Daniel A. Avelino | 26 Aug 2011 19:18

Re: No GLSA since January?!?

Alex.

Maybe a more "intense" call for volunteers could improve the manpower. This could be an
easier starting point to address, no?
I also work in some [smaller] security processes and can figure out what kind of work you are talking about.

As Kauhaus pointed out, maybe some things should be automated, but again, this is a hard job to
implement and to keep the results trustworthy.

I started following this list recently and do not yet know how
work flows are handled here, but maybe this could be a good place to start a review of the GLSA processes. What
do you think about this?


Regards,


Daniel A. Avelino

I thought it's time

On Fri, Aug 26, 2011 at 1:57 PM, JD Horelick <jdhore1 <at> gmail.com> wrote:
On 26 August 2011 12:43, Christoph Jasinski <Krzysiek <at> gmx.net> wrote:
> Dear Christian
>
> Everything is secure. No reason to write GLSAs or to panic. ;)
>
>
> Chris
>
> Am 26.08.2011 um 18:12 schrieb Christian Kauhaus:
>
>> Hi,
>>
>> I'm wondering that my favorite Linux distro hasn't had any security announcements since January. In my opinion this is really problematic. At our company we try to convince prospective customers to host their applications on our Gentoo servers. When asked about security incident handling, I have to say: "They state 'Security is a primary focus' on their website, but they don't inform their users." Not very convincing.
>>
>> So what is the roadblock that hinders GLSA creation? Is there any way to get the GLSAs into working order again?
>>
>> Regards
>>
>> Christian
>>
>> --
>> Dipl.-Inf. Christian Kauhaus <>< · kc <at> gocept.com · systems administration
>> gocept gmbh & co. kg · forsterstraße 29 · 06112 halle (saale) · germany
>> http://gocept.com · tel +49 345 1229889 11 · fax +49 345 1229889 1
>> Zope and Plone consulting and development
>>
>
>
>

I'm sorry, but I disagree with that. I've been an (unofficial) x86
Archtester for only 2 weeks or so and since then, I've seen more than
a few stabilizations needed to address security issues. Also, I've
noticed this same problem of not seeing many/any GLSAs in recent
history. As an example, in the past month, Debian has had 13 security
advisories. I personally doubt that we (Gentoo) don't have to worry
about ANY of those 13 advisories...


Alex Legler | 26 Aug 2011 19:57

Re: No GLSA since January?!?

On Friday 26 August 2011 14:18:20 Daniel A. Avelino wrote:
> Alex.
> 
> Maybe a more "intense" call for volunteers could improve the manpower. This
> could be an easier starting point to address, no?

Well, the staffing needs page IS the point for making such calls. It's not 
that we haven't had people contacting us about helping, it's that they usually 
disappear shortly after that again after they've seen the tasks at hand.

> I also work in some [smaller] security processes and can figure out what kind
> of work you are talking about.
> 
> As Kauhaus pointed out, maybe some things should be automated, but again, this is
> a hard job to implement and to keep the results trustworthy.
> 

Automation is a key thing I've been introducing in the new tools and processes 
for sending advisories.
I'd rather not focus on a temporary automated system however, knowing that 
we're about to get back to the/near the status quo.

> I started following this list recently and do not yet know how
> work flows are handled here, but maybe this could be a good place to
> start a review of the GLSA processes. What
> do you think about this?

You can find the relevant info on our websites [1]

The thing is, the basic idea cannot be changed. We will always have a flow 
issue -> bug -> fix -> stabling -> advisory.

Specifically, the current goal is to have the advisory drafting start 
earlier and to use the information we've already entered into our bugzilla and 
CVE tracker in a much more integrated way. It's a bit hard to explain, you'd 
best see for yourself (by joining us of course! ;)). 

Alex

[1] http://www.gentoo.org/proj/en/security/

-- 
Alex Legler <a3li <at> gentoo.org>
Gentoo Security / Ruby
Daniel A. Avelino | 26 Aug 2011 20:22

Re: No GLSA since January?!?



On Fri, Aug 26, 2011 at 2:57 PM, Alex Legler <a3li <at> gentoo.org> wrote:
On Friday 26 August 2011 14:18:20 Daniel A. Avelino wrote:
> Alex.
>
> Maybe a more "intense" call for volunteers could improve the manpower. This
> could be an easier starting point to address, no?

Well, the staffing needs page IS the point for making such calls. It's not
that we haven't had people contacting us about helping, it's that they usually
disappear shortly after that again after they've seen the tasks at hand.

I know how it works!
 
> I also work in some [smaller] security processes and can figure out what kind
> of work you are talking about.
>
> As Kauhaus pointed out, maybe some things should be automated, but again, this is
> a hard job to implement and to keep the results trustworthy.
>

Automation is a key thing I've been introducing in the new tools and processes
for sending advisories.
I'd rather not focus on a temporary automated system however, knowing that
we're about to get back to the/near the status quo.

When I think about automation, I have in mind something that could help developers find
vulnerabilities faster [searching and cross-checking against CVE, for example] and start a
"call for solution" process. I work with solutions of this type for web vulnerability discovery,
and some tools are very interesting for reducing the correction time.

By the way, I will start to read about what a Padawan should know instead of
making speculations prematurely. :D
 
Thank you very much for the explanations.

Daniel A. Avelino
Alex Legler | 26 Aug 2011 20:44

Re: No GLSA since January?!?

On Friday 26 August 2011 15:22:40 Daniel A. Avelino wrote:
> When I think about automation, I have in mind something that could help
> developers find
> vulnerabilities faster [searching and cross-checking against CVE, for
> example] and start a
> "call for solution" process. I work with solutions of this type for web
> vulnerability discovery,
> and some tools are very interesting for reducing the correction time.
> 
> 

We already use CVE as one of our sources of vulnerability intelligence. 
Finding issues is also not the real issue here.
Also, actual issue correction is not our job, it's the responsibility of the 
package maintainer.

Can you share details about the utilities you are using?

Alex

-- 
Alex Legler <a3li <at> gentoo.org>
Gentoo Security / Ruby
Daniel A. Avelino | 26 Aug 2011 21:27

Re: No GLSA since January?!?

Alex.

For web vulnerability discovery, one of the most important tools to us is Nessus, to
search and cross-check against the CVE database. Sometimes Nessus finds
vulnerable packages on our Gentoo boxes, and when we go to emerge -UDN them,
the updated version is not there, even when the fixes are available [in other distros,
for example].

Core Impact

http://www.coresecurity.com/

does a great job too, but we only tested the demo version. [That is great too.]

There is another interesting tool [not really web related, but...], Secunia PSI

http://secunia.com/vulnerability_scanning/online/

that does a great job of searching for outdated packages, but it is Windows only.

Reading your last answer, I had the impression we are talking about different things, but I think
I can connect them. My apologies for speculating without reading the complete team work documentation,
but even if issue correction is not our job, as you said, I think we could pressure package maintainers
to update their packages, since we (in theory) have more visibility into package vulnerabilities that can be fixed but
aren't fixed yet. This could have an impact even on GLSA updates, for example.

So, if we have an automatic mechanism that searches vulnerability databases - CVE, for example - and finds which
packages have issues that were already fixed, we could, for example, label packages
with some flag that tells users and developers that this package needs review to fix some vulnerability.

I thought this was an interesting point to discuss because this could in principle force updates to be
faster and more Bugzilla-free. I have nothing against Bugzilla, but the process as a whole takes too much time,
and we could in principle search vulnerability databases and provide developers and users with information
about how secure their systems are.

Thanks again.

Daniel

On Fri, Aug 26, 2011 at 3:44 PM, Alex Legler <a3li <at> gentoo.org> wrote:
On Friday 26 August 2011 15:22:40 Daniel A. Avelino wrote:
> When I think about automation, I have in mind something that could help
> developers find
> vulnerabilities faster [searching and cross-checking against CVE, for
> example] and start a
> "call for solution" process. I work with solutions of this type for web
> vulnerability discovery,
> and some tools are very interesting for reducing the correction time.
>

We already use CVE as one of our sources of vulnerability intelligence.
Finding issues is also not the real issue here.
Also, actual issue correction is not our job, it's the responsibility of the
package maintainer.

Can you share details about the utilities you are using?

Alex

--
Alex Legler <a3li <at> gentoo.org>
Gentoo Security / Ruby
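The "flag packages whose fix already exists" mechanism Daniel sketches above, written out as an added example. This is not code from the thread and not Gentoo's own GLSA tooling: the installed-package list and the advisory feed are constructed sample data, the `CVE-0000-000N` ids are placeholders, and the version parser only understands the `x.y.z` plus optional `-rN` revision subset of version strings. The `-rN` case is the one that matters for Gentoo, where a revision bump can carry a backported fix at a version number below the upstream "fixed in" release.

```python
"""Flag installed packages that sit below the first fixed version in an
advisory feed. Added example; constructed data, not a real tree or feed."""
import re

# Constructed sample of installed packages (category/package -> version).
INSTALLED = {
    "net-misc/examplesrv": "2.4.1",
    "app-text/exampledoc": "1.0.3-r1",   # revision bump, e.g. a backported patch
    "dev-libs/examplelib": "0.9.8",
}

# Constructed advisory feed: placeholder CVE-style ids, not real CVEs.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "net-misc/examplesrv", "fixed_in": "2.4.2"},
    {"id": "CVE-0000-0002", "package": "app-text/exampledoc", "fixed_in": "1.0.3"},
    {"id": "CVE-0000-0003", "package": "dev-libs/examplelib", "fixed_in": "1.0.0"},
    {"id": "CVE-0000-0004", "package": "sys-apps/notinstalled", "fixed_in": "3.1"},
]

# Simplified version syntax: dotted integers with an optional -rN revision.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(v):
    """Return ((numeric components), revision) so versions compare as tuples."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return parts, rev


def version_lt(a, b):
    """True if version a is strictly older than b (1.0 == 1.0.0)."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))   # pad so 1.0 and 1.0.0 compare equal
    pb += (0,) * (n - len(pb))
    return (pa, ra) < (pb, rb)


def flag_needs_review(installed, advisories):
    """Map each installed package below an advisory's fixed_in to the ids
    that affect it. Packages not in the tree are ignored; a -rN revision at
    or above fixed_in is treated as already fixed."""
    flags = {}
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in installed:
            continue
        if version_lt(installed[pkg], adv["fixed_in"]):
            flags.setdefault(pkg, []).append(adv["id"])
    return flags


if __name__ == "__main__":
    for pkg, ids in flag_needs_review(INSTALLED, ADVISORIES).items():
        print(f"NEEDS-REVIEW {pkg} ({INSTALLED[pkg]}): {', '.join(ids)}")
```

Run against the constructed data this flags `net-misc/examplesrv` and `dev-libs/examplelib` and leaves `app-text/exampledoc` alone, because its `1.0.3-r1` revision is not below the `1.0.3` fix. That last case is the caveat Alex's reply points at: a version comparison alone cannot tell whether a revision bump actually contains the fix, so the output is a "needs review" flag for a human, not an advisory.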