* how does one stay on top of YP security alerts?
@ 2017-01-07 15:29 Robert P. J. Day
  2017-01-09 13:08 ` Alexander Kanavin
  0 siblings, 1 reply; 10+ messages in thread
From: Robert P. J. Day @ 2017-01-07 15:29 UTC (permalink / raw)
  To: Yocto discussion list


  A colleague wants to know how one stays up to date with security
alerts related to YP releases. I checked out the yocto-security
mailing list:

https://lists.yoctoproject.org/pipermail/yocto-security/

but that looks like a very dead mailing list. Are there other options?

rday

-- 

========================================================================
Robert P. J. Day                                 Ottawa, Ontario, CANADA
                        http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================




* Re: how does one stay on top of YP security alerts?
  2017-01-07 15:29 how does one stay on top of YP security alerts? Robert P. J. Day
@ 2017-01-09 13:08 ` Alexander Kanavin
  2017-01-10 10:01   ` Bent Bisballe Nyeng
  0 siblings, 1 reply; 10+ messages in thread
From: Alexander Kanavin @ 2017-01-09 13:08 UTC (permalink / raw)
  To: yocto

On 01/07/2017 05:29 PM, Robert P. J. Day wrote:
>
>   colleague wants to know how one stays up to date with security
> alerts related to YP releases, i checked out the yocto-security
> mailing list:
>
> https://lists.yoctoproject.org/pipermail/yocto-security/
>
> but that looks like a very dead mailing list. are there other options?

You can subscribe to yocto-announce list and follow the announcements 
for stable point releases, or simply pull from release branches as often 
as possible, and make some form of 'git log' your personal security alert.

Alex




* Re: how does one stay on top of YP security alerts?
  2017-01-09 13:08 ` Alexander Kanavin
@ 2017-01-10 10:01   ` Bent Bisballe Nyeng
  2017-01-10 10:29     ` Burton, Ross
  0 siblings, 1 reply; 10+ messages in thread
From: Bent Bisballe Nyeng @ 2017-01-10 10:01 UTC (permalink / raw)
  To: yocto

On 01/09/2017 02:12 PM, Alexander Kanavin wrote:
> On 01/07/2017 05:29 PM, Robert P. J. Day wrote:
>>   colleague wants to know how one stays up to date with security
>> alerts related to YP releases, i checked out the yocto-security
>> mailing list:
>>
>> https://lists.yoctoproject.org/pipermail/yocto-security/
>>
>> but that looks like a very dead mailing list. are there other options?
> You can subscribe to yocto-announce list and follow the announcements 
> for stable point releases, or simply pull from release branches as often 
> as possible, and make some form of 'git log' your personal security alert.
>
> Alex
>
So /is/ the yocto-security mailing list considered "dead"? Or have there
simply not been any security issues for a while?

Kind regards
Bent Bisballe Nyeng




* Re: how does one stay on top of YP security alerts?
  2017-01-10 10:01   ` Bent Bisballe Nyeng
@ 2017-01-10 10:29     ` Burton, Ross
  2017-01-10 10:37       ` Bent Bisballe Nyeng
  0 siblings, 1 reply; 10+ messages in thread
From: Burton, Ross @ 2017-01-10 10:29 UTC (permalink / raw)
  To: Bent Bisballe Nyeng; +Cc: yocto


On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn@mjolner.dk> wrote:

> So /is/ the yocto-security mailinglist considered "dead"? Or has there
> simply not been any security issues for a while?
>

IIRC, yocto-security was more to discuss security issues, not an
announcement of security related fixes.  If you care about security then
you'll want notice for more than just what is in oe-core, so I suggest
monitoring the CVE announcements directly.

Ross


* Re: how does one stay on top of YP security alerts?
  2017-01-10 10:29     ` Burton, Ross
@ 2017-01-10 10:37       ` Bent Bisballe Nyeng
  2017-01-10 20:51         ` Paul Eggleton
  2017-01-11 14:49         ` Philip Balister
  0 siblings, 2 replies; 10+ messages in thread
From: Bent Bisballe Nyeng @ 2017-01-10 10:37 UTC (permalink / raw)
  To: yocto


On 01/10/2017 11:29 AM, Burton, Ross wrote:
> On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn@mjolner.dk> wrote:
>> So /is/ the yocto-security mailinglist considered "dead"? Or has there
>> simply not been any security issues for a while?
>
> IIRC, yocto-security was more to discuss security issues, not an
> announcement of security related fixes.  If you care about security then
> you'll want notice for more than just what is in oe-core, so I suggest
> monitoring the CVE announcements directly.
>
> Ross

I found the list initially through this page: https://wiki.yoctoproject.org/wiki/Security
where security [at] yoctoproject [dot] org is described as the discussion
list and yocto [dash] security [at] yoctoproject [dot] org as the security
announcement list.

If the yocto [dash] security [at] yoctoproject [dot] org list is in fact no
longer active, I think it is important that the wiki page is changed to
reflect that, to prevent potentially dangerous misunderstandings in the future.

Kind regards
Bent Bisballe Nyeng


* Re: how does one stay on top of YP security alerts?
  2017-01-10 10:37       ` Bent Bisballe Nyeng
@ 2017-01-10 20:51         ` Paul Eggleton
  2017-01-11  8:29           ` Bent Bisballe Nyeng
  2017-01-11 14:49         ` Philip Balister
  1 sibling, 1 reply; 10+ messages in thread
From: Paul Eggleton @ 2017-01-10 20:51 UTC (permalink / raw)
  To: Bent Bisballe Nyeng; +Cc: yocto

On Tue, 10 Jan 2017 10:37:48 Bent Bisballe Nyeng wrote:
> I found the list initially through this page:
> https://wiki.yoctoproject.org/wiki/Security where it is described as the
> security [at] yoctoprojct [dot] org being the discussion list and the yocto
> [dash] security [at] yoctoproject[dot] org being the security announcement
> list.

That's not what it says. What it does say is that yocto-security@ list is for 
discussions about security patches, and security@ is for private notification 
about security issues *to* several nominated individuals. There isn't an 
announcement list I'm afraid.
 
> If the yocto [dash] security [at] yoctoproject[dot] org is in fact no longer
> active I think it is important that the wiki page is changed to reflect
> that to prevent potential dangerous misunderstandings in the future.

I'm not sure how you came to the conclusions you did - do you have any 
suggestions on rewording?

I will say that the yocto-security@ list has been pretty quiet since it was 
set up. Adding a few people on CC - are there any plans to make better use of 
this list?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: how does one stay on top of YP security alerts?
  2017-01-10 20:51         ` Paul Eggleton
@ 2017-01-11  8:29           ` Bent Bisballe Nyeng
  0 siblings, 0 replies; 10+ messages in thread
From: Bent Bisballe Nyeng @ 2017-01-11  8:29 UTC (permalink / raw)
  To: Paul Eggleton; +Cc: yocto

On 01/10/2017 09:53 PM, Paul Eggleton wrote:
> On Tue, 10 Jan 2017 10:37:48 Bent Bisballe Nyeng wrote:
>> I found the list initially through this page:
>> https://wiki.yoctoproject.org/wiki/Security where it is described as the
>> security [at] yoctoprojct [dot] org being the discussion list and the yocto
>> [dash] security [at] yoctoproject[dot] org being the security announcement
>> list.
> That's not what it says. What it does say is that yocto-security@ list is for 
> discussions about security patches, and security@ is for private notification 
> about security issues *to* several nominated individuals. There isn't an 
> announcement list I'm afraid.
>  
>> If the yocto [dash] security [at] yoctoproject[dot] org is in fact no longer
>> active I think it is important that the wiki page is changed to reflect
>> that to prevent potential dangerous misunderstandings in the future.
> I'm not sure how you came to the conclusions you did - do you have any 
> suggestions on rewording?
>
> I will say that the yocto-security@ list has been pretty quiet since it was 
> set up. Adding a few people on CC - are there any plans to make better use of 
> this list?
>
> Cheers,
> Paul
I can see now that I half read, half assumed what the page said...

The ideal solution in my opinion would be to actually turn the
yocto-security list into a security announcement list as this would make
it the perfect resource for monitoring security issues for shipped
products instead of having to make some kind of grep filter on the git logs.

Would this be an option? I think it would be of great benefit to the
yocto community if such a list existed.

Kind regards
Bent Bisballe Nyeng




* Re: how does one stay on top of YP security alerts?
  2017-01-10 10:37       ` Bent Bisballe Nyeng
  2017-01-10 20:51         ` Paul Eggleton
@ 2017-01-11 14:49         ` Philip Balister
  2017-01-11 14:56           ` Alexander Kanavin
  2017-01-11 17:46           ` Mark Hatle
  1 sibling, 2 replies; 10+ messages in thread
From: Philip Balister @ 2017-01-11 14:49 UTC (permalink / raw)
  To: Bent Bisballe Nyeng, yocto

The question of security comes up at every OpenEmbedded developer
meeting. Clearly, the companies building products with OpenEmbedded care
about security.

The problem with following the CVEs directly is that you need to do
analysis to determine if a specific release has the vulnerability.

We do have guidelines for marking CVEs addressed by commits, to help
people interested in developing tools to show what CVEs are addressed
in the metadata.

One suggestion made is to set up some form of git hook to email commits
with CVE tags to the security list. We are very interested in
encouraging people who care about security to use the security mailing
list to improve overall security of distributions (like Poky) built with
OpenEmbedded.

Philip


* Re: how does one stay on top of YP security alerts?
  2017-01-11 14:49         ` Philip Balister
@ 2017-01-11 14:56           ` Alexander Kanavin
  2017-01-11 17:46           ` Mark Hatle
  1 sibling, 0 replies; 10+ messages in thread
From: Alexander Kanavin @ 2017-01-11 14:56 UTC (permalink / raw)
  To: yocto

On 01/11/2017 04:49 PM, Philip Balister wrote:
> The problem following the CVE's direct is you need to do analysis to
> determine if a specific release has the vulnerability.
>
> We do have guidelines for marking CVE's addressed by commits, to help
> people interested in developing tools to show what CVE's are addressed
> in the meta data.
 >
> One suggestion made is to setup some form of git hook to email commits
> with CVE tags to the security list.

This is not going to work if a security issue is fixed by a version 
update without an intermediate backported patch (which often happens). 
And cve-check-tool is notorious for inaccuracies both ways.

There's simply no easy, working solution to this, the way I see it. In 
the master branch the best we can do is to stay close to upstream, for 
release branches the only thing that will really work is having real 
recipe maintainers who follow upstream development closely.

Alex



* Re: how does one stay on top of YP security alerts?
  2017-01-11 14:49         ` Philip Balister
  2017-01-11 14:56           ` Alexander Kanavin
@ 2017-01-11 17:46           ` Mark Hatle
  1 sibling, 0 replies; 10+ messages in thread
From: Mark Hatle @ 2017-01-11 17:46 UTC (permalink / raw)
  To: Philip Balister, Bent Bisballe Nyeng, yocto

On 1/11/17 8:49 AM, Philip Balister wrote:
> The question of security comes up at every OpenEmbedded developer
> meeting. Clearly, the companies building products with OpenEmbedded care
> about security.
> 
> The problem following the CVE's direct is you need to do analysis to
> determine if a specific release has the vulnerability.
> 
> We do have guidelines for marking CVE's addressed by commits, to help
> people interested in developing tools to show what CVE's are addressed
> in the meta data.
> 
> One suggestion made is to setup some form of git hook to email commits
> with CVE tags to the security list. We are very interested in
> encouraging people who care about security to use the security mailing
> list to improve overall security of distributions (like Poky) built with
> OpenEmbedded.

We started looking into having a git hook that would email the list whenever a
commit (with the CVE tag in it) was present, but with holidays (and other work
items I had), this of course dropped lower in the priority list.

I do think this is the only reasonable way to do this.  Use an individual
branch's commit information to discover what is fixed.

If it's not listed as fixed, it is the user's responsibility to understand if they
are vulnerable, deal with the vulnerability and (hopefully) send the patch to
the mailing lists so others can benefit from it.

(Speaking as a commercial OSV for a second)  The latest step of triage, fix and
send -- as well as announcing to customers and documenting things that are NOT
vulnerable are all services we provide.  I would expect any commercial OSV to
provide a similar service for their customers.  This is certainly a 'value-add'
that we do above and beyond the open source community.

This really is an 'above and beyond' request for the community.  The community
only cares about what HAS been fixed and the in-progress development release.
Anything beyond that is best effort, and the Yocto Project compliance guidelines
(and related process, encouraging contributions) helps keep commercial OSVs (who
do this work anyway) involved with keeping the community up to date.

--Mark

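The "make 'git log' your personal security alert" approach Alex suggested earlier in the thread, and the hook that mails CVE-tagged commits which Philip and Mark describe, come down to the same scan over commit messages on a release branch. Below is an added example written for this page; it is not code from the Yocto Project, OpenEmbedded or anyone in the thread. It assumes two conventions the thread does not spell out: that a commit fixing a CVE carries a trailer line of the form "CVE: CVE-YYYY-NNNN" (one or more ids), and that a plain recipe version bump has a subject like "recipe: upgrade 1.2 -> 1.3". The log records it parses are constructed for the example, with placeholder shas and CVE ids. It also flags untagged version bumps for manual review, which is the gap Alex points out: a fix that arrives through an upstream version update carries no CVE tag, so a tag-only scan would miss it.

```python
"""Turn 'git log' on a release branch into a CVE alert list.

Added example for this thread; not code from the Yocto Project, OpenEmbedded
or any participant.  Assumed conventions (not stated on the page): a commit
that fixes a CVE carries a trailer 'CVE: CVE-YYYY-NNNN' (one or more ids),
and an untagged version bump has a subject like 'recipe: upgrade 1.2 -> 1.3'.
"""
import re
import subprocess
from collections import defaultdict

# Records are NUL-separated so multi-line bodies cannot confuse the parser:
#   git log --format='%H%n%s%n%b%x00' <old>..<new>
LOG_FORMAT = "%H%n%s%n%b%x00"
RECORD_SEP = "\x00"

CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Subject of a recipe version bump (heuristic; assumed convention).
VERSION_BUMP_RE = re.compile(
    r"^(?P<recipe>[A-Za-z0-9._+-]+):\s*(?:upgrade|update|bump)\b", re.IGNORECASE
)


def read_git_log(rev_range, repo="."):
    """Return raw log text for rev_range (e.g. 'ORIG_HEAD..HEAD') from repo."""
    return subprocess.check_output(
        ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range], text=True
    )


def parse_log(log_text):
    """Split NUL-separated records into (sha, subject, body) tuples."""
    commits = []
    for rec in log_text.split(RECORD_SEP):
        rec = rec.strip("\n")
        if not rec:
            continue
        lines = rec.split("\n")
        subject = lines[1].strip() if len(lines) > 1 else ""
        commits.append((lines[0].strip(), subject, "\n".join(lines[2:])))
    return commits


def cves_claimed(body):
    """CVE ids from 'CVE:' trailer lines only.

    An id merely mentioned in prose is not a claimed fix and is ignored.
    """
    ids = set()
    for line in body.splitlines():
        if line.strip().startswith("CVE:"):
            ids.update(CVE_ID_RE.findall(line))
    return ids


def scan(log_text):
    """Return (fixed, bumps).

    fixed: CVE id -> [(short sha, subject)] of commits claiming to fix it.
    bumps: [(short sha, recipe, subject)] for version bumps with no CVE tag;
           these may silently fix CVEs and need a look at the upstream changelog.
    """
    fixed = defaultdict(list)
    bumps = []
    for sha, subject, body in parse_log(log_text):
        ids = cves_claimed(body)
        if ids:
            for cve in sorted(ids):
                fixed[cve].append((sha[:12], subject))
            continue
        m = VERSION_BUMP_RE.match(subject)
        if m:
            bumps.append((sha[:12], m.group("recipe"), subject))
    return dict(fixed), bumps


def alert_report(log_text, already_seen=frozenset()):
    """Lines for an alert mail; 'already_seen' suppresses ids reported before."""
    fixed, bumps = scan(log_text)
    out = []
    for cve in sorted(set(fixed) - set(already_seen)):
        for sha, subject in fixed[cve]:
            out.append(f"FIXED   {cve:<16} {sha} {subject}")
    for sha, recipe, subject in bumps:
        out.append(f"REVIEW  {'version bump':<16} {sha} {subject}")
    return "\n".join(out)


# Constructed sample log: placeholder shas and CVE ids, not real commits.
SAMPLE_LOG = (
    "a1b2c3d4e5f6071829a3b4c5d6e7f80912345678\n"
    "openssl: fix CVE-2017-1001\n\n"
    "Backport of the upstream fix.\n\n"
    "CVE: CVE-2017-1001\n"
    "Signed-off-by: Example Dev <dev@example.invalid>\n\x00"
    "b2c3d4e5f6071829a3b4c5d6e7f80912345678a1\n"
    "curl: upgrade 7.51.0 -> 7.52.1\n\n"
    "Drop backported patches now included upstream.\n\x00"
    "c3d4e5f6071829a3b4c5d6e7f80912345678a1b2\n"
    "zlib: fix two CVEs\n\n"
    "CVE: CVE-2017-1002 CVE-2017-1003\n\x00"
    "d4e5f6071829a3b4c5d6e7f80912345678a1b2c3\n"
    "bitbake: fix typo in documentation\n\n"
    "Mentions CVE-2017-1001 in passing only; not a fix.\n\x00"
)

if __name__ == "__main__":
    print(alert_report(SAMPLE_LOG))
```

Run from cron after a "git pull" on the release branch with read_git_log("ORIG_HEAD..HEAD"), or from a post-receive hook with the old..new range it is given, and mail the report when it is non-empty. The REVIEW lines are the part Alex's caveat is about: they do not say a CVE was fixed, only that a recipe moved to a new upstream version, which is where untagged fixes hide.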
