Received: from mail-40135.protonmail.ch (mail-40135.protonmail.ch [185.70.40.135]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 7CB8278198D for <~alpine/devel@lists.alpinelinux.org>; Sun, 18 Aug 2019 12:58:32 +0000 (UTC) Date: Sun, 18 Aug 2019 12:58:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1566133110; bh=PEAt2QFwMp/eiHcq5neex/WUL5ukYXfHxuD6GyjlpXw=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=dPmNMoHY+VtUYV/BQcO/hC5ia3HSIj9YF8GhJEE8s3T5cpiLR5ZdGsOA/WzcevVjb zzUSR4zJeCbhgkHWWf9I8lZaIbJtZqLkknr1m4NxaoHFCscLC3WI3FH7sabGYQzo/x QohTptAfkbo1VpMvL4B8dkePmdyP1T/nJ0mE1010= To: Teppei Fukuda From: ecsx Cc: Natanael Copa , Carlo Landmeter , "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org> Reply-To: ecsx Subject: Re: Security Issues in Redmine Message-ID: =?utf-8?q?=3CCVtiaH-LQ2HdI6J=5F8xJh3vs46ri=5Fwe6ioCYxTg7CIFs?= =?utf-8?q?q3nMHiU=5F=5FYEBdWgNFI=5FSOX=5Fbj0y84fGA2cKDQRDrFTPmFn8IRgsQVxj?= =?utf-8?q?2F74I2hOQ=3D=40protonmail=2Ecom=3E?= In-Reply-To: References: <20190723091240.733103de@ncopa-desktop.copa.dup.pw> <20190723111532.5a18f982@ncopa-desktop.copa.dup.pw> <20190814230125.62d8de16@ncopa-desktop.copa.dup.pw> Feedback-ID: =?utf-8?q?rfqEyWCqWp1raYnSrQM7wRmLaD8V0x-8nfFhjPo0Xf4EctzPnMsu1?= =?utf-8?q?XXI2RUPT3HPiFWcIJFwPnnZyvTgi9-DmQ=3D=3D=3AExt=3AProtonMail?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.2 required=7.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,FREEMAIL_REPLYTO autolearn=no autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.protonmail.ch Speaking only about aesthetics here, but for me having APKBUILD with lots o= f CVE comments is not welcoming and make it harder to read. Especially pack= aged with lots of vulns. Detaching the CVE list from the APKBUILD itself could do wonders for readab= ility. =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me= ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 On Saturday, August 17, 2019 11:29 PM, Teppei Fukuda w= rote: > Hi Copa, > > Thank you for the kind response. > > I looked over all recent commits. I think the reported security issues > in GitLab is sufficient as a first step. Of course, there are many > better ways such as preparing a system for vulnerability management. > However, it is hard to maintain. I believe the most important thing is > sustainability. > > For maintainers, it should be easier to just write markdown for > Issue/PR. Therefore, I think it is enough to parse markdown and > generate security advisories. We need to fix the format of the > security issues. The GiaLab "description templates" may be a good idea > to fix the format. > https://docs.gitlab.com/ee/user/project/description_templates.html > > If possible, let's have a video meeting! > > Best regards, > Teppei > > 2019=E5=B9=B48=E6=9C=8814=E6=97=A5(=E6=B0=B4) 11:01 Natanael Copa ncopa@a= lpinelinux.org: > > > Hi, > > On Sun, 11 Aug 2019 14:29:50 -1000 > > Teppei Fukuda knqyf263@gmail.com wrote: > > > > > Hi Copa, > > > My apologies for keeping asking you questions, but I have one more qu= estion. > > > When I've been following the recent security related commits of > > > alpine/aports, I've noticed that you always write secfixes comment > > > even if they were not backported fixes. Was this defined as a rule? > > > > No, it was never an expressed or documented rule or request or > > anything. The community have just filled in the secfixes data, so it > > seems that is the direction things are "naturally" going. > > We have recently also moved to gitlab and have tried various ways to > > report the issues. Gitlab has made things simpler, for example we are > > now using one issue with tasklist of affected branches. We have also > > started to add the commit data where the issue is fixed. This seems to > > work relatively well and combined with the secfixes data, this is a > > good step forward to an advisory program. > > > > > As I mentioned before, I hope that security advisories of Alpine will > > > be provided. So I would like to help if I can do anything. > > > > Can you please have a look at the recent security fixes in gitlab and > > see what you think, and what we could do differently. > > https://gitlab.alpinelinux.org/alpine/aports/issues?scope=3Dall&utf8=3D= =E2=9C=93&state=3Dclosed&label_name[]=3DSecurity > > I specifically wonder how to report multiple CVEs that affect different > > branches. See for example > > https://gitlab.alpinelinux.org/alpine/aports/issues/10699 > > Do you think that tracking the security data in secfixes comments in > > APKBUILDs and the reported security issues in gitlab is sufficient? We > > could probably start also report the issues that we have fixed already, > > with the commit with the fix. > > > > > I know you are so busy. It would be appreciated if I discuss this wit= h > > > you when you have time. > > > > Would you like to have a video conference meeting? > > -nc > > > > > Best regards, > > > Teppei > > > 2019723*(*) 16:56 Teppei Fukuda knqyf263@gmail.com: > > > > > > > Hi Copa, > > > > I appreciate your polite explanation. I understand. > > > > Currently, my program collects the following data: > > > > > > > > 1. the secfixes comments in APKBUILD > > > > 2. alpine-secdb (maybe the same as above) > > > > 3. the security tickets of Redmine (will be replaced with the > > > > issues of GitLab) 4. git diff APKBUILD (only commits related wi= th > > > > the above issues) > > > > > > > > > > > > I think we can generate the security advisories by checking all git > > > > log like No. 4. For example, the following commit fixes > > > > CVE-2019-13636. > > > > https://github.com/alpinelinux/aports/pull/9642/files > > > > Watching this diff of main/patch/APKBUILD, we can detect the versio= n > > > > update from 2.7.6-r4 to 2.7.6-r5. This is my source code doing it. > > > > https://github.com/knqyf263/vuln-list-update/blob/d8aefa60155637561= a8a2d3feb486bbb675c996c/alpine/alpine.go#L404-L450 > > > > I know this way is not perfect. There may be false > > > > positive/negative. However, this process can be automated and the > > > > maintenance cost is low. It may be a good way as a first step of > > > > the security advisory. It is better if the format of the commit > > > > message is fixed. e.g. [os_version] pkgname: fix CVE-ID. > > > > I want the security database of Alpine strongly and can help you in > > > > the task of investigating it and writing an automation program. But= , > > > > It is difficult to do manual operation (e.g. I continue to fill the > > > > security information manually). > > > > Best, > > > > Teppei > > > > 2019723*(*) 18:18 Natanael Copa ncopa@alpinelinux.org: > > > > > > > > > On Tue, 23 Jul 2019 17:54:40 +0900 > > > > > Teppei Fukuda knqyf263@gmail.com wrote: > > > > > > > > > > > Hi Carlo, > > > > > > Yes, it is. However, alpine-secdb is database of backported > > > > > > fixes as README says. > > > > > > > > > > > > > It is not a complete database of all security issues in > > > > > > > Alpine. > > > > > > > > > > > > I need a complete database of all security issues. > > > > > > > > > > We currently don't have that. I do think we have much or maybe > > > > > even most of the needed data, but its spread. > > > > > We need someone who can figure out the pieces that is missing and > > > > > find a way to collect and store it in a way that makes it as > > > > > simple as possible to fix and roll out fixes. > > > > > We could for example use the secfixes comments in APKBUILD and > > > > > data from gitlab issues and generate a database from that, and > > > > > have someone fill in the missing data, or we could turn it > > > > > around, have someone collect all the data in a database and > > > > > generate issues from that and maybe automatically add secfixes > > > > > comments from it. > > > > > But we need someone who can investigate and come up with a good > > > > > plan. > > > > > -nc