With the advent of the OpenPKG Enterprise and OpenPKG Community distributions in Q4/2006, the OpenPKG security engineering is finally restructured, too.

While the security engineering for OpenPKG Enterprise is performed by OpenPKG GmbH, the security engineering for OpenPKG Community is performed by OpenPKG Foundation e.V., of course. To support this broadened scope and the necessary maximum independent progress of each organization without losing consistency in the results, a completely new workflow and corresponding infrastructure was established. The most noticeable changes are:

Shared Security Issue Resource Pool
-----------------------------------

Both organizations continue to use exactly the same resource pool for tracking all security issue information. This pool is intentionally centrally located and fully versioned at the OpenPKG Project. This ensures fully consistent information and resulting service across the two cooperating organizations, independent of which organization determines which parts of the individual information.

The resource pool now uses a syntactically strictly structured format which allows its main content to be automatically synchronized with an RDBMS for fast online querying and displaying. In a time-consuming process the OpenPKG GmbH worked off all (over 200) individual Security Advisories of the past and converted them into the new internal Security Issue (SI) format.

Security Issue (SI) vs. Security Advisory (SA)
----------------------------------------------

Every security issue is now also uniquely identified with an OpenPKG-internal Security Issue (SI) id of the form "OpenPKG-SI-YYYYMMDD.NN". Please do not confuse this with the public OpenPKG Security Advisory (SA) ids of the form "OpenPKG-SA-YYYY.NNN". The SI ids identify the issue in the internal resource pool and are for internal cross-referencing only. As in the past, the SA ids identify the issue publicly in case OpenPKG was determined to be affected (and hence a Security Advisory was published for it).

Security Advisory Publishing
----------------------------

The OpenPKG Project will no longer send out Security Advisory mails on its own. Instead, from now on it maintains the central security issue resource pool for the OpenPKG GmbH and OpenPKG Foundation e.V. only. As the OpenPKG GmbH with its OpenPKG Enterprise product strongly focuses on the security engineering aspects, it implemented a new infrastructure for the publishing of Security Advisories under http://www.openpkg.com/security/advisories/. All old (and already published) URLs inside the old infrastructure of the OpenPKG Project are still valid, as they are automatically redirected to the corresponding URLs in the new infrastructure of the OpenPKG GmbH.

As a result of the new security issue tracking and its processing workflow, the Security Advisory documents under http://www.openpkg.com/security/advisories/ are no longer just copies of the published Security Advisory mails (as was the case in the past). Instead, the Security Advisories are now on-demand rendered messages (with a particular publishing date and a particular revision number) which are entirely derived from the information in the security issue resource pool. The Security Advisory mails the OpenPKG GmbH now sends out are just snapshots of this security issue information at the time the OpenPKG GmbH fixes the OpenPKG Enterprise distribution, in order to inform the OpenPKG audience about the security incident as early as possible.

Security Advisory Online Status
-------------------------------

The new workflow especially allows the two organizations to modify the information in the Security Advisories even _after_ they were already sent out once as -- unchangeable and signed -- mails. This is very important, as experience shows that CVE numbers, vendor confirmation URLs or even information about additionally fixed OpenPKG packages in particular OpenPKG distributions are not (and cannot be) always already known at the time the OpenPKG audience should be informed.

So, from now on, if you receive an OpenPKG Security Advisory, read it carefully and decide (based on the information about the issue subject) whether you have to react. If you need more and/or updated information, go to the URL http://openpkg.com/go/OpenPKG-SA-YYYY-NNN which is prominently displayed in the mail. There you will find the _LATEST_ version of this Security Advisory. You can easily determine whether the information is newer by comparing the "Issue Last Modified" and "Issue Revision" fields in the two messages. Especially, in the online version of the Security Advisory, look at the third/last section: there you find detailed information about the affected and corrected OpenPKG distributions, series and packages. In case one of the two organizations has still not provided update packages for its distribution, the corresponding entries are labeled as "pending" there, too.

- - -

With this new workflow, you will be informed as early as possible about particular security incidents in the OpenPKG world and additionally, at any time, you now have a clear online and realtime view of the current status. Additionally, although two organizations are independently performing the security engineering for their OpenPKG distributions and series, it is ensured that the results are fully consistent across OpenPKG. The OpenPKG GmbH and the OpenPKG Foundation e.V. think that this way an even better security engineering service can be delivered to both the business customers and the community users.

Ralf S. Engelschall
on behalf of the OpenPKG GmbH and the OpenPKG Foundation e.V.
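As an added example (not OpenPKG's own tooling), the following Python helper validates the two id forms described above (internal "OpenPKG-SI-YYYYMMDD.NN" and public "OpenPKG-SA-YYYY.NNN"), derives the "go" permalink form printed in advisory mails, and compares a mailed advisory snapshot with its online rendering by the "Issue Revision" and "Issue Last Modified" fields, listing the entries still marked "pending". The "Field: value" snapshot layout, the ISO date format and the series names are assumptions made for this example.

```python
import re
from datetime import date

# Id forms quoted in the announcement: internal SI ids and public SA ids.
SI_RE = re.compile(r"^OpenPKG-SI-(\d{4})(\d{2})(\d{2})\.(\d{2})$")
SA_RE = re.compile(r"^OpenPKG-SA-(\d{4})\.(\d{3})$")

def classify_id(ident):
    """Return ("SI", issue_date, seq) or ("SA", year, seq); None for anything else."""
    m = SI_RE.match(ident)
    if m:
        y, mo, d, n = (int(g) for g in m.groups())
        return ("SI", date(y, mo, d), n)  # date() also rejects impossible dates
    m = SA_RE.match(ident)
    if m:
        return ("SA", int(m.group(1)), int(m.group(2)))
    return None

def permalink(sa_id):
    """The 'go' URL printed in advisory mails (year and number joined by a dash)."""
    parsed = classify_id(sa_id)
    if parsed is None or parsed[0] != "SA":
        raise ValueError("only public SA ids have a permalink: %s" % sa_id)
    return "http://openpkg.com/go/OpenPKG-SA-%04d-%03d" % (parsed[1], parsed[2])

def parse_snapshot(text):
    """Split a 'Field: value' snapshot into a dict (assumed layout, not OpenPKG's)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def online_is_newer(mail_text, online_text):
    """Compare the mailed snapshot with the online rendering by revision, then date."""
    mail, online = parse_snapshot(mail_text), parse_snapshot(online_text)
    if online["Issue Revision"] != mail["Issue Revision"]:
        return int(online["Issue Revision"]) > int(mail["Issue Revision"])
    return online["Issue Last Modified"] > mail["Issue Last Modified"]  # assumes ISO dates

def pending_entries(text):
    """Distribution/series lines still marked 'pending' (no update packages yet)."""
    return sorted(k for k, v in parse_snapshot(text).items() if v.lower() == "pending")

# Constructed sample snapshots; the series names are placeholders, not real ones.
MAIL_SNAPSHOT = "Issue Last Modified: 2006-10-02\nIssue Revision: 1\nEnterprise SERIES-A: pending\nCommunity SERIES-B: fixed\n"
ONLINE_SNAPSHOT = "Issue Last Modified: 2006-10-04\nIssue Revision: 2\nEnterprise SERIES-A: fixed\nCommunity SERIES-B: fixed\n"
```

Run `online_is_newer(MAIL_SNAPSHOT, ONLINE_SNAPSHOT)` and `pending_entries(MAIL_SNAPSHOT)` to see the revision check and the pending list on the constructed data.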
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Project Announcement List                  openpkg-announce@openpkg.org