* how does one stay on top of YP security alerts?
From: Robert P. J. Day @ 2017-01-07 15:29 UTC
To: Yocto discussion list

  colleague wants to know how one stays up to date with security
alerts related to YP releases, i checked out the yocto-security
mailing list:

https://lists.yoctoproject.org/pipermail/yocto-security/

but that looks like a very dead mailing list. are there other options?

rday

-- 
========================================================================
Robert P. J. Day                                 Ottawa, Ontario, CANADA
                        http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================
* Re: how does one stay on top of YP security alerts?
From: Alexander Kanavin @ 2017-01-09 13:08 UTC
To: yocto

On 01/07/2017 05:29 PM, Robert P. J. Day wrote:
>
> colleague wants to know how one stays up to date with security
> alerts related to YP releases, i checked out the yocto-security
> mailing list:
>
> https://lists.yoctoproject.org/pipermail/yocto-security/
>
> but that looks like a very dead mailing list. are there other options?

You can subscribe to the yocto-announce list and follow the announcements
for stable point releases, or simply pull from release branches as often
as possible, and make some form of 'git log' your personal security alert.

Alex
* Re: how does one stay on top of YP security alerts?
From: Bent Bisballe Nyeng @ 2017-01-10 10:01 UTC
To: yocto

On 01/09/2017 02:12 PM, Alexander Kanavin wrote:
> On 01/07/2017 05:29 PM, Robert P. J. Day wrote:
>> colleague wants to know how one stays up to date with security
>> alerts related to YP releases, i checked out the yocto-security
>> mailing list:
>>
>> https://lists.yoctoproject.org/pipermail/yocto-security/
>>
>> but that looks like a very dead mailing list. are there other options?
> You can subscribe to the yocto-announce list and follow the announcements
> for stable point releases, or simply pull from release branches as often
> as possible, and make some form of 'git log' your personal security alert.
>
> Alex
>

So /is/ the yocto-security mailing list considered "dead"? Or have there
simply not been any security issues for a while?

Kind regards
Bent Bisballe Nyeng
* Re: how does one stay on top of YP security alerts?
From: Burton, Ross @ 2017-01-10 10:29 UTC
To: Bent Bisballe Nyeng; +Cc: yocto

On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn@mjolner.dk> wrote:
> So /is/ the yocto-security mailing list considered "dead"? Or have there
> simply not been any security issues for a while?
>

IIRC, yocto-security was more to discuss security issues, not an
announcement of security-related fixes. If you care about security then
you'll want notice for more than just what is in oe-core, so I suggest
monitoring the CVE announcements directly.

Ross
* Re: how does one stay on top of YP security alerts?
From: Bent Bisballe Nyeng @ 2017-01-10 10:37 UTC
To: yocto

On 01/10/2017 11:29 AM, Burton, Ross wrote:
> On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn@mjolner.dk> wrote:
>> So /is/ the yocto-security mailing list considered "dead"? Or have there
>> simply not been any security issues for a while?
>
> IIRC, yocto-security was more to discuss security issues, not an
> announcement of security-related fixes. If you care about security then
> you'll want notice for more than just what is in oe-core, so I suggest
> monitoring the CVE announcements directly.
>
> Ross

I found the list initially through this page:
https://wiki.yoctoproject.org/wiki/Security
where it is described as the security [at] yoctoproject [dot] org being
the discussion list and the yocto [dash] security [at] yoctoproject [dot]
org being the security announcement list.

If the yocto [dash] security [at] yoctoproject [dot] org is in fact no
longer active, I think it is important that the wiki page is changed to
reflect that, to prevent potentially dangerous misunderstandings in the
future.

Kind regards
Bent Bisballe Nyeng
* Re: how does one stay on top of YP security alerts?
From: Paul Eggleton @ 2017-01-10 20:51 UTC
To: Bent Bisballe Nyeng; +Cc: yocto

On Tue, 10 Jan 2017 10:37:48 Bent Bisballe Nyeng wrote:
> I found the list initially through this page:
> https://wiki.yoctoproject.org/wiki/Security where it is described as the
> security [at] yoctoproject [dot] org being the discussion list and the yocto
> [dash] security [at] yoctoproject [dot] org being the security announcement
> list.

That's not what it says. What it does say is that the yocto-security@ list is
for discussions about security patches, and security@ is for private
notification about security issues *to* several nominated individuals. There
isn't an announcement list I'm afraid.

> If the yocto [dash] security [at] yoctoproject [dot] org is in fact no longer
> active I think it is important that the wiki page is changed to reflect
> that to prevent potentially dangerous misunderstandings in the future.

I'm not sure how you came to the conclusions you did - do you have any
suggestions on rewording?

I will say that the yocto-security@ list has been pretty quiet since it was
set up. Adding a few people on CC - are there any plans to make better use of
this list?

Cheers,
Paul

-- 
Paul Eggleton
Intel Open Source Technology Centre
* Re: how does one stay on top of YP security alerts?
From: Bent Bisballe Nyeng @ 2017-01-11 8:29 UTC
To: Paul Eggleton; +Cc: yocto

On 01/10/2017 09:53 PM, Paul Eggleton wrote:
> On Tue, 10 Jan 2017 10:37:48 Bent Bisballe Nyeng wrote:
>> I found the list initially through this page:
>> https://wiki.yoctoproject.org/wiki/Security where it is described as the
>> security [at] yoctoproject [dot] org being the discussion list and the yocto
>> [dash] security [at] yoctoproject [dot] org being the security announcement
>> list.
> That's not what it says. What it does say is that the yocto-security@ list is
> for discussions about security patches, and security@ is for private
> notification about security issues *to* several nominated individuals. There
> isn't an announcement list I'm afraid.
>
>> If the yocto [dash] security [at] yoctoproject [dot] org is in fact no longer
>> active I think it is important that the wiki page is changed to reflect
>> that to prevent potentially dangerous misunderstandings in the future.
> I'm not sure how you came to the conclusions you did - do you have any
> suggestions on rewording?
>
> I will say that the yocto-security@ list has been pretty quiet since it was
> set up. Adding a few people on CC - are there any plans to make better use of
> this list?
>
> Cheers,
> Paul

I can see now that I half read, half assumed what the page said...

The ideal solution in my opinion would be to actually turn the
yocto-security list into a security announcement list, as this would make
it the perfect resource for monitoring security issues for shipped
products, instead of having to make some kind of grep filter on the git
logs.

Would this be an option? I think it would be of great benefit to the Yocto
community if such a list existed.

Kind regards
Bent Bisballe Nyeng
* Re: how does one stay on top of YP security alerts?
From: Philip Balister @ 2017-01-11 14:49 UTC
To: Bent Bisballe Nyeng, yocto

The question of security comes up at every OpenEmbedded developer
meeting. Clearly, the companies building products with OpenEmbedded care
about security.

The problem with following the CVEs directly is that you need to do
analysis to determine if a specific release has the vulnerability.

We do have guidelines for marking CVEs addressed by commits, to help
people interested in developing tools to show what CVEs are addressed
in the metadata.

One suggestion made is to set up some form of git hook to email commits
with CVE tags to the security list. We are very interested in
encouraging people who care about security to use the security mailing
list to improve the overall security of distributions (like Poky) built
with OpenEmbedded.

Philip

On 01/10/2017 05:37 AM, Bent Bisballe Nyeng wrote:
> On 01/10/2017 11:29 AM, Burton, Ross wrote:
>
> On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn@mjolner.dk> wrote:
> So /is/ the yocto-security mailing list considered "dead"? Or have there
> simply not been any security issues for a while?
>
> IIRC, yocto-security was more to discuss security issues, not an
> announcement of security-related fixes. If you care about security then
> you'll want notice for more than just what is in oe-core, so I suggest
> monitoring the CVE announcements directly.
>
> Ross
>
> I found the list initially through this page:
> https://wiki.yoctoproject.org/wiki/Security where it is described as the
> security [at] yoctoproject [dot] org being the discussion list and the
> yocto [dash] security [at] yoctoproject [dot] org being the security
> announcement list.
>
> If the yocto [dash] security [at] yoctoproject [dot] org is in fact no
> longer active, I think it is important that the wiki page is changed to
> reflect that, to prevent potentially dangerous misunderstandings in the
> future.
>
> Kind regards
> Bent Bisballe Nyeng
* Re: how does one stay on top of YP security alerts?
From: Alexander Kanavin @ 2017-01-11 14:56 UTC
To: yocto

On 01/11/2017 04:49 PM, Philip Balister wrote:
> The problem with following the CVEs directly is that you need to do
> analysis to determine if a specific release has the vulnerability.
>
> We do have guidelines for marking CVEs addressed by commits, to help
> people interested in developing tools to show what CVEs are addressed
> in the metadata.
>
> One suggestion made is to set up some form of git hook to email commits
> with CVE tags to the security list.

This is not going to work if a security issue is fixed by a version update
without an intermediate backported patch (which often happens). And
cve-check-tool is notorious for inaccuracies both ways.

There's simply no easy, working solution to this, the way I see it. In the
master branch the best we can do is to stay close to upstream; for release
branches the only thing that will really work is having real recipe
maintainers who follow upstream development closely.

Alex
* Re: how does one stay on top of YP security alerts?
From: Mark Hatle @ 2017-01-11 17:46 UTC
To: Philip Balister, Bent Bisballe Nyeng, yocto

On 1/11/17 8:49 AM, Philip Balister wrote:
> The question of security comes up at every OpenEmbedded developer
> meeting. Clearly, the companies building products with OpenEmbedded care
> about security.
>
> The problem with following the CVEs directly is that you need to do
> analysis to determine if a specific release has the vulnerability.
>
> We do have guidelines for marking CVEs addressed by commits, to help
> people interested in developing tools to show what CVEs are addressed
> in the metadata.
>
> One suggestion made is to set up some form of git hook to email commits
> with CVE tags to the security list. We are very interested in
> encouraging people who care about security to use the security mailing
> list to improve the overall security of distributions (like Poky) built
> with OpenEmbedded.

We started looking into having a git hook that would email the list
whenever a commit (with the CVE tag in it) was present, but with holidays
(and other work items I had)... this of course dropped lower in the
priority list.

I do think this is the only reasonable way to do this. Use an individual
branch's commit information to discover what is fixed. If it's not listed
as fixed, it's the user's responsibility to understand if they are
vulnerable, deal with the vulnerability and (hopefully) send the patch to
the mailing lists so others can benefit from it.

(Speaking as a commercial OSV for a second) The latest step of triage, fix
and send -- as well as announcing to customers and documenting things that
are NOT vulnerable -- are all services we provide. I would expect any
commercial OSV to provide a similar service for their customers.

This is certainly a 'value-add' that we do above and beyond the open
source community.

This really is an 'above and beyond' request for the community. The
community only cares about what HAS been fixed and the in-progress
development release. Anything beyond that is best effort, and the Yocto
Project compliance guidelines (and related process, encouraging
contributions) help keep commercial OSVs (who do this work anyway)
involved with keeping the community up to date.

--Mark

> Philip
>
> On 01/10/2017 05:37 AM, Bent Bisballe Nyeng wrote:
>> On 01/10/2017 11:29 AM, Burton, Ross wrote:
>>
>> On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn@mjolner.dk> wrote:
>> So /is/ the yocto-security mailing list considered "dead"? Or have there
>> simply not been any security issues for a while?
>>
>> IIRC, yocto-security was more to discuss security issues, not an
>> announcement of security-related fixes. If you care about security then
>> you'll want notice for more than just what is in oe-core, so I suggest
>> monitoring the CVE announcements directly.
>>
>> Ross
>>
>> I found the list initially through this page:
>> https://wiki.yoctoproject.org/wiki/Security where it is described as the
>> security [at] yoctoproject [dot] org being the discussion list and the
>> yocto [dash] security [at] yoctoproject [dot] org being the security
>> announcement list.
>>
>> If the yocto [dash] security [at] yoctoproject [dot] org is in fact no
>> longer active, I think it is important that the wiki page is changed to
>> reflect that, to prevent potentially dangerous misunderstandings in the
>> future.
>>
>> Kind regards
>> Bent Bisballe Nyeng
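An added example (not code from this thread, from oe-core or from the Yocto Project) of the commit-scanning idea Philip and Mark describe above: it parses constructed `git log` records for a branch push, collects the commits that carry a CVE trailer, and separately flags untagged version upgrades for manual review, which is the gap Alexander points out. The `CVE: CVE-YYYY-NNNN` trailer line format and the upgrade-subject pattern are assumptions, and the sample commits are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like `git log --format='%H%x00%s%x00%b%x1e'`
# (NUL between fields, RS after each commit). Not real oe-core commits;
# the "CVE: CVE-YYYY-NNNN" trailer line format is assumed here.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\x00"
    "openssl: backport fix for two CVEs\x00"
    "Backport the upstream fix.\n\n"
    "CVE: CVE-2016-0001\nCVE: CVE-2016-0002\n\x1e"
    "2222222222222222222222222222222222222222\x00"
    "curl: upgrade 7.51.0 -> 7.52.1\x00"
    "Version bump; release notes mention security fixes.\n\x1e"
    "3333333333333333333333333333333333333333\x00"
    "README: fix typo\x00\n\x1e"
)

CVE_TAG = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})\s*$", re.MULTILINE)
UPGRADE_SUBJECT = re.compile(r":\s*(upgrade|update)\b.*->", re.IGNORECASE)


def parse_log(raw: str) -> List[dict]:
    """Split the RS-terminated, NUL-separated records into commit dicts."""
    commits = []
    for rec in filter(str.strip, raw.split("\x1e")):
        sha, subject, body = rec.split("\x00", 2)
        commits.append({"sha": sha.strip(), "subject": subject, "body": body})
    return commits


def classify(commits: List[dict]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (tagged, review): sha -> CVE ids for commits with a CVE trailer,
    and shas of untagged version upgrades that may fix CVEs silently."""
    tagged, review = {}, []
    for c in commits:
        cves = sorted(set(CVE_TAG.findall(c["body"])))
        if cves:
            tagged[c["sha"]] = cves
        elif UPGRADE_SUBJECT.search(c["subject"]):
            review.append(c["sha"])
    return tagged, review


def announcement(branch: str, tagged: Dict[str, List[str]], review: List[str]) -> str:
    """Render the text a post-receive hook would mail to the list."""
    lines = [f"Security-relevant commits on {branch}:"]
    for sha, cves in tagged.items():
        lines.append(f"  {sha[:12]} fixes {', '.join(cves)}")
    for sha in review:
        lines.append(f"  {sha[:12]} version upgrade without CVE tag (manual review)")
    return "\n".join(lines)
```

A hook would feed the real `git log` output for the pushed range into `parse_log` and mail the result of `announcement`; the "manual review" entries are the ones a tag-only hook would otherwise miss.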