privacy Guard <http://www.gnupg.org> and Enigmail
<http://enigmail.mozdev.org> so you can be sure it comes from me.


Re: Bad press again...

Michael Stone
On Mon, Aug 29, 2005 at 07:40:23AM +1000, Paul Gear wrote:
>There certainly have been exceptions to that rule.  The maintainer of
>shorewall has been trying for weeks to get a DSA issued about a
>vulnerability, and it seems we have to convince Joey that it *is* a
>vulnerability before he'll issue it.  (I don't understand this - how can
>Joey even *try* to understand every security bug?)  Repeated attempts to
>communicate this have been met with silence.

I disagree that convincing the security team of the severity of a bug is
unreasonable. I also disagree with the characterization that much effort
has been put into describing the bug.

Mike Stone



Re: Bad press again...

Goswin von Brederlow
In reply to this post by Paul Gear
Paul Gear <[hidden email]> writes:

> Alvin Oga wrote:
>>
>> On Sun, 28 Aug 2005, Florian Weimer wrote:
>>
>>
>>>AFAIK, you can only blame the security team for lack of communication.
>>
>>
>> nah ... they're doing fine .. to the extent is needed ??
>>
>> if it's important... they will post dsa ??
>
> There certainly have been exceptions to that rule.  The maintainer of
> shorewall has been trying for weeks to get a DSA issued about a
> vulnerability, and it seems we have to convince Joey that it *is* a
> vulnerability before he'll issue it.  (I don't understand this - how can
> Joey even *try* to understand every security bug?)  Repeated attempts to
> communicate this have been met with silence.

Think about this: How else can he judge the bug is fixed or not?

Kind regards
        Goswin



Re: Bad press again...

Jan Luehr
In reply to this post by Ralph Katz
Greetings,

On Friday, 26 August 2005 01:57, Ralph Katz wrote:

> On 08/25/2005 06:10 PM, Stefan Fritsch wrote:
> >>> Do they have some monitoring script? Or some monitoring people?
> >>> (Might be interesting to know who: [disgruntled users? the
> >>> competition?])
> >
> > cron-apt will send you a mail.
> >
> > Aug 25 05:16:31 xxx cron-apt: Failed to fetch
> > http://security.debian.org/debian-security/dists/sarge/updates/main/binary-i386/Packages.gz
> > Could not connect to security.debian.org:80 (194.109.137.218),
> > connection timed out
> >
> > Cheers,
> > Stefan
>
> Don't blame the press.
>
> It's not a "bad press" problem.  Rather, as Alvin suggests, the problem
> is closer to home.
I don't blame the press -
Looking from the debian point of view, the press is bad for us.

Keep smiling
yanosz



Re: Bad press again...

Florian Weimer
In reply to this post by Paul Gear
* Paul Gear:

> There certainly have been exceptions to that rule.  The maintainer of
> shorewall has been trying for weeks to get a DSA issued about a
> vulnerability, and it seems we have to convince Joey that it *is* a
> vulnerability before he'll issue it.  

Is this #318946?  This one is tagged sarge, but it's been closed by
Joey Hess, but probably for testing only.

> (I don't understand this - how can Joey even *try* to understand
> every security bug?)

Part of "stable" means avoiding unnecessary and potentially harmful
changes.  Clear policies could help to avoid such misunderstandings.



Re: Bad press again...

Alvin Oga
In reply to this post by Paul Gear


On Mon, 29 Aug 2005, Paul Gear wrote:

> > if it's important... they will post dsa ??
>
> There certainly have been exceptions to that rule.  The maintainer of

there will always be exceptions ...

> shorewall has been trying for weeks to get a DSA issued about a
> vulnerability, and it seems we have to convince Joey that it *is* a
> vulnerability before he'll issue it.  (I don't understand this - how can
> Joey even *try* to understand every security bug?)  Repeated attempts to
> communicate this have been met with silence.

if the originating authors thought xx was a security problem,
they'd fix it

i doubt security problems are fixed by 3rd parties and released as
patches to the original w/o saying it is a 3rd party patch vs
fixed at the originating source

joey and crew can't possibly examine, review, fix, verify all bugs
no matter how good of an expert security coder they were

----

"(security) bug fix day" is a good way to get the team together to address
bug reports and verify/fix/confirm it

----

if "debian" didn't fix "xxx" to the degree needed, most other people
have created their own distro to address those issue instead
of "pointing fingers" with the expectations of: "please fix this for me"

----

we apply my own patches and methodology above/on-top of what debian offers
to keep things up to par with our "sanity requirement levels"

c ya
alvin




Re: Bad press again...

Paul Gear
In reply to this post by Goswin von Brederlow
Goswin von Brederlow wrote:

> ...
>>There certainly have been exceptions to that rule.  The maintainer of
>>shorewall has been trying for weeks to get a DSA issued about a
>>vulnerability, and it seems we have to convince Joey that it *is* a
>>vulnerability before he'll issue it.  (I don't understand this - how can
>>Joey even *try* to understand every security bug?)  Repeated attempts to
>>communicate this have been met with silence.
>
>
> Think about this: How else can he judge the bug is fixed or not?
My point was that it's impossible for one person to understand every
security bug in Debian and test that each one is indeed fixed.  In my
opinion, questioning whether there really is a vulnerability is both
arrogant and counter-productive.

--
Paul
<http://paulgear.webhop.net>
--
Did you know?  Using HTML email rather than plain text is less
efficient, taking anywhere from 2 to 20 times longer to download, and a
corresponding amount more space on disk.  Learn more about using email
efficiently at <http://www.expita.com/nomime.html>.


Re: Bad press again...

Paul Gear
In reply to this post by Alvin Oga
Alvin Oga wrote:

> ...
>>shorewall has been trying for weeks to get a DSA issued about a
>>vulnerability, and it seems we have to convince Joey that it *is* a
>>vulnerability before he'll issue it.  (I don't understand this - how can
>>Joey even *try* to understand every security bug?)  Repeated attempts to
>>communicate this have been met with silence.
>
>
> if the originating authors thought xx was a security problem,
> they'd fix it
We did, and issued new stable versions in three different stable
branches.  And put news on the web page.  And notified all of our users.
 And notified the developers who work on the distribution packages.  And
worked with the Debian maintainer to get the Debian security team
informed about it.

> i doubt security problems are fixed by 3rd parties and released as
> patches to the original w/o saying it is a 3rd party patch vs
> fixed at the originating source

What makes you think that this didn't occur?

> joey and crew can't possibly examine, review, fix, verify all bugs
> no matter how good of an expert security coder they were

My point exactly.  Which is why i can't understand why he'd even bother
to question whether there was a vulnerability.

--
Paul
<http://paulgear.webhop.net>
--
Did you know?  Email addresses can be forged easily.  This message is
signed with GNU Privacy Guard <http://www.gnupg.org> and Enigmail
<http://enigmail.mozdev.org> so you can be sure it comes from me.


Re: Bad press again...

Paul Gear
In reply to this post by Florian Weimer
Florian Weimer wrote:

> * Paul Gear:
>
>
>>There certainly have been exceptions to that rule.  The maintainer of
>>shorewall has been trying for weeks to get a DSA issued about a
>>vulnerability, and it seems we have to convince Joey that it *is* a
>>vulnerability before he'll issue it.  
>
>
> Is this #318946?
Correct.

> This one is tagged sarge, but it's been closed by
> Joey Hess, but probably for testing only.

It seems so.  We're not talking about that Joey, though.

I'm not fully aware of the process that needs to be followed with
respect to the BTS.  Is there something more that we need to do to get
the security team to action this bug for sarge?

>>(I don't understand this - how can Joey even *try* to understand
>>every security bug?)
>
>
> Part of "stable" means avoiding unnecessary and potentially harmful
> changes.  Clear policies could help to avoid such misunderstandings.

I don't understand what you mean by that, in the context of this bug and
the lack of a DSA for shorewall.

--
Paul
<http://paulgear.webhop.net>
--
Did you know?  Most email-borne viruses use a false sender address, so
you cannot track down the sender using that address.  Instead, keep your
virus scanning software up-to-date and just delete any suspicious emails
you receive.


Re: Bad press again...

Paul Gear
In reply to this post by Michael Stone-2
Michael Stone wrote:
> ...
>> There certainly have been exceptions to that rule.  The maintainer of
>> shorewall has been trying for weeks to get a DSA issued about a
>> vulnerability, and it seems we have to convince Joey that it *is* a
>> vulnerability before he'll issue it.
> ...
>
> I disagree that convincing the security team of the severity of a bug is
> unreasonable.

I didn't suggest that it was a severe bug (although those who actually
use MAC lists with their firewall might disagree with me there).

Are you suggesting that because it's not a high risk security flaw, it's
still on the "to do" list of the security team, just at lower priority?

> I also disagree with the characterization that much effort
> has been put into describing the bug.

I don't know upon what you're basing your characterization, but i'm
party to at least 3 emails to Joey describing the nature of the bug in
sufficient detail to understand it as a security flaw.  It is not
present in the default configuration of the product, and it doesn't
apply if you don't use MAC lists, but it's still a security vulnerability.

--
Paul
<http://paulgear.webhop.net>
--
Did you know?  Email addresses can be forged easily.  This message is
signed with GNU Privacy Guard <http://www.gnupg.org> and Enigmail
<http://enigmail.mozdev.org> so you can be sure it comes from me.


Re: Bad press again...

Florian Weimer
In reply to this post by Paul Gear
* Paul Gear:

>>>There certainly have been exceptions to that rule.  The maintainer of
>>>shorewall has been trying for weeks to get a DSA issued about a
>>>vulnerability, and it seems we have to convince Joey that it *is* a
>>>vulnerability before he'll issue it.  
>>
>>
>> Is this #318946?
>
> Correct.

There is very little discussion in the bug report.  If this is a
Debian packaging bug, and not an upstream issue, the report should say
so.  If it is an upstream issue, upstream's response should be
included or referenced.

>> This one is tagged sarge, but it's been closed by
>> Joey Hess, but probably for testing only.
>
> It seems so.  We're not talking about that Joey, though.

(I know.)

> I'm not fully aware of the process that needs to be followed with
> respect to the BTS.  Is there something more that we need to do to get
> the security team to action this bug for sarge?

It should remain open while it is under investigation.  You should
send the command "found 318946 2.2.3-1" to <[hidden email]>,
along with an explanation, to keep it open for the sarge version.

>> Part of "stable" means avoiding unnecessary and potentially harmful
>> changes.  Clear policies could help to avoid such misunderstandings.
>
> I don't understand what you mean by that, in the context of this bug
> and the lack of a DSA for shorewall.

As far as I can see, the bug is an unexpected property of a component
which is used to enforce a user-configured security policy.  Maybe
this is the intended behavior, and only the documentation has to be
updated.  IMHO, something should be done about it, probably in the
form of a DSA, but I'm not sure what it should look like.

It is hard to come up with a uniform policy for such cases, but a few
general rules should be stated nevertheless.  For example, I don't
think it's a good idea to add additional safety belts to Debian
packages which aren't integrated upstream because our users might get
used to them and assume that they are available everywhere.



Re: Bad press again...

Michael Stone
In reply to this post by Paul Gear
On Mon, Aug 29, 2005 at 09:53:15PM +1000, Paul Gear wrote:
>Michael Stone wrote:
>> I also disagree with the characterization that much effort
>> has been put into describing the bug.
>
>I don't know upon what you're basing your characterization

I reviewed the security team mail before I responded.

Mike Stone




Re: Bad press again...

Florian Weimer
In reply to this post by Paul Gear
* Paul Gear:

> I don't know upon what you're basing your characterization, but i'm
> party to at least 3 emails to Joey describing the nature of the bug
> in sufficient detail to understand it as a security flaw.

Was this pre- or post-disclosure?  In the latter case, such discussion
should be Cc:ed to the bug report, IMHO.



Re: Bad press again... decisions

Alvin Oga
In reply to this post by Paul Gear

On Mon, 29 Aug 2005, Paul Gear wrote:

... [ prev process/procedure snipped ]
 
> What makes you think that this didn't occur?

sounds like a normal thing .. good

> > joey and crew can't possibly examine, review, fix, verify all bugs
> > no matter how good of an expert security coder they were
>
> My point exactly.  Which is why i can't understand why he'd even bother
> to question whether there was a vulnerability.

what one person or a group might consider high-priority vulnerability may
not be a high-priority vulnerability to another

coders get tons of bug reports from tons of people ..
        - you have to have a process to filter thru all the reports
        and work on them in a productive way ...

eg.... personally, ( it's just me ), i'd throw out all local exploits
        simply because to me, that is a very low priority

        - the most "trivial local exploit" is pull the power cord
        (or the ethernet cable) which is a very very common problem and
        occurrence

        - when the secretary/ceo/cfo comes in at 8am, and finds out
        their pc doesn't work, i don't want that "8am" phone call
        that their pc died overnight ( due to the janitor )
        which is more likely to happen than an outside cracker
        breaking in to become root ( which already is a problem,
        regardless of whether they can become root once they are in,
        the fact that they got in is the problem... not the escalation )

        - it's my view of how to deal with "local exploits" vs
        other security issues, policy, procedures, process,
        verification, bug fixes, manpower, budgets, etc, etc, etc

        - security to me is: "can the cfo/ceo/theBoss keep working"
        while the security crew is sleeping or in meetings

- there's probably 1,000 reported pending vulnerabilities each day...
        ( wild guess at some crazy numbers to deal with daily )

        - prioritize it somehow, and unfortunately, some prioritization
        will include how thorough the vulnerability and example
        exploit code is and who reported it

- none of this is a "debian security issue" or "joey-n-crew"

c ya
alvin

