From: Teppei Fukuda
Date: Sat, 17 Aug 2019 16:29:00 -1000
Subject: Re: Security Issues in Redmine
To: Natanael Copa
Cc: Carlo Landmeter, ~alpine/devel@lists.alpinelinux.org

Hi Copa,

Thank you for the kind response. I looked over all recent commits.

I think the reported security issues in GitLab are sufficient as a first step.
Of course, there are many better ways, such as preparing a system for
vulnerability management. However, it is hard to maintain. I believe the most
important thing is sustainability.

For maintainers, it should be easier to just write markdown for Issue/PR.
Therefore, I think it is enough to parse markdown and generate security
advisories.

We need to fix the format of the security issues. The GitLab "description
templates" may be a good idea to fix the format.
https://docs.gitlab.com/ee/user/project/description_templates.html

If possible, let's have a video meeting!

Best regards,
Teppei

Aug 14, 2019 (Wed) 11:01 Natanael Copa :
>
> Hi,
>
> On Sun, 11 Aug 2019 14:29:50 -1000
> Teppei Fukuda wrote:
>
> > Hi Copa,
> >
> > My apologies for keeping asking you questions, but I have one more question.
> >
> > When I've been following the recent security related commits of
> > alpine/aports, I've noticed that you always write a secfixes comment
> > even if they were not backported fixes. Was this defined as a rule?
>
> No, it was never an expressed or documented rule or request or
> anything. The community have just filled in the secfixes data, so it
> seems that is the direction things are "naturally" going.
>
> We have recently also moved to gitlab and have tried various ways to
> report the issues. Gitlab has made things simpler, for example we are
> now using one issue with a tasklist of affected branches. We have also
> started to add the commit data where the issue is fixed. This seems to
> work relatively well and combined with the secfixes data, this is a
> good step forward to an advisory program.
>
> > As I mentioned before, I hope that security advisories of Alpine will
> > be provided. So I would like to help if I can do anything.
>
> Can you please have a look at the recent security fixes in gitlab and
> see what you think, and what we could do differently.
> https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&utf8=%E2%9C%93&state=closed&label_name[]=Security
>
> I specifically wonder how to report multiple CVEs that affect different
> branches. See for example
> https://gitlab.alpinelinux.org/alpine/aports/issues/10699
>
> Do you think that tracking the security data in secfixes comments in
> APKBUILDs and the reported security issues in gitlab is sufficient? We
> could probably also start to report the issues that we have fixed already,
> with the commit with the fix.
>
> > I know you are so busy. It would be appreciated if I discuss this with
> > you when you have time.
>
> Would you like to have a video conference meeting?
>
> -nc
>
> > Best regards,
> > Teppei
> >
> > Jul 23, 2019 (Tue) 16:56 Teppei Fukuda :
> > >
> > > Hi Copa,
> > >
> > > I appreciate your polite explanation. I understand.
> > >
> > > Currently, my program collects the following data:
> > > 1. the secfixes comments in APKBUILD
> > > 2. alpine-secdb (maybe the same as above)
> > > 3. the security tickets of Redmine (will be replaced with the issues of GitLab)
> > > 4. git diff APKBUILD (only commits related with the above issues)
> > >
> > > I think we can generate the security advisories by checking all git
> > > log like No. 4. For example, the following commit fixes CVE-2019-13636.
> > > https://github.com/alpinelinux/aports/pull/9642/files
> > >
> > > Watching this diff of main/patch/APKBUILD, we can detect the version
> > > update from 2.7.6-r4 to 2.7.6-r5. This is my source code doing it.
> > > https://github.com/knqyf263/vuln-list-update/blob/d8aefa60155637561a8a2d3feb486bbb675c996c/alpine/alpine.go#L404-L450
> > >
> > > I know this way is not perfect. There may be false positives/negatives.
> > > However, this process can be automated and the maintenance cost is low.
> > > It may be a good way as a first step of the security advisory. It is
> > > better if the format of the commit message is fixed, e.g. [os_version] pkgname: fix CVE-ID.
> > >
> > > I want the security database of Alpine strongly and can help you in
> > > the task of investigating it and writing an automation program. But
> > > it is difficult to do manual operation (e.g. I continue to fill the
> > > security information manually).
> > >
> > > Best,
> > > Teppei
> > >
> > > Jul 23, 2019 (Tue) 18:18 Natanael Copa :
> > > >
> > > > On Tue, 23 Jul 2019 17:54:40 +0900
> > > > Teppei Fukuda wrote:
> > > >
> > > > > Hi Carlo,
> > > > >
> > > > > Yes, it is. However, alpine-secdb is a database of backported
> > > > > fixes, as the README says.
> > > > > > It is not a complete database of all security issues in Alpine.
> > > > >
> > > > > I need a complete database of all security issues.
> > > >
> > > > We currently don't have that. I do think we have much or maybe
> > > > even most of the needed data, but it's spread.
> > > >
> > > > We need someone who can figure out the pieces that are missing and
> > > > find a way to collect and store it in a way that makes it as
> > > > simple as possible to fix and roll out fixes.
> > > >
> > > > We could for example use the secfixes comments in APKBUILD and
> > > > data from gitlab issues and generate a database from that, and
> > > > have someone fill in the missing data, or we could turn it
> > > > around, have someone collect all the data in a database and
> > > > generate issues from that and maybe automatically add secfixes
> > > > comments from it.
> > > >
> > > > But we need someone who can investigate and come up with a good
> > > > plan.
> > > >
> > > > -nc
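The collection approach Teppei describes in the quoted mail (secfixes comments in APKBUILD, plus a version bump detected from the APKBUILD diff) as an added Python example; this is not code from the thread or from vuln-list-update. The APKBUILD fragment and diff hunk are constructed around the main/patch 2.7.6-r4 to 2.7.6-r5 case from the thread, and the second CVE id in the fragment is a placeholder.

```python
import re
# Constructed APKBUILD fragment in Alpine's "# secfixes:" comment format;
# 2.7.6-r5 / CVE-2019-13636 are from the thread, the r4 entry is a placeholder.
SAMPLE_APKBUILD = """pkgver=2.7.6
pkgrel=5
# secfixes:
#   2.7.6-r5:
#     - CVE-2019-13636
#   2.7.6-r4:
#     - CVE-0000-0001
"""
# Constructed diff hunk of that APKBUILD (the hypothetical pkgrel bump).
SAMPLE_DIFF = "@@ -1,2 +1,2 @@\n pkgver=2.7.6\n-pkgrel=4\n+pkgrel=5\n"
VAR_LINE = re.compile(r"^([-+ ])(pkgver|pkgrel)=(\S+)$")


def parse_secfixes(apkbuild):
    """Map each 'pkgver-rN' key of the secfixes block to its CVE ids."""
    out, cur, in_block = {}, None, False
    for line in apkbuild.splitlines():
        if not line.startswith("#"):
            in_block = False  # the block ends at the first non-comment line
            continue
        body = line[1:].strip()
        if body == "secfixes:":
            in_block = True
        elif in_block and body.endswith(":"):
            cur = body[:-1]  # a version key such as "2.7.6-r5"
        elif in_block and body.startswith("- "):
            out.setdefault(cur, []).append(body[2:])
    return out


def version_bump(diff):
    """Return (old, new) 'pkgver-rN' from a unified diff of an APKBUILD;
    context lines count for both sides, '-' lines for old, '+' lines for new."""
    old, new = {}, {}
    for m in filter(None, map(VAR_LINE.match, diff.splitlines())):
        sign, key, val = m.groups()
        if sign != "+":
            old[key] = val
        if sign != "-":
            new[key] = val
    return tuple(f"{d.get('pkgver')}-r{d.get('pkgrel')}" for d in (old, new))


def fixed_cves(apkbuild, diff):
    """Cross-check the diff's new version against the secfixes block."""
    old, new = version_bump(diff)
    if old == new:
        return []  # no version change, nothing to report
    return parse_secfixes(apkbuild).get(new, [])
```

A commit that bumps the version without a matching secfixes entry yields an empty list, which is exactly the false-negative case the mail warns about and the reason the two data sources are cross-checked rather than trusted alone.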