From: Teppei Fukuda
Date: Sun, 11 Aug 2019 14:29:50 -1000
Subject: Re: Security Issues in Redmine
To: Natanael Copa
Cc: Carlo Landmeter, ~alpine/devel@lists.alpinelinux.org

Hi Copa,

My apologies for continuing to ask you questions, but I have one more question.

When I've been following the recent security-related commits of alpine/aports, I've noticed that you always write secfixes comments even if they were not backported fixes. Was this defined as a rule?

As I mentioned before, I hope that security advisories of Alpine will be provided. So I would like to help if I can do anything. I know you are so busy. I would appreciate it if I could discuss this with you when you have time.

Best regards,
Teppei

On Tue, 23 Jul 2019 at 16:56, Teppei Fukuda wrote:
>
> Hi Copa,
>
> I appreciate your polite explanation. I understand.
>
> Currently, my program collects the following data:
> 1. the secfixes comments in APKBUILD
> 2. alpine-secdb (maybe the same as above)
> 3. the security tickets of Redmine (will be replaced with the issues of GitLab)
> 4. git diff APKBUILD (only commits related with the above issues)
>
> I think we can generate the security advisories by checking all git
> log like No. 4. For example, the following commit fixes
> CVE-2019-13636.
> https://github.com/alpinelinux/aports/pull/9642/files
>
> Watching this diff of main/patch/APKBUILD, we can detect the version
> update from 2.7.6-r4 to 2.7.6-r5. This is my source code doing it.
> https://github.com/knqyf263/vuln-list-update/blob/d8aefa60155637561a8a2d3feb486bbb675c996c/alpine/alpine.go#L404-L450
>
> I know this way is not perfect. There may be false positives/negatives.
> However, this process can be automated and the maintenance cost is
> low. It may be a good way as a first step of the security advisory. It
> is better if the format of the commit message is fixed. e.g.
> [os_version] pkgname: fix CVE-ID.
>
> I want the security database of Alpine strongly and can help you in
> the task of investigating it and writing an automation program. But
> it is difficult to do manual operations (e.g. continuing to fill in the
> security information manually).
>
> Best,
> Teppei
>
> On Tue, 23 Jul 2019 at 18:18, Natanael Copa wrote:
> >
> > On Tue, 23 Jul 2019 17:54:40 +0900
> > Teppei Fukuda wrote:
> >
> > > Hi Carlo,
> > >
> > > Yes, it is. However, alpine-secdb is a database of backported fixes as
> > > the README says.
> > > > It is not a complete database of all security issues in Alpine.
> > >
> > > I need a complete database of all security issues.
> >
> > We currently don't have that. I do think we have much or maybe even
> > most of the needed data, but it's spread.
> >
> > We need someone who can figure out the pieces that are missing and find
> > a way to collect and store it in a way that makes it as simple as
> > possible to fix and roll out fixes.
> >
> > We could for example use the secfixes comments in APKBUILD and data
> > from gitlab issues and generate a database from that, and have someone
> > fill in the missing data, or we could turn it around, have someone
> > collect all the data in a database and generate issues from that and
> > maybe automatically add secfixes comments from it.
> >
> > But we need someone who can investigate and come up with a good plan.
> >
> > -nc
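The thread's data source No. 1 (secfixes comments in APKBUILD) and Natanael's suggestion of generating a database from them can be illustrated with a small parser. This is an added example, not code from vuln-list-update or aports; it assumes the secfixes block layout shown in the constructed sample, and the second CVE id in the sample is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Advisory links a CVE to the first package version that fixes it.
type Advisory struct{ Pkg, Version, CVE string }
// Constructed sample APKBUILD, not a real aports file; the second CVE id is a placeholder.
// Assumed layout: "# secfixes:" / "#   <pkgver>-r<pkgrel>:" / "#     - <CVE>".
const sampleAPKBUILD = `pkgname=patch
pkgver=2.7.6
pkgrel=5
# secfixes:
#   2.7.6-r5:
#     - CVE-2019-13636
#   2.7.6-r4:
#     - CVE-0000-00001
build() { :; }
`
var (
	verRe = regexp.MustCompile(`^#\s+(\S+):\s*$`)
	cveRe = regexp.MustCompile(`^#\s+-\s+(CVE-\d{4}-\d{4,})\s*$`)
)
// ParseSecfixes returns one Advisory per CVE under "# secfixes:"; the block ends at the
// first non-comment line, and CVE lines that precede any version heading are skipped.
func ParseSecfixes(pkg, apkbuild string) []Advisory {
	var out []Advisory
	inBlock, ver := false, ""
	for _, line := range strings.Split(apkbuild, "\n") {
		switch {
		case strings.HasPrefix(line, "# secfixes:"):
			inBlock = true
		case inBlock && !strings.HasPrefix(line, "#"):
			inBlock = false
		case inBlock:
			if m := verRe.FindStringSubmatch(line); m != nil {
				ver = m[1]
			} else if m := cveRe.FindStringSubmatch(line); m != nil && ver != "" {
				out = append(out, Advisory{Pkg: pkg, Version: ver, CVE: m[1]})
			}
		}
	}
	return out
}
func main() {
	for _, a := range ParseSecfixes("patch", sampleAPKBUILD) {
		fmt.Println(a.Pkg, a.Version, a.CVE)
	}
}
```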