Date: Wed, 14 Aug 2019 23:01:25 +0200
From: Natanael Copa
To: Teppei Fukuda
Cc: Carlo Landmeter, ~alpine/devel@lists.alpinelinux.org
Subject: Re: Security Issues in Redmine
Message-ID: <20190814230125.62d8de16@ncopa-desktop.copa.dup.pw>
In-Reply-To:
References: <20190723091240.733103de@ncopa-desktop.copa.dup.pw>
 <20190723111532.5a18f982@ncopa-desktop.copa.dup.pw>

Hi,

On Sun, 11 Aug 2019 14:29:50 -1000
Teppei Fukuda wrote:

> Hi Copa,
>
> My apologies for keeping on asking you questions, but I have one more question.
>
> When I've been following the recent security related commits of
> alpine/aports, I've noticed that you always write secfixes comments
> even if they were not backported fixes. Was this defined as a rule?

No, it was never an expressed or documented rule or request or anything.
The community has just filled in the secfixes data, so it seems that is
the direction things are "naturally" going.

We have recently also moved to gitlab and have tried various ways to
report the issues.
Gitlab has made things simpler, for example we are now using one issue
with a tasklist of affected branches. We have also started to add the
commit data where the issue is fixed. This seems to work relatively well,
and combined with the secfixes data this is a good step forward to an
advisory program.

> As I mentioned before, I hope that security advisories of Alpine will
> be provided. So I would like to help if I can do anything.

Can you please have a look at the recent security fixes in gitlab and
see what you think, and what we could do differently.

https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&utf8=%E2%9C%93&state=closed&label_name[]=Security

I specifically wonder how to report multiple CVEs that affect different
branches. See for example
https://gitlab.alpinelinux.org/alpine/aports/issues/10699

Do you think that tracking the security data in secfixes comments in
APKBUILDs and the reported security issues in gitlab is sufficient?

We could probably also start to report the issues that we have fixed
already, with the commit with the fix.

>
> I know you are so busy. It would be appreciated if I discuss this with
> you when you have time.

Would you like to have a video conference meeting?

-nc

>
> Best regards,
> Teppei
>
> On Tue, 23 Jul 2019 16:56, Teppei Fukuda wrote:
> >
> > Hi Copa,
> >
> > I appreciate your polite explanation. I understand.
> >
> > Currently, my program collects the following data:
> > 1. the secfixes comments in APKBUILD
> > 2. alpine-secdb (maybe the same as above)
> > 3. the security tickets of Redmine (will be replaced with the
> >    issues of GitLab)
> > 4. git diff APKBUILD (only commits related with the above issues)
> >
> > I think we can generate the security advisories by checking all git
> > log like No. 4. For example, the following commit fixes
> > CVE-2019-13636.
> > https://github.com/alpinelinux/aports/pull/9642/files
> >
> > Watching this diff of main/patch/APKBUILD, we can detect the version
> > update from 2.7.6-r4 to 2.7.6-r5. This is my source code doing it.
> > https://github.com/knqyf263/vuln-list-update/blob/d8aefa60155637561a8a2d3feb486bbb675c996c/alpine/alpine.go#L404-L450
> >
> > I know this way is not perfect. There may be false
> > positives/negatives. However, this process can be automated and the
> > maintenance cost is low. It may be a good way as a first step of
> > the security advisory. It is better if the format of the commit
> > message is fixed, e.g. [os_version] pkgname: fix CVE-ID.
> >
> > I want the security database of Alpine strongly and can help you in
> > the task of investigating it and writing an automation program. But
> > it is difficult to do manual operation (e.g. I continue to fill in the
> > security information manually).
> >
> > Best,
> > Teppei
> >
> > On Tue, 23 Jul 2019 18:18, Natanael Copa wrote:
> > >
> > > On Tue, 23 Jul 2019 17:54:40 +0900
> > > Teppei Fukuda wrote:
> > >
> > > > Hi Carlo,
> > > >
> > > > Yes, it is. However, alpine-secdb is a database of backported
> > > > fixes, as the README says.
> > > > > It is not a complete database of all security issues in
> > > > > Alpine.
> > > >
> > > > I need a complete database of all security issues.
> > >
> > > We currently don't have that. I do think we have much or maybe
> > > even most of the needed data, but it's spread.
> > >
> > > We need someone who can figure out the pieces that are missing and
> > > find a way to collect and store it in a way that makes it as
> > > simple as possible to fix and roll out fixes.
> > >
> > > We could for example use the secfixes comments in APKBUILD and
> > > data from gitlab issues and generate a database from that, and
> > > have someone fill in the missing data, or we could turn it
> > > around, have someone collect all the data in a database and
> > > generate issues from that and maybe automatically add secfixes
> > > comments from it.
> > >
> > > But we need someone who can investigate and come up with a good
> > > plan.
> > >
> > > -nc
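As an added example that is not part of the thread and not Teppei's vuln-list-update code, a sketch of the automation the quoted messages describe: read the secfixes comment block from an APKBUILD, detect the pkgver/pkgrel bump between two revisions of the file, and emit the CVEs that bump fixes. The secfixes comment layout and the before/after APKBUILD fragments are assumptions and constructed samples (CVE-0000-0001 is a placeholder).

```python
import re
# Added example, not code from the thread or from vuln-list-update. It joins two
# data sources Teppei lists: the "# secfixes:" comment block of an APKBUILD and
# the pkgver/pkgrel bump seen in a git diff of that file. Assumed layout:
#   # secfixes:
#   #   <pkgver>-r<pkgrel>:
#   #     - CVE-YYYY-NNNN
SECFIX_VERSION = re.compile(r"^#\s+(\S+):\s*$")
SECFIX_ENTRY = re.compile(r"^#\s+-\s+(CVE-\d{4}-\d{4,})\b")
VAR_ASSIGN = re.compile(r"^(pkgname|pkgver|pkgrel)=(\S+)")

def parse_apkbuild(text):
    """Return (pkgname, '<pkgver>-r<pkgrel>', {version: [CVE, ...]})."""
    vars_, secfixes, current, in_block = {}, {}, None, False
    for line in text.splitlines():
        var, ver, cve = VAR_ASSIGN.match(line), SECFIX_VERSION.match(line), SECFIX_ENTRY.match(line)
        if var:
            vars_[var.group(1)] = var.group(2)
        elif line.strip() == "# secfixes:":
            in_block = True
        elif in_block and not line.startswith("#"):
            in_block = False  # block ends at the first non-comment line
        elif in_block and ver:
            current = ver.group(1)
            secfixes.setdefault(current, [])
        elif in_block and current and cve:
            secfixes[current].append(cve.group(1))
    return vars_["pkgname"], "%s-r%s" % (vars_["pkgver"], vars_["pkgrel"]), secfixes

def advisory_from_diff(old_text, new_text):
    """CVEs first listed under the new version when a commit bumps pkgver/pkgrel."""
    name, old_ver, old_fixes = parse_apkbuild(old_text)
    _, new_ver, new_fixes = parse_apkbuild(new_text)
    if old_ver == new_ver:
        return None  # no version bump: nothing was released, so no advisory
    known = {c for cves in old_fixes.values() for c in cves}
    cves = sorted(c for c in new_fixes.get(new_ver, []) if c not in known)
    return {"pkgname": name, "fixed_version": new_ver, "cves": cves}

# Constructed before/after APKBUILD fragments modelled on the main/patch
# 2.7.6-r4 -> 2.7.6-r5 bump from the thread; CVE-0000-0001 is a placeholder.
OLD_APKBUILD = """\
pkgname=patch
pkgver=2.7.6
pkgrel=4
# secfixes:
#   2.7.6-r3:
#     - CVE-0000-0001
"""
NEW_APKBUILD = OLD_APKBUILD.replace("pkgrel=4", "pkgrel=5").replace(
    "# secfixes:\n", "# secfixes:\n#   2.7.6-r5:\n#     - CVE-2019-13636\n")
```

Running `advisory_from_diff(OLD_APKBUILD, NEW_APKBUILD)` yields the one CVE the r5 bump introduces; a diff that touches no pkgver/pkgrel yields no advisory.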