Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Markus Koschany
On 16.04.19 at 09:17, Raphael Hertzog wrote:
> Hi,
> 
> On Mon, 08 Apr 2019, Markus Koschany wrote:
>> "Not used by any sponsor" is often used internally in commit messages as
>> an additional comment, reason and clarification why a certain issue is
> 
> In commit message to which repository?
> 
> I think you are mixing the ELTS security tracker here.

No, I don't.

> 
>> marked no-dsa or ignored, mostly intended for those people who work on
>> LTS. Of course we always take into consideration how useful a fix is and
>> on what we should spend our time on. This should come as no surprise to
>> everyone who followed LTS in the past. Debian LTS is only possible
>> because of this sponsorship and of course it is part of Debian.
> 
> FWIW, I agree fully with Salvatore that "Not used by any sponsor" is
> completely irrelevant for CVE triaging.
> 
> It's relevant when paid LTS contributors have to select which packages
> they are going to work on, but it's not relevant to evaluate the
> importance of a CVE.
> 
> (The story is very different for ELTS, obviously)

I think there is a big misunderstanding here. For instance I have
triaged edk2 which is a non-free package in Jessie. Normally we don't
support non-free but we make an exception when it is used by sponsors
like firmware-nonfree or unrar in the past. Thus when I write "non-free
is not supported, not used by any sponsor" I am clarifying that we should
not spend time on such a package. This was always our policy.

Also popcon value is a factor to consider for spending time on a fix.
When there are only 10 reported installations for a web application like
hoteldruid then we usually prioritize more important packages. Hence I
have sent an email to the maintainer of hoteldruid with our rationale
and asked him if he would like to work on the package in the meantime.

I don't agree with Salvatore's concerns and I find "Minor issue" far
less informative as a reasoning, which the security team uses rather
often as a justification.

Markus



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Sylvain Beucler
Hi,

On 16/04/2019 09:20, Raphael Hertzog wrote:
> On Tue, 09 Apr 2019, Sylvain Beucler wrote:
>> On 09/04/2019 09:50, Ingo Wichmann wrote:
>>> labeling it "minor issues" when the real reason is "sponsors needed"
>>> sounds wrong to me.
>> That's never been the real reason so far AFAICS, only a complementary
>> reason.
> Ok, still to not encourage this bad practice, please remove those
> "complementary reasons" from the existing entries.

Already did for mine, just removed the others (pointing to your mail in
the commit message).

- Sylvain



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Raphael Hertzog
Hi,

On Tue, 09 Apr 2019, Sylvain Beucler wrote:
> On 09/04/2019 09:50, Ingo Wichmann wrote:
> > labeling it "minor issues" when the real reason is "sponsors needed"
> > sounds wrong to me.
> 
> That's never been the real reason so far AFAICS, only a complementary
> reason.

Ok, still to not encourage this bad practice, please remove those
"complementary reasons" from the existing entries.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Raphael Hertzog
Hi,

On Mon, 08 Apr 2019, Markus Koschany wrote:
> "Not used by any sponsor" is often used internally in commit messages as
> an additional comment, reason and clarification why a certain issue is

In commit message to which repository?

I think you are mixing the ELTS security tracker here.

> marked no-dsa or ignored, mostly intended for those people who work on
> LTS. Of course we always take into consideration how useful a fix is and
> on what we should spend our time on. This should come as no surprise to
> everyone who followed LTS in the past. Debian LTS is only possible
> because of this sponsorship and of course it is part of Debian.

FWIW, I agree fully with Salvatore that "Not used by any sponsor" is
completely irrelevant for CVE triaging.

It's relevant when paid LTS contributors have to select which packages
they are going to work on, but it's not relevant to evaluate the
importance of a CVE.

(The story is very different for ELTS, obviously)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-10 Thread Salvatore Bonaccorso
Hi Sylvain,

On Mon, Apr 08, 2019 at 10:18:08PM +0200, Sylvain Beucler wrote:
> Hi,
> 
> On 08/04/2019 21:56, Holger Levsen wrote:
> > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
> >> Recently I noticed that for a no-dsa (either for no-dsa or the
> >> stronger ignored) as explanation was started to be used e.g. "not used
> >> by any sponsor".
> 
> That sounds related to my triage of libpodofo today.

It was at least the trigger for my mail ;-)

> Firstly, as an aside, it seemed to me that  was not stronger,
> but more precise than  (a "sub-state" as documented at
> https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory).
> Let me know if you prefer we use 

Yep I know about the sub-state distinction. What I meant with stronger
can maybe be illustrated as follows: while an issue marked as no-dsa
might be reconsidered, postponed definitively to be looked at at the next
update we want to have for a specific source package, ignored is
stronger in the sense that we likely are not going to look at this anymore
from the security team point of view (well one can always reconsider, but
let's say that is the intention at the point when someone adds the
entry in the list for a specific CVE and suite). That does not mean it cannot
be fixed, but it somehow goes down on the radar. Anyway, that was not
the main point. I raised the concern about the 'not used by any
sponsors' part. Using the appropriate substate as needed is fine, so
whatever it will be for the respective entry, either no-dsa, postponed
or ignored for the respective triage.

> >> If LTS is meant as Debian project, then I would suggest not to start
> >> to use those formulations, which I think are fine for ELTS, which is a
> >> dedicated project not on Debian directly. Saying something is not DSA
> >> worthy or is going to be ignored, because it's not used by a LTS
> >> sponsor will give a signal to others that indeed, Debian LTS is not a
> >> generic Debian project.
> > thanks for bringing this up. FWIW, I agree with you.
> Secondly, being my first go at triaging, I looked at past triages, and
> the first occurrence of "not used by any sponsor" is from last August,
> so I believed that was a good reason to document it as an additional
> reason (the main reason being it's a caught exception / basic DoS, not a
> crash with memory overwrite & cie, plus a low popcon for Jessie).
> 
> But I'll leave that out from now on.
> 
> 
> >> Just stick to "Minor issue" in such cases if something is not DSA
> >> worthy because the issue is minor, but do not make it dependent on if
> >> a paying LTS sponsor is using it or not.
> > (or don't mark it "Minor issue" if it's not minor. This should also
> > hopefully make it more likely someone picks it up as a volunteer effort,
> > eg when proving one is capable of lts work...)
> 
> FWIW I like when we justify why it is minor.

Sure, I really wanted to highlight the 'not used by any sponsor' part.
It is perfectly fine to write more there, not just minor issue, and
give some concise reasoning on why something is no-dsa, ignored or
postponed. Just try to keep it concise (or, in other words, don't let it
become a novel).

Hope this helps,

Regards,
Salvatore



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Abhijith PA

On Tuesday 09 April 2019 03:09 AM, Markus Koschany wrote:
> On 08.04.19 at 21:51, Salvatore Bonaccorso wrote:
>> Hi LTS contributors,
>>
>> Recently I noticed that for a no-dsa (either for no-dsa or the
>> stronger ignored) as explanation was started to be used e.g. "not used
>> by any sponsor".
>>
>> If LTS is meant as Debian project, then I would suggest not to start
>> to use those formulations, which I think are fine for ELTS, which is a
>> dedicated project not on Debian directly. Saying something is not DSA
>> worthy or is going to be ignored, because it's not used by a LTS
>> sponsor will give a signal to others that indeed, Debian LTS is not a
>> generic Debian project.
> 
> "Not used by any sponsor" is often used internally in commit messages as
> an additional comment, reason and clarification why a certain issue is
> marked no-dsa or ignored, mostly intended for those people who work on
> LTS. Of course we always take into consideration how useful a fix is and
> on what we should spend our time on. This should come as no surprise to
> everyone who followed LTS in the past. Debian LTS is only possible
> because of this sponsorship and of course it is part of Debian.


"Not used by any sponsor" should not be in commit messages either. I
understand that you are doing this for clarity. But paid contributors
have a file that contains packages and their priority, so looking at it is
enough rather than mentioning those redundantly.


--abhijith




Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Sylvain Beucler
Hi,

On 09/04/2019 09:50, Ingo Wichmann wrote:
> labeling it "minor issues" when the real reason is "sponsors needed"
> sounds wrong to me.

That's never been the real reason so far AFAICS, only a complementary
reason.

    [jessie] - libpodofo  (DoS, not used by any sponsor)
    [jessie] - hoteldruid  (low popcon, not used by any sponsor)
    [jessie] - hoteldruid  (low popcon, not used by any sponsor)
    [jessie] - hoteldruid  (low popcon, not used by any sponsor)
    [jessie] - hoteldruid  (low popcon, not used by any sponsor)
    [jessie] - tcpreplay  (not used by any sponsor, hard to exploit)
    [jessie] - tcpreplay  (not used by any sponsor, hard to exploit)
    [jessie] - edk2  (non-free, not used by any sponsor)
    [jessie] - edk2  (non-free, not used by any sponsor)
    [jessie] - edk2  (non-free, not used by any sponsor)
    [jessie] - edk2  (non-free is not supported, not used by any sponsor)
    [jessie] - edk2  (non-free is not supported, not used by any sponsor)

Cheers!
Sylvain
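Sylvain's excerpt shows the shape of the tracker annotations the thread is about. As an added illustration (not code from the thread or from the security tracker itself), here is a small Python lint that parses such entries, assuming the `[suite] - package <state> (reason)` form documented for the tracker, and flags the sponsor-based wording the thread agrees to drop as well as entries that give no reason at all; the sample lines are constructed:

```python
"""Lint for Debian security-tracker no-dsa annotations (data/CVE/list).
Added example for this thread, not tracker code. Entry shape assumed from
the tracker documentation linked in the thread:
    [suite] - package <state> (free-text reason)
with <state> one of no-dsa, ignored, postponed (sub-states of no-dsa)."""
import re

ENTRY_RE = re.compile(
    r"^\s*\[(?P<suite>[a-z]+)\]\s+-\s+(?P<pkg>\S+)\s+"
    r"<(?P<state>no-dsa|ignored|postponed)>\s*(?:\((?P<reason>.*)\))?\s*$"
)
# Wording the thread agrees to drop: it says who funds a fix, not how
# severe the issue is.
SPONSOR_RE = re.compile(r"\b(sponsors?|sponsored|funding)\b", re.I)

def parse_entry(line):
    """Return dict with suite, pkg, state, reason; None if not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["reason"] = (entry["reason"] or "").strip()
    return entry

def lint_entry(line):
    """Return the findings for one annotation line (empty list = clean)."""
    entry = parse_entry(line)
    if entry is None:
        return ["unparseable entry: %r" % line.strip()]
    findings = []
    if SPONSOR_RE.search(entry["reason"]):
        findings.append("sponsor-based reasoning for %s/%s"
                        % (entry["suite"], entry["pkg"]))
    if not entry["reason"]:
        # Salvatore and Sylvain both want a concise reason next to the state.
        findings.append("no reason given for <%s> on %s"
                        % (entry["state"], entry["pkg"]))
    return findings

def lint(text):
    """Map each non-empty line of a list excerpt to its findings."""
    return {ln.strip(): lint_entry(ln)
            for ln in text.splitlines() if ln.strip()}

# Constructed sample modelled on the entries Sylvain quoted; the CVE header
# lines that precede such annotations in the real tracker are omitted.
SAMPLE = """\
    [jessie] - libpodofo <no-dsa> (DoS, not used by any sponsor)
    [jessie] - hoteldruid <postponed> (low popcon, not used by any sponsor)
    [jessie] - edk2 <ignored> (non-free is not supported)
    [jessie] - tcpreplay <no-dsa> (Minor issue)
    [jessie] - example-pkg <no-dsa>
"""
```

Running `lint(SAMPLE)` reports the two sponsor-based entries and the one with no reason; the edk2 and tcpreplay lines pass.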



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Ingo Wichmann
Hi Hugo,

"funding needed" is OK to me, too.

But to me, the packages that we're talking about are "orphaned in LTS".
To change that, we need a Debian Maintainer to pick that package, fix it
and upload it.

Maybe that Debian Maintainer needs funding, maybe not. But still
"funding needed" would be ok to me.

Ingo

On 09.04.19 at 10:29, Hugo Lefeuvre wrote:
>> labeling it "minor issues" when the real reason is "sponsors needed"
>> sounds wrong to me.
>>
>> I'd say "minor issues" is right for minor issues. And "sponsors needed"
>> is a legitimate, helpful additional information.
>>
>> It seems to me, that it's not uncommon to Debian to search for a sponsor
>> of a package:
>> https://mentors.debian.net/sponsors
> When we speak about sponsors in this context, we mean the "contributing
> companies and organizations", the entities funding the Debian LTS
> project[0], not mentors from the package sponsoring process.
> 
> Yet another reason to not use "sponsoring" related arguments in the
> tracker?
> 
> [0] https://wiki.debian.org/LTS/Funding

-- 
Linuxhotel GmbH, Managing Director Dipl.-Ing. Ingo Wichmann
HRB 20463 Amtsgericht Essen, UStID DE 814 943 641
Antonienallee 1, 45279 Essen, Tel.: 0201 8536-600, http://www.linuxhotel.de





Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Hugo Lefeuvre
Hi Ingo,

> labeling it "minor issues" when the real reason is "sponsors needed"
> sounds wrong to me.
> 
> I'd say "minor issues" is right for minor issues. And "sponsors needed"
> is a legitimate, helpful additional information.
> 
> It seems to me, that it's not uncommon to Debian to search for a sponsor
> of a package:
> https://mentors.debian.net/sponsors

When we speak about sponsors in this context, we mean the "contributing
companies and organizations", the entities funding the Debian LTS
project[0], not mentors from the package sponsoring process.

Yet another reason to not use "sponsoring" related arguments in the
tracker?

[0] https://wiki.debian.org/LTS/Funding

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Ingo Wichmann
Hi,

labeling it "minor issues" when the real reason is "sponsors needed"
sounds wrong to me.

I'd say "minor issues" is right for minor issues. And "sponsors needed"
is a legitimate, helpful additional information.

It seems to me, that it's not uncommon to Debian to search for a sponsor
of a package:
https://mentors.debian.net/sponsors

Ingo

On 08.04.19 at 21:51, Salvatore Bonaccorso wrote:
> Hi LTS contributors,
> 
> Recently I noticed that for a no-dsa (either for no-dsa or the
> stronger ignored) as explanation was started to be used e.g. "not used
> by any sponsor".
> 
> If LTS is meant as Debian project, then I would suggest not to start
> to use those formulations, which I think are fine for ELTS, which is a
> dedicated project not on Debian directly. Saying something is not DSA
> worthy or is going to be ignored, because it's not used by a LTS
> sponsor will give a signal to others that indeed, Debian LTS is not a
> generic Debian project.
> 
> Just stick to "Minor issue" in such cases if something is not DSA
> worthy because the issue is minor, but do not make it dependent on if
> a paying LTS sponsor is using it or not.
> 
> Thanks for reading,
> 
> Regards,
> Salvatore
> 

-- 
Linuxhotel GmbH, Managing Director Dipl.-Ing. Ingo Wichmann
HRB 20463 Amtsgericht Essen, UStID DE 814 943 641
Antonienallee 1, 45279 Essen, Tel.: 0201 8536-600, http://www.linuxhotel.de



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Hugo Lefeuvre
> If LTS is meant as Debian project, then I would suggest not to start
> to use those formulations, which I think are fine for ELTS, which is a
> dedicated project not on Debian directly. Saying something is not DSA
> worthy or is going to be ignored, because it's not used by a LTS
> sponsor will give a signal to others that indeed, Debian LTS is not a
> generic Debian project.

...not to mention that "Not used by any sponsor" is only true at a moment
t. Not necessarily at t+1. Sponsors might use new packages, new sponsors
might come or some might leave. Not sure we want to introduce such
uncertain information in the tracker anyways.

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Markus Koschany
On 08.04.19 at 21:51, Salvatore Bonaccorso wrote:
> Hi LTS contributors,
> 
> Recently I noticed that for a no-dsa (either for no-dsa or the
> stronger ignored) as explanation was started to be used e.g. "not used
> by any sponsor".
> 
> If LTS is meant as Debian project, then I would suggest not to start
> to use those formulations, which I think are fine for ELTS, which is a
> dedicated project not on Debian directly. Saying something is not DSA
> worthy or is going to be ignored, because it's not used by a LTS
> sponsor will give a signal to others that indeed, Debian LTS is not a
> generic Debian project.

"Not used by any sponsor" is often used internally in commit messages as
an additional comment, reason and clarification why a certain issue is
marked no-dsa or ignored, mostly intended for those people who work on
LTS. Of course we always take into consideration how useful a fix is and
on what we should spend our time on. This should come as no surprise to
everyone who followed LTS in the past. Debian LTS is only possible
because of this sponsorship and of course it is part of Debian.

> Just stick to "Minor issue" in such cases if something is not DSA
> worthy because the issue is minor, but do not make it dependent on if
> a paying LTS sponsor is using it or not.

If you prefer "Minor issue" without further additional comments, we can
certainly do that.

Regards,

Markus






Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Sylvain Beucler
Hi,

On 08/04/2019 21:56, Holger Levsen wrote:
> On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
>> Recently I noticed that for a no-dsa (either for no-dsa or the
>> stronger ignored) as explanation was started to be used e.g. "not used
>> by any sponsor".

That sounds related to my triage of libpodofo today.

Firstly, as an aside, it seemed to me that  was not stronger,
but more precise than  (a "sub-state" as documented at
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory).
Let me know if you prefer we use 


>> If LTS is meant as Debian project, then I would suggest not to start
>> to use those formulations, which I think are fine for ELTS, which is a
>> dedicated project not on Debian directly. Saying something is not DSA
>> worthy or is going to be ignored, because it's not used by a LTS
>> sponsor will give a signal to others that indeed, Debian LTS is not a
>> generic Debian project.
> thanks for bringing this up. FWIW, I agree with you.

Secondly, being my first go at triaging, I looked at past triages, and
the first occurrence of "not used by any sponsor" is from last August,
so I believed that was a good reason to document it as an additional
reason (the main reason being it's a caught exception / basic DoS, not a
crash with memory overwrite & cie, plus a low popcon for Jessie).

But I'll leave that out from now on.


>> Just stick to "Minor issue" in such cases if something is not DSA
>> worthy because the issue is minor, but do not make it depdendent on if
>> a paying LTS sponsor is using it or not.
> (or don't mark it "Minor issue" if it's not minor. This should also
> hopefully make it more likely someone picks it up as a volunteer effort,
> eg when proving one is capable of lts work...)

FWIW I like when we justify why it is minor.

Cheers!
Sylvain