Date: Tue, 23 Jul 2019 10:54:32 +0200
From: Natanael Copa
To: Teppei Fukuda
Cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: Security Issues in Redmine
Message-ID: <20190723105432.5eb45cbe@ncopa-desktop.copa.dup.pw>
References: <20190723091240.733103de@ncopa-desktop.copa.dup.pw>

On Tue, 23 Jul 2019 16:42:43 +0900
Teppei Fukuda wrote:

> Hi Copa,
>
> Thank you for the quick response! I will watch the issues of the
> aports repository.
>
> By the way, I developed the crawler to save the vulnerability
> information of Alpine in JSON format like the following.
> Data: https://github.com/knqyf263/vuln-list/tree/master/alpine
> Program: https://github.com/knqyf263/vuln-list-update/tree/master/alpine

Oh, nice!

> Do you have a plan to provide the vulnerability information in a
> parsable format (JSON, YAML, etc.) officially? Or, as I have already
> developed the program, is there anything I can help with?
Short answer:

- we have someone who helps us report unfixed issues
- we lack someone who retroactively reports fixed things
- we want to make it as simple as possible for those who actually fix
  things (eg, we don't want those people to do heavy manual work to be
  able to push fixes)
- we want things to be automated as much as possible

Longer answer:

We are definitely interested in an advisory program, and we have
talked about it. The main problem so far is that we don't have the
needed manpower (yet).

The most important thing is to actually fix the issues. We do have a
working system to detect and make sure unfixed issues get fixed.

The next step is to announce this in one way or the other. This we
don't have in place yet. It was possible to follow using atoms in
redmine or similar. We haven't worked out 100% how to do this in
gitlab yet.

But keep in mind that the reason those issues are reported in our
bugtracker is to make sure they are fixed, not to let people know that
they need to update. This means that if someone does an update that
happens to include a security fix, we may not bother to file an issue
for it afterwards. So you will not see all issues by following gitlab
(it was the same with redmine).

We do try to record which version fixes CVE issues, and to make that
simple we do that as comments in the APKBUILDs. Those are formatted as
yaml, so it is possible to extract that information. We do that with
alpine-secdb (https://git.alpinelinux.org/alpine-secdb). This is still
a manual process, and should be automated.

Note that alpine-secdb was created because there are 3rd party
security scanners that detect open source components and their version
number, compare that to a CVE database and flag vulnerable versions.
Those scanners do not detect when we backport patches. So we use this
as a whitelist for such scanners. This means that this list is not
necessarily complete either.
I would like to combine the data we have and have some sort of
advisory program. It would be great if someone could help with this.

Thanks!

-nc

>
> Thanks,
> Teppei
>
> 2019-07-23 (Tue) 16:12 Natanael Copa:
> >
> > Hi Teppei!
> >
> > On Tue, 23 Jul 2019 15:51:28 +0900
> > Teppei Fukuda wrote:
> >
> > > Hi
> > >
> > > I've watched the security related issues in Redmine.
> > > https://bugs.alpinelinux.org/projects/alpine/issues
> > >
> > > I saw the following announcement.
> > > "Migration from Redmine to GitLab"
> > > https://lists.alpinelinux.org/~alpine/devel/%20%3CCA+cSEmPRYLv45t4+z-BsRBHyV5M0c2BisPFrjNDmUtPd28Mm_w%40mail.gmail.com%3E
> > >
> > > Currently, where should we watch to know the security issues? Is it below?
> > > https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&utf8=%E2%9C%93&state=all&label_name[]=Security
> >
> > Yes, this is the current way to find the security issues. As you
> > understand we are still trying to work out all details. We are open to
> > ideas how to make it better.
> >
> > Thanks!
> >
> > >
> > > Best regards,
> > > Teppei Fukuda (@knqyf263)
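As an added example (not code from this thread, from alpine-secdb or from vuln-list-update), the following Python script extracts the YAML-in-comments fix record the reply describes from an APKBUILD and emits it as JSON, plus the CVE-to-fixed-version index a scanner needs to avoid flagging backported fixes. The sample APKBUILD is constructed, and the `# secfixes:` key, the two-space version indent and the four-space CVE list indent are assumed to follow the aports convention.

```python
import json
import re

# Constructed sample APKBUILD (not a real aports package) with a "# secfixes:" block.
SAMPLE_APKBUILD = """\
pkgname=examplepkg
pkgver=2.4.1
# secfixes:
#   2.4.1-r0:
#     - CVE-2019-0001
#     - CVE-2019-0002
#   2.3.0-r1:
#     - CVE-2018-0003
source="$pkgname-$pkgver.tar.gz"
"""

_VERSION_RE = re.compile(r"^  (\S+):\s*$")              # "  2.4.1-r0:"
_CVE_RE = re.compile(r"^    - (CVE-\d{4}-\d{4,})\s*$")  # "    - CVE-2019-0001"


def parse_secfixes(apkbuild: str) -> dict:
    """Return {fixed_version: [CVE, ...]} from the secfixes comment block."""
    fixes, current, in_block = {}, None, False
    for raw in apkbuild.splitlines():
        if not raw.startswith("#"):
            if in_block:
                break  # the block is contiguous: the first shell line ends it
            continue
        line = raw[2:] if raw.startswith("# ") else raw[1:]  # keep YAML indent
        vm, cm = _VERSION_RE.match(line), _CVE_RE.match(line)
        if line.strip() == "secfixes:":
            in_block = True
        elif not in_block:
            continue
        elif vm:
            current = vm.group(1)
            fixes.setdefault(current, [])
        elif cm and current is not None:
            fixes[current].append(cm.group(1))
    return fixes

def cve_index(fixes: dict) -> dict:
    """Invert to {CVE: fixed_version}, the lookup a scanner needs to skip backports."""
    return {cve: ver for ver, cves in fixes.items() for cve in cves}

def to_json(apkbuild: str) -> str:
    """One package record as JSON; the shape is this example's, not alpine-secdb's."""
    m = re.search(r"^pkgname=(\S+)$", apkbuild, re.M)
    return json.dumps({"pkg": m.group(1) if m else "",
                       "secfixes": parse_secfixes(apkbuild)}, indent=2)
```

Comparing an installed version against the fixed version still needs apk's own version ordering, which this script deliberately does not attempt.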