# what's the matter with GLSA?

## palettentreter

Has there really been only one security advisory in almost two months now? When I take a look at e.g. http://www.us-cert.gov/cas/techalerts/index.html or http://web.nvd.nist.gov/view/vuln/search-results?cid=2 it looks like there's at least three (after a quick skim) issues that affect current stable Gentoo: <nano-2.2.4, <=sudo-1.7.2p5 and <=acroread-9.3.1 (the ebuild for which isn't even in portage). I don't really bother about crappy acrobat reader, but nano and sudo? Am I getting something totally wrong or do we actually need a big fat warning above http://www.gentoo.org/security/en/glsa/index.xml?

----------

## kukibl

Very interesting question and to be frank - I'm quite surprised that still there is no answer.  :Confused: 

----------

## wthrowe

They aren't fixed yet.

nano: bug 315355

acroread: bug 313343

(Can't find a bug for sudo.)

The GLSA policy states that there must be a stable fix on most arches (see the link for the list) before a GLSA is issued.

----------

## palettentreter

ok, but now what? The bugs have been fixed, and still no GLSA: http://www.gentoo.org/security/en/  :Sad: 

----------

## hkmaly

I've actually asked at the nano bug and Tobias Heinlein said they "have a huge backlog". Backlog of what? It doesn't seem it would be backlog of glsa's as there are no other glsa posted ...

What happened? Did someone go on vacation and forgot to mention it in advance?

----------

## a3li

These advisories don't write themselves. Backlog means that there are lots of advisories to be drafted.

At the same time we're working on better tools to make advisory drafting easier and faster.

As we could use more help with that, there is a staffing-needs post at http://www.gentoo.org/proj/en/devrel/staffing-needs/

----------

## gerdesj

I am another concerned user but ...

Gentoo is a volunteer effort

Security is _your_ personal responsibility - Gentoo is a source based set up and the GLSAs should be considered a subset of potential problems.

Look into (in no particular order):

Trust of your local users

OSSEC, Fail2ban etc

SELINUX

Snort (NIDS)

ClamAV (AV stuff)

Filesystem rights

Log files!

Firewall

Personally speaking, I'm glad that someone takes the trouble to generate the GLSAs, but I have to temper that with the fact that they are not omnipotent.

Cheers

Jon

----------

## Santiago_de_Mayo

Although I can appreciate the hard work that goes into GLSA updates, there are two reasons why "patch it yourself; it's your responsibility" and "it's a volunteer effort" are not acceptable responses.

You can't provide something and just snatch it away without notification.  There has been developed an expectation of glsa updates for the past several years.  To suddenly drop them, fall behind, or throw up your hands and say, tough, is reprehensible.  If there was notification, I didn't see it on the security mailing list, which seems to be basically dead.

Being a volunteer doesn't mean you get to quit when you feel like it.  Part of the responsibility of accepting a role means that you shepherd that role through transition to a new maintainer.  It is your responsibility to look for replacements when you no longer have the inclination/time to comply with your commitment.  A volunteer position is not an "at your leisure" job.  Once you accept it, there are duties and responsibilities that go with it, and part of that is the job of succession once you can no longer comply with your commitment.

Throwing up your hands and saying "patch it yourself" and "what do you expect, it's a volunteer organization" is NOT acceptable, and the security team should be ashamed of itself.

----------

## hkmaly

What worries me most is that even from the information in this forum it is not clear what we should do or what state the GLSA project is in. Not posting ANY GLSA is not only "falling behind". Does anyone from the security team have at least some plan (time estimate) for when we can expect new GLSAs?

----------

## hkmaly

New GLSAs appeared! Thanks, security team. I hope it means they're returning to normal ...

----------

## hkmaly

*hkmaly wrote:*

> New GLSAs appeared! Thanks, security team. I hope it means they're returning to normal ...

... seems like it doesn't ...

----------

## johnmdesmond

*hkmaly wrote:*

> *hkmaly wrote:* New GLSAs appeared! Thanks, security team. I hope it means they're returning to normal ...
>
> ... seems like it doesn't ...


So what can we lusers do on our own? I thought maybe I could google the security vulnerability sites and find critical stuff on my own. It's like trying to cross-reference Dewey to LoC!

Has anybody written a script to compare your world file to a security site's db (do any of them have an API to do this?) to create a vulnerability list for your system? At least then I'd know which packages are a problem, avoid risky behavior until it's fixed, and install just the changes I need. The updates often show up in portage (thanks maintainers!) without a hint that you really, really should apply this. I've successfully backed off of my 'emerge -uDN world' addiction, mainly because 'change=broken_system'. I want to apply only security updates. 

BTW, I've recently been installing Ubuntu for a lot of people and noticed that the security updates are there before I even find out about them from elsewhere. On Ubuntu I would be able to install *only* security updates and be pretty sure I'm getting them with a short lag time. I've been using Gentoo since at least 2003 and this is the first time I've felt a tug to go elsewhere.

-jmd

----------

## L. Vmbrius

Hello!

Latest GLSA list record issued is 201101-09. Does that mean there have been no serious security issues since January 2011?

----------

## tomk

Merged previous post.

----------

## johnmdesmond

*L. Vmbrius wrote:*

> Hello!
>
> Latest GLSA list record issued is 201101-09. Does that mean there have been no serious security issues since January 2011?


I think it means the security team hasn't had the time to write them up. There are also some technical reasons why a GLSA wouldn't be generated, but there have been plenty of portage updates over the last few months that, ideally, would have been accompanied by a GLSA. Until the GLSA system picks up the ball again, it's best to update often, just to ensure that unidentified security updates get incorporated into your system.

----------

## hkmaly

*johnmdesmond wrote:*

> *L. Vmbrius wrote:* Hello!
>
> Latest GLSA list record issued is 201101-09. Does that mean there have been no serious security issues since January 2011?
>
> ...

Update what - everything? That's a sure way to end up with a broken system. I've tried to create a search in Gentoo Bugzilla for pending GLSAs, but it's hard to say if THOSE are updated reliably ...

----------

## Hu

*hkmaly wrote:*

> *johnmdesmond wrote:* Until the GLSA system picks up the ball again, it's best to update often, just to ensure that unidentified security updates get incorporated into your system.
>
> Update what - everything?

No, you only need to update those packages that come into contact with untrusted input.  Even so, updating the whole system seems to work most of the time.  For those times when it does not, that is why you have a test box before you upgrade the production system.

----------

## hkmaly

*Hu wrote:*

> *hkmaly wrote:* *johnmdesmond wrote:* Until the GLSA system picks up the ball again, it's best to update often, just to ensure that unidentified security updates get incorporated into your system. Update what - everything?
>
> No, you only need to update those packages that come into contact with untrusted input.  Even so, updating the whole system seems to work most of the time.  For those times when it does not, that is why you have a test box before you upgrade the production system.

Test box, production system ... I use Gentoo for desktop. We have Debian on the production system, and it was obviously a good decision because Debian only needs to be upgraded in a way which may break something (and therefore needs lengthy testing) once in two years. I used to think Gentoo is better, like for example Gentoo will not force you to install an X server because of dependencies, but with the current situation in GLSA I've changed my opinion.

Why doesn't a system exist that uses Debian source packages with Gentoo USE-flag type dependencies ... like, the frequent updates of Gentoo sound good, but they only ARE good when tested enough, which Gentoo lacks the manpower to do (also, it would need more levels of stability than the current "stable" and "unstable").

----------

## gus.j.power

I just had a look at the GLSA page (16 June 2011) and I see that there haven't been any updates since January.

glsa-check lists the last entry as 

```
201101-09 [U] Adobe Flash Player: Multiple vulnerabilities ( www-plugins/adobe-flash )
```

Does anyone know if the GLSA process has become obsolete? Is there another way to see security-related updates?
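
The script johnmdesmond asked for earlier in the thread (comparing the world file against a vulnerability list) can be started from the `glsa-check -l` output format quoted in this post. The following is an added example, not code from the thread or from Gentoo: it parses lines of that shape, reads the atoms from a world file, and reports which advisories name a package you explicitly installed. The sample output and world file are constructed; the status letter in brackets is passed through exactly as glsa-check prints it, and the `/var/lib/portage/world` path is only mentioned in a comment.

```python
# Added example (not from the thread): cross-reference `glsa-check -l` output
# with a Portage world file. Line format assumed from the output quoted above:
#   '201101-09 [U] Title ( cat/pkg cat/pkg2 )'; world file: one atom per line.
import re

# Constructed glsa-check -l sample: the first line is the real one quoted in
# the thread, the others are made-up entries so the cross-reference has hits.
SAMPLE_GLSA_OUTPUT = """\
201101-09 [U] Adobe Flash Player: Multiple vulnerabilities ( www-plugins/adobe-flash )
200000-01 [N] nano: constructed example entry ( app-editors/nano )
200000-02 [N] sudo: constructed example entry ( app-admin/sudo )
200000-03 [N] constructed multi-package entry ( net-misc/curl dev-libs/openssl )
"""

# Constructed world file (the real one lives at /var/lib/portage/world).
SAMPLE_WORLD = """\
# comments and blank lines are ignored
app-editors/nano
app-admin/sudo
sys-devel/gcc:4.4
dev-libs/openssl
"""

GLSA_LINE = re.compile(
    r"^(?P<id>\d{6}-\d{2})\s+\[(?P<status>[A-Z])\]\s+(?P<title>.*?)\s+\(\s*(?P<pkgs>[^)]*?)\s*\)\s*$")


def parse_glsa_lines(text: str) -> list[dict[str, object]]:
    """Parse glsa-check -l lines; lines not matching the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = GLSA_LINE.match(line.strip())
        if m:  # status flag is passed through exactly as glsa-check prints it
            entries.append({"id": m["id"], "status": m["status"],
                            "title": m["title"], "packages": set(m["pkgs"].split())})
    return entries


def load_world(text: str) -> set[str]:
    """Return category/package atoms from a world file, slot suffix (':4.4') removed."""
    return {line.split(":", 1)[0] for line in map(str.strip, text.splitlines())
            if line and not line.startswith("#")}


def cross_reference(glsa_text: str, world_text: str) -> list[dict[str, object]]:
    """Return GLSA entries whose affected packages are in the world file, with the matches."""
    world = load_world(world_text)
    hits = []
    for entry in parse_glsa_lines(glsa_text):
        matched = sorted(entry["packages"] & world)
        if matched:
            hits.append({**entry, "matched": matched})
    return hits
```

On a real system you would feed `cross_reference` the output of `glsa-check -l` and the contents of the world file instead of the constructed samples; packages pulled in only as dependencies are not in the world file, so this narrows the list to what you asked for rather than everything glsa-check knows about.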

----------

## phajdan.jr

You can watch security@gentoo.org user at Gentoo Bugzilla (https://bugs.gentoo.org). You have to create an account there, then click "Preferences", "Email Preferences", and "Add users to my watch list (comma separated list)" then click "Submit Changes". Watch out - the e-mail volume may be medium/high.

----------

## gus.j.power

Thanks for the info. I've set up the email watch and will see how it goes.

I'm curious as to why the GLSA mechanism has fallen out of use and whether there is any intention of picking it back up again.

----------

## phajdan.jr

*gus.j.power wrote:*

> I'm curious as to why the GLSA mechanism has fallen out of use


Drafting good GLSAs requires quite a lot of work. Obviously just gathering info about vulnerabilities and patching them (stabilizing packages) has higher priority.

*gus.j.power wrote:*

> and whether there is any intention of picking it back up again.


I think there are some better tools in development that should make the process much easier - not just handling GLSAs, but handling security bugs in general. Please stay tuned. If you're very interested, it may be possible to join the development project.

----------

## gus.j.power

Sounds good. How do I get involved?

----------

## phajdan.jr

*gus.j.power wrote:*

> Sounds good. How do I get involved?


Contact the Gentoo Security team. Assuming we're talking about development here, you should be able to find their web page and so on.   :Wink: 

----------

