Hi,
Below are the results of checking today's lwn.net new vulnerabilities against FE. Since no-one seems to be doing it and since the FE security SIG seems to be not getting anywhere (Am I the only one who cares, I thought there were some other takers?) I've taken this initiative:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184507 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184509
Regards,
Hans
On Thu, 2006-03-09 at 14:02 +0100, Hans de Goede wrote:
Below are the results of checking today's lwn.net new vulnerabilities against FE. Since no-one seems to be doing it
I do skim the bugtraq and full-disclosure feeds from http://www.djeaux.com/rss/ and report whatever I notice, e.g. this one a few days ago: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184097
and since the FE security SIG seems to be not getting anywhere (Am I the only one who cares, I thought there were some other takers?)
I am interested, and will probably get more involved in the future once I find new owners for a bunch of packages I'd rather no longer maintain in FE (I have too much on my plate at the moment).
BTW, it could be useful to place this link prominently somewhere: https://bugzilla.redhat.com/bugzilla/buglist.cgi?product=Fedora+Extras&r...
BTW #2, would it be possible to set Reply-To for this list to the list address?
On Thu, 2006-03-09 at 18:59 +0200, Ville Skyttä wrote:
BTW #2, would it be possible to set Reply-To for this list to the list address?
Is your client not smart enough to handle 'reply-list'? List-post headers exist for a reason. In this list, where replying privately to a poster is going to be a common occurrence, I'd MUCH rather see reply-to NOT get munged and create misfires to the list itself. I'm sorry your client doesn't support list-post, perhaps complain upstream?
Jesse Keating wrote:
On Thu, 2006-03-09 at 18:59 +0200, Ville Skyttä wrote:
BTW #2, would it be possible to set Reply-To for this list to the list address?
+1, and I guess this means that a couple of my mails have gone AWOL.
Is your client not smart enough to handle 'reply-list'? List-post headers exist for a reason. In this list, where replying privately to a poster is going to be a common occurrence, I'd MUCH rather see reply-to NOT get munged and create misfires to the list itself. I'm sorry your client doesn't support list-post, perhaps complain upstream?
Mine isn't, and I'm using Thunderbird, which is imho a respectable client, thus assuming that clients handle reply-list is a wrong assumption.
Regards,
Hans
On Thu, 2006-03-09 at 18:32 +0100, Hans de Goede wrote:
Jesse Keating wrote:
Is your client not smart enough to handle 'reply-list'? List-post headers exist for a reason. In this list, where replying privately to a poster is going to be a common occurrence,
Why is that? I would MUCH prefer if discussions would be kept on-list. Apologies if this was explained earlier, I missed the first few posts here.
I'd MUCH rather see reply-to
NOT get munged and create misfires to the list itself. I'm sorry your client doesn't support list-post, perhaps complain upstream?
Mine isn't, and I'm using Thunderbird, which is imho a respectable client, thus assuming that clients handle reply-list is a wrong assumption.
The FC4 Evolution I'm using does kind of support it, but the option is not very prominently available in the UI. And because very few lists are configured in a way that I need to take special care to get my replies to go to the list address, the keyboard shortcut doesn't stick very easily in muscle memory.
On Thu, 2006-03-09 at 22:14 +0200, Ville Skyttä wrote:
Why is that? I would MUCH prefer if discussions would be kept on-list. Apologies if this was explained earlier, I missed the first few posts here.
I guess it depends on how we use this list. We may want to ping for somebody to help with a given package, but not want to have a public record of the discussion of sensitive matter until such time as updates are prepared. I don't want to see this list become a place for hackers to listen in on what packages are known to be flawed.
I'd MUCH rather see reply-to
NOT get munged and create misfires to the list itself. I'm sorry your client doesn't support list-post, perhaps complain upstream?
Mine isn't, and I'm using Thunderbird, which is imho a respectable client, thus assuming that clients handle reply-list is a wrong assumption.
The FC4 Evolution I'm using does kind of support it, but the option is not very prominently available in the UI. And because very few lists are configured in a way that I need to take special care to get my replies to go to the list address, the keyboard shortcut doesn't stick very easily in muscle memory.
It took me VERY little time to get used to <ctrl>l to reply list. I am on a LOT of lists and not all are configured the same. Remembering <ctrl>l for every list will always do the right thing wrt replying to the list. There are other RFE matters against munging the reply-to headers, but that's an exercise for the bored. I've voiced my opinion, others can do the same.
On Thursday 09 March 2006 14:37, Jesse Keating wrote:
On Thu, 2006-03-09 at 22:14 +0200, Ville Skyttä wrote:
Why is that? I would MUCH prefer if discussions would be kept on-list. Apologies if this was explained earlier, I missed the first few posts here.
I guess it depends on how we use this list. We may want to ping for somebody to help with a given package, but not want to have a public record of the discussion of sensitive matter until such time as updates are prepared. I don't want to see this list become a place for hackers to listen in on what packages are known to be flawed.
We definitely do not want this. A private list is probably needed for such things, perhaps becoming public after 30-60 days.
It took me VERY little time to get used to <ctrl>l to reply list. I am on a LOT of lists and not all are configured the same. Remembering <ctrl>l for every list will always do the right thing wrt replying to the list. There are other RFE matters against munging the reply-to headers, but that's an exercise for the bored. I've voiced my opinion, others can do the same.
In KMail you just hit 'l' to reply to the list.
Dennis
On Thursday 09 March 2006 14:37, Jesse Keating wrote:
On Thu, 2006-03-09 at 22:14 +0200, Ville Skyttä wrote:
Why is that? I would MUCH prefer if discussions would be kept on-list. Apologies if this was explained earlier, I missed the first few posts here.
I guess it depends on how we use this list. We may want to ping for somebody to help with a given package, but not want to have a public record of the discussion of sensitive matter until such time as updates are prepared. I don't want to see this list become a place for hackers to listen in on what packages are known to be flawed.
We definitely do not want this. A private list is probably needed for such things, perhaps becoming public after 30-60 days.
It took me VERY little time to get used to <ctrl>l to reply list. I am on a LOT of lists and not all are configured the same. Remembering <ctrl>l for every list will always do the right thing wrt replying to the list. There are other RFE matters against munging the reply-to headers, but that's an exercise for the bored. I've voiced my opinion, others can do the same.
In KMail you just hit 'l' to reply to the list.
No, I just need to make sure I always select the right profile or set up the folder for the list so it's done for me :)
Dennis
Ville Skyttä wrote:
On Thu, 2006-03-09 at 14:02 +0100, Hans de Goede wrote:
Below are the results of checking today's lwn.net new vulnerabilities against FE. Since no-one seems to be doing it
I do skim the bugtraq and full-disclosure feeds from http://www.djeaux.com/rss/ and report whatever I notice, e.g. this one a few days ago: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184097
Excellent!
and since the FE security SIG seems to be not getting anywhere (Am I the only one who cares, I thought there were some other takers?)
I am interested, and will probably get more involved in the future once I find new owners for a bunch of packages I'd rather no longer maintain in FE (I have too much on my plate at the moment).
What packages, how much work? Maybe I can take over a few.
BTW, it could be useful to place this link prominently somewhere: https://bugzilla.redhat.com/bugzilla/buglist.cgi?product=Fedora+Extras&r...
There already is a similar link on the Security SIG wiki page.
Regards,
Hans
On Thu, 2006-03-09 at 18:33 +0100, Hans de Goede wrote:
Ville Skyttä wrote:
I am interested, and will probably get more involved in the future once I find new owners for a bunch of packages I'd rather no longer maintain in FE (I have too much on my plate at the moment).
What packages, how much work? Maybe I can take over a few.
I haven't really gone through the list yet, but will be posting a summary to the extras list after I do, which will probably be pretty shortly after FC5 is out.
There already is a similar link on the Security SIG wiki page.
Um, is that something else than http://fedoraproject.org/wiki/Extras/SIGs/Security ? ("This page is currently obsolete but the Security SIG will move back here once the structure is finalized.")
On Thursday 09 March 2006 07:02, Hans de Goede wrote:
Hi,
Below are the results of checking today's lwn.net new vulnerabilities against FE. Since no-one seems to be doing it and since the FE security SIG seems to be not getting anywhere (Am I the only one who cares, I thought there were some other takers?) I've taken this initiative:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184507 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184509
Regards,
Hans
Hey Hans,
I have been checking bugtraq; this week I have been sidetracked with some other issues. But I'm still in. I just built new snort packages that fix their vulnerability.
Dennis
On Thu, Mar 09, 2006 at 02:02:55PM +0100, Hans de Goede wrote:
Below are the results of checking today's lwn.net new vulnerabilities against FE. Since no-one seems to be doing it and since the FE security SIG seems to be not getting anywhere (Am I the only one who cares, I thought there were some other takers?) I've taken this initiative: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184507 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184509
We (Boston University) care; just are horribly, horribly short on time. Thanks for doing this.
Hi,
Below are the results of checking today's lwn.net new vulnerabilities against FE. Since no-one seems to be doing it and since the FE security SIG seems to be not getting anywhere (Am I the only one who cares, I thought there were some other takers?) I've taken this initiative:
I'm hoping we can revive this thread. There seems to be marginal interest in a FE security team. I imagine after LWE and FUDCon, there will be a renewed interest, so this may be a fine time to move forward.
Since the SIG already exists, I'll let them speak up. If there is no longer a SIG, that's fine too. Is anybody working on any of these things?
On Wednesday 05 April 2006 15:26, Josh Bressers wrote:
I'm hoping we can revive this thread. There seems to be marginal interest in a FE security team. I imagine after LWE and FUDCon, there will be a renewed interest, so this may be a fine time to move forward.
Since the SIG already exists, I'll let them speak up. If there is no longer a SIG, that's fine too. Is anybody working on any of these things?
I am very interested in this as well. If nobody steps up, I'll do what it takes, but largely we need to come up with a security process, and I think we need guidance from Red Hat's security team.
Is there a SIG?
Jesse Keating wrote:
On Wednesday 05 April 2006 15:26, Josh Bressers wrote:
I'm hoping we can revive this thread. There seems to be marginal interest in a FE security team. I imagine after LWE and FUDCon, there will be a renewed interest, so this may be a fine time to move forward.
Since the SIG already exists, I'll let them speak up. If there is no longer a SIG, that's fine too. Is anybody working on any of these things?
I am very interested in this as well. If nobody steps up, I'll do what it takes, but largely we need to come up with a security process, and I think we need guidance from Red Hat's security team.
Is there a SIG?
There used to be; it consisted of me, Jason L Tibbitts III and Dennis Gilmore. Both Jason and I are currently (also) active in the Games SIG. I must say I like the Games SIG much better, as there is a lot more getting done there. In the Security SIG it was just all talk, and I'm not a talker but a do-er. I also very much agree that what we need most is some kind of security process. We need:
-a wiki/Extras/Security page that tells users what to do and expect when they find a security problem. My suggestion:
-user should search in bugzilla (by CVE in summary if there is a CVE). Maybe we can create a special form for searching by CVE?
-if it's not in bugzilla the user should submit it there.
-this list gets auto-cc-ed
-the maintainer handles it, asking for help (on this list) as needed
To make this work / get some real tracking:
-if a maintainer finds a bug or pushes a new version with a bug fixed he/she should put this bug in bugzilla and close it immediately.
-a place and an easy way to send FE security announcements. Last time I brought this up I landed in some XML mumbo-jumbo jungle; what's wrong with a plain email, with a simple plain-text template as a base for someone wishing to do an announcement to fill in?
Unfortunately, although many maintainers do a great job even on security, some don't, thus we need:
-some kind of rules (FESCo action!) for when someone can step on a maintainer's toes by pushing a fix to CVS and building it because the maintainer is not responding to a security bugzilla entry in a timely fashion. I know that currently anyone can do this if they feel like it, but I for one would like to have a FESCo-declared policy for this which I can point a maintainer at when he gets pissed (iow I want to be able to hide behind FESCo, yes!)
What am I willing to do to help?
-lurk on this list
-check the new security bugs page of lwn against FE (I have been doing this for the last few weeks)
-help people with security problems in C(++) code
-audit C(++) code on request (see my scorched3d work f.e.)
-audit / check C(++) security patches
What am I not willing to do to help?
-get involved in policy making / procedure forming
-other unneeded bureaucracy (the above is needed!)
-talk talk talk, just point me to a broken piece of code please.
So in the light of what I like and what I don't like, consider this one of my last posts in this thread, but don't mistake this for me being unwilling to help or being uninterested!
Regards,
Hans
p.s.
I still don't like the default reply-to setting of this list, but let's not go there.
On Wednesday 05 April 2006 16:24, Hans de Goede wrote:
-a wiki/Extras/Security page that tells users what to do and expect when they find a security problem. My suggestion:
-user should search in bugzilla (by CVE in summary if there is a CVE). Maybe we can create a special form for searching by CVE?
-if it's not in bugzilla the user should submit it there.
-this list gets auto-cc-ed
-the maintainer handles it, asking for help (on this list) as needed
To make this work / get some real tracking:
-if a maintainer finds a bug or pushes a new version with a bug fixed he/she should put this bug in bugzilla and close it immediately.
This seems very sane. This is how we do Legacy as well.
-a place and an easy way to send FE security announcements. Last time I brought this up I landed in some XML mumbo-jumbo jungle; what's wrong with a plain email, with a simple plain-text template as a base for someone wishing to do an announcement to fill in?
Fedora-announce is a great place. We need to make the Fedora Updates software available for Extras (and Legacy) to use. I've talked to Luke Macken, who wrote it, and he is very much for getting it cleaned up and modularized enough so that we can use it for external projects. We should do this before we get into XML update metadata land. This is a solvable problem.
Unfortunately, although many maintainers do a great job even on security, some don't, thus we need:
-some kind of rules (FESCo action!) for when someone can step on a maintainer's toes by pushing a fix to CVS and building it because the maintainer is not responding to a security bugzilla entry in a timely fashion. I know that currently anyone can do this if they feel like it, but I for one would like to have a FESCo-declared policy for this which I can point a maintainer at when he gets pissed (iow I want to be able to hide behind FESCo, yes!)
So one thing that this SIG can do is come up with and vet a security policy that FESCo will bless and make official. Again, this is a solvable problem. Let's get on it. I proposed a policy; let's start from there.