Security release criterion proposal
tmraz at redhat.com
Wed May 18 18:35:22 UTC 2011
On Wed, 2011-05-18 at 08:57 -0700, Adam Williamson wrote:
> Hey, all. The topic of whether and which security issues should block
> releases has come up several times before. While we haven't actually had
> many really serious security issues to worry about since the
> introduction of the current release criteria system, I think it's
> certainly something we should take into account. At the same time, it's
> fairly established in practice that we don't just consider anything
> worth issuing a CVE for as a release-blocking bug. So, to capture what I
> believe would be the intent of the project, I propose this as an Alpha
> release criterion for F16 onwards. (For those on devel and security
> lists who may not be completely familiar with the release criteria /
> blocker system, this would mean that any bug for an issue which breached
> the criterion should be considered a release blocker for any Alpha, Beta
> or Final release).
> # There must be no known remote code execution vulnerability which could
> be exploited during installation or during use of a live image shipped
> with the release
I mostly agree with this criterion with one exception below.
> Points to consider:
> * Possible variants to the type of vulnerability covered...do we also
> want to make local privesc vulns blocking? Conversely, do we want to
> make only remote *root* execution vulns blocking? I don't know if anyone
> would want to go as far as making DoS vulns release blocking, but speak
> up if you would! (Of course there is again the local/remote distinction
> to consider there: 'all DoS vulns' would be a much tighter standard than
> 'remote DoS vulns').
> * The caveat about where the issue is exploitable is important because
> if you can't exploit it from the installer or a live image, it becomes
> less relevant whether we ship with it or not, because you would be safe
> with the first post-install update assuming we submitted an update for
> the issue promptly. But it may be the case that we want to broaden it
> out to also cover issues that can be exploited from a default DVD
> install, if we consider the window between install and first update (if
> updates repos aren't used during installation) to be unacceptable.
I would vote for this slight broadening - that is to make also remotely
exploitable issue in the default DVD install a release blocker.
No matter how far down the wrong road you've gone, turn back.
More information about the security