Date: Thu, 27 Jan 2022 17:51:50 +0000
From: Markus Kolb
To: Jakub Jirutka, ~alpine/users@lists.alpinelinux.org
Subject: Re: Alpine Linux Project (was: Alpine Linux affected by CVE-2022-0185?)
In-Reply-To: <2b551cfe-9642-4b03-93ab-1a23442dee3b@jirutka.cz>
References: <2b551cfe-9642-4b03-93ab-1a23442dee3b@jirutka.cz>
Message-ID: <29F8112B-57CE-4CA8-9B36-C7C77190E7A3@tower-net.de>
On 25 January 2022 16:58:02 UTC, Jakub Jirutka <jakub@jirutka.cz> wrote:

> I didn't find this patch on merge requests (https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests), so it predates the integration of the aports mailing list and GitLab. That's why it didn't get any attention. Even in those times, the preferred way of contributing changes was through merge requests on GitLab, not the mailing list.
>
> Your patch is for main/nodejs; coincidentally, I'm the maintainer of this aport. I've never been following the aports mailing list, only GitLab (and before that GitHub). There was no automation over the aports ML, not even notifying the maintainer, so I just didn't know about this patch (or any other there). Fortunately, that's in the past: when you send a patch to the aports ML, it automatically opens an MR on GitLab and the maintainer of the target aport is automatically assigned to it. Comments should be synced both ways, but still, it's much better to use the GitLab interface (web UI or API) to create and interact with merge requests, instead of this archaic and limited mail-based approach.
>
> So that's what is/was going on. Additional manpower is very much needed and welcome.
>
> Jakub J.
>
> On 1/25/22 4:46 PM, Markus Kolb wrote:
>> On 25 January 2022 14:24:17 UTC, Jakub Jirutka <jakub@jirutka.cz> wrote:
>>
>>>> But I've provided some months ago a patch for a security-related issue and never got an answer.
>>>
>>> Can you please provide a link to your merge request on https://gitlab.alpinelinux.org that was closed without an answer?
>>>
>>> Thanks,
>>> Jakub J.
>>>
>>> On 1/25/22 2:42 PM, Markus Kolb wrote:
>>>> It is kernel 5.15.15 and the vuln is patched in 5.15.16. So yes.
>>>> Looks like the maintenance is becoming somewhat resource limited.
>>>> But I've provided some months ago a patch for a security-related issue and never got an answer. So it looks like they don't want to have additional manpower. The issue has been closed some weeks later by providing a new package. So I'm somewhat questioning what is going on.
>>
>> https://lists.alpinelinux.org/~alpine/aports/patches/3549
>

OK, Jakub.
Well, I tried to follow the documented way on wiki.alpinelinux.org of how to contribute patches at this time.
And there it is also today more or less documented like the months before.

It is also not your package or this single experience alone. There have been some more packages I've rebuilt myself in a newer version (not always from edge) before they were available in the repo days/weeks later. Not sure if it is really the case, but I got told on IRC that you (Alpine) would have the information about security-related releases on the publication of CVE scores. This is at least sometimes not just-in-time, and there are fixed upstream releases available long before this info is published. Sometimes there is also PoC code published on the same date.

Next to this, there is not really much information about how the "members" (are they members?) of Alpine Linux are organized.
Who are you, organized in the TSC? Is this part of the main job of the core people or your hobby? Are you paid by the sponsors for the development on Alpine for your living? Is there some interest by the sponsors to drive Alpine or is it personal interest? Is there any relation to musl development and project? Do you develop Alpine for a special purpose for yourself, your employer or customer?
What is the concept of trust for package maintainers?
At the moment it is like expecting everything and nothing. Not sure if it is responsible to recommend Alpine to a boss or customer and base their platforms on it. Will the community stay alive if one of Timo, Natanael or Carlo has to or wants to do something different?
I've been using Alpine Linux for some years with a very limited package selection, because I like the concept of the small base system, and I've been subscribed to the list for a similar time, but somehow I miss the insight I'm used to getting from other open-source OS community projects during this time.

Thanks
Markus