
Re: Guidance for CVE triage and listing packages in dla-needed.txt



Hi Roberto

> I tried re-reading your previous email several times and I am still not
> able to figure out what you are trying to demonstrate by your counting.
> If the conclusion is as you have it above, "We clearly do not fix all
> no-dsa in any case," then I agree.

Yes, that was what I wanted to demonstrate. Or in fact not entirely.
The counting was there to make us able to draw some conclusions, and
the conclusion I drew was that we clearly do not fix all no-dsa or
postponed. I wanted you to see the data so you could draw your own
conclusions and not rely on mine entirely.
More on this below where I try to give the full context.

> But I don't see what significant
> bearing that has on this discussion.

You asked me what constitutes a minor issue and my conclusion was that
we do not have a definition. At least I cannot find any written
definition anywhere.
The conclusion I could make was that it constitutes a decision that it
is not worth fixing (at least not immediately) the CVE.
So then I tried to figure out what defines that and I honestly cannot
tell (with a precise written definition). It is a rather random
decision. Or maybe not random but it depends on a lot of things
including things like the state of the package in the first place. It
is a judgement call every time, and people have made very different
judgements and hence from outside it looks random.

I had also found that there is this severity level definition, and
thought we could use that to "draw the line" between what is worth
fixing and what is not. But to do that I needed to know how large a
portion of the CVEs we have that we could reasonably fix with the kind
of budget and velocity we have.

Therefore I tried to figure out from our CVE database what a
reasonable level of "fixing" would be and so I started counting.
Just to figure out if it is reasonable to fix all unimportant or not,
whether it is worth fixing "low" or not or some other level.
To make sure we focus on the important security problems and not
things that are not a problem in practice.
I think it is important that we fix the high severity problems swiftly
and if we focus too much on low severity problems we may not be able
to do that. Or at least that is a worry on my part.

It was not meant as a precise art, it was meant to give some ballpark
figure to make a judgement on what is reasonable to fix.

I hope this explains why it has bearing on the discussion.
But if it does not matter, I think we can skip whatever bug we may
have in the data collection. :-) Well, we can skip it anyway because I
think we have already agreed on the conclusion on that part.

I still do not have a written definition, of what is a minor issue, to
refer to. Therefore I do not think we have a conclusion on when we
should fix something, when we should decide to wait, or when to simply let
the CVE rot in postponed or no-dsa forever.

There are some things that are clear though.
- High severity problems should be fixed with speed. That is clear. I
think all agree on that.
- Medium severity problems should also be fixed eventually. I think
that is also clear. But also here there are levels. I'm not clear on
whether they should be postponed or put to dla-needed, for example.
There are many no-dsa issues (as marked by the Debian Security team)
to re-assess.
- Low severity problems are also not clear to me. I think most agree
that we can fix them if we have nothing else to do. But should they be
postponed and/or put to dla-needed?
- I think it is clear that we do not intend to fix unimportant issues.

And the precise definition of the above seems to be something we can
discuss as well. Especially on the level of confidence we should have.

Cheers

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
