Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

2021-05-16 Thread Theodore Y. Ts'o
On Thu, May 13, 2021 at 09:56:53PM +0100, Marcin Kulisz wrote:
> 
> I hope that we'll be able to change it, but for me the fundamental
> question is if Google is interested in participating in the effort to
> keep those packages in Debian main and if so what resources can be
> committed to do so.  From my side I can say that I'll try to find
> time to work on the relevant packages or to sponsor uploads if
> somebody else wants to take on this task.

I'd be interested in helping; while I happen to work for Google, this
would only be in my personal capacity.  One caveat, though, which is
why I've hesitated in replying, is I don't have any experience
packaging Python applications.

In particular, if the Google SDK requires Python packages that are
either newer or older than what is packaged in Debian, Debian's
prohibition of private copies of dependencies could make this quite
painful (if nothing else, just simply testing to make sure things
still work with variations in the Python packages available in
Debian).

- Ted



Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

2021-05-13 Thread Marcin Kulisz
On 2021-05-10 12:16:09, Noah Meyerhans wrote:
> On Mon, May 10, 2021 at 09:00:34PM +0200, Moritz Mühlenhoff wrote:
> > > Hi, since this package was brought into Debian in ~2018, there have been
> > > several transformations in the GCE guest software stack and thus the
> > > current landscape is very different. Google doesn't actually maintain the
> > > official Debian package and we're not sure who is, if anyone. The Google
> > > provided packages are shipped separately and will override the Debian
> > > package if you use them from our repositories. Please see either our Google
> > > Cloud docs or github readme for info on
> > > the packages we are maintaining and shipping for Debian systems and on the
> > > base Google provided GCE Debian images. Unfortunately, we never did find a
> > > DD sponsor to help maintain our guest packages in Debian on the cadence
> > > that we needed. I would advocate for removing this package from Debian if
> > > we can't find a set of maintainers.
> > 
> > Hi Zach,
> > as it stands google-compute-image-packages won't be part of the next Debian
> > stable release. Given the last upload was in Oct 2019 the package seems
> > unmaintained anyway, so if no one steps up to maintain it in the next months
> > it's probably best to remove it entirely.
> 
> If we ever want to get to a point where the Debian cloud team is able to
> publish useful images to the Google cloud service, we'll need to get
> this package into shape for inclusion in a stable release.  The lack of
> good maintenance of packages such as this one is a big factor in us not
> being able to do so.  The package is nominally maintained by the cloud
> team, but none of the current members is active in working with it.

I hope that we'll be able to change it, but for me the fundamental question is if
Google is interested in participating in the effort to keep those packages in
Debian main and if so what resources can be committed to do so.
From my side I can say that I'll try to find time to work on the relevant
packages or to sponsor uploads if somebody else wants to take on this task.

So for me the first step for restarting this work would be to have a conversation
with Zach about agreeing what needs to be done, how we are going to do it and
what commitments we are going to put in place to make it relevant in the long
run.

> As there seems to be interest within some members of the Debian
> community in having Debian-published images available for GCE, we should
> try to solicit help with package maintenance before we kick it out for
> good.

Thanks Noah for motivating me to reply to this email. I think this is a worthy
cause, thus I hope we can have it sorted without removing those packages from Debian.
-- 

|_|0|_|  |
|_|_|0|  "Panta rei" |
|0|0|0|  kuLa    |

gpg --keyserver pgp.mit.edu --recv-keys 0x686930DD58C338B3
3DF1  A4DF  C732  4688  38BC  F121  6869  30DD  58C3  38B3




Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

2021-05-10 Thread Noah Meyerhans
On Mon, May 10, 2021 at 09:00:34PM +0200, Moritz Mühlenhoff wrote:
> > Hi, since this package was brought into Debian in ~2018, there have been
> > several transformations in the GCE guest software stack and thus the
> > current landscape is very different. Google doesn't actually maintain the
> > official Debian package and we're not sure who is, if anyone. The Google
> > provided packages are shipped separately and will override the Debian
> > package if you use them from our repositories. Please see either our Google
> > Cloud docs 
> > or github readme
> >  for info on
> > the packages we are maintaining and shipping for Debian systems and on the
> > base Google provided GCE Debian images. Unfortunately, we never did find a
> > DD sponsor to help maintain our guest packages in Debian on the cadence
> > that we needed. I would advocate for removing this package from Debian if
> > we can't find a set of maintainers.
> 
> Hi Zach,
> as it stands google-compute-image-packages won't be part of the next Debian
> stable release. Given the last upload was in Oct 2019 the package seems
> unmaintained anyway, so if no one steps up to maintain it in the next months
> it's probably best to remove it entirely.

If we ever want to get to a point where the Debian cloud team is able to
publish useful images to the Google cloud service, we'll need to get
this package into shape for inclusion in a stable release.  The lack of
good maintenance of packages such as this one is a big factor in us not
being able to do so.  The package is nominally maintained by the cloud
team, but none of the current members is active in working with it.

As there seems to be interest within some members of the Debian
community in having Debian-published images available for GCE, we should
try to solicit help with package maintenance before we kick it out for
good.

noah





Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

2021-05-10 Thread Moritz Mühlenhoff
Am Thu, Apr 22, 2021 at 09:53:24AM -0700 schrieb Zach Marano:
> Hi, since this package was brought into Debian in ~2018, there have been
> several transformations in the GCE guest software stack and thus the
> current landscape is very different. Google doesn't actually maintain the
> official Debian package and we're not sure who is, if anyone. The Google
> provided packages are shipped separately and will override the Debian
> package if you use them from our repositories. Please see either our Google
> Cloud docs 
> or github readme
>  for info on
> the packages we are maintaining and shipping for Debian systems and on the
> base Google provided GCE Debian images. Unfortunately, we never did find a
> DD sponsor to help maintain our guest packages in Debian on the cadence
> that we needed. I would advocate for removing this package from Debian if
> we can't find a set of maintainers.

Hi Zach,
as it stands google-compute-image-packages won't be part of the next Debian
stable release. Given the last upload was in Oct 2019 the package seems
unmaintained anyway, so if no one steps up to maintain it in the next months
it's probably best to remove it entirely.

Cheers,
Moritz



Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

2021-04-22 Thread Moritz Muehlenhoff
Source: google-compute-image-packages
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

https://cloud.google.com/compute/docs/security-bulletins#2020619 seems unfixed
in unstable/bullseye still.

Patches:
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29

Cheers,
Moritz