I don't think we should delay the release to fix security.
You have your reasons for not voting and I respect that.
Fixing security isn't technically difficult and I have fixes available, I'm
hoping for collaborative development, so they receive peer review /
modification / alternate solutions / suggestions / feedback / rejection etc.
I haven't been successful communicating / discussing security and I think that
will take some time to sort out.
The ability to take down servers using DoS is annoying and easily demonstrated
(I've started writing some code to do so); however, gadget attacks allow an
attacker to take over systems, steal data etc., but are less easily
demonstrated. While there are existing known gadget attacks, the ones I'm
aware of have fixes, so I'll be looking for a zero day to demonstrate. While
whack-a-mole is one approach to fixes, it would be better to provide an API to
support input validation.
http://frohoff.github.io/appseccali-marshalling-pickles/
Gadget attacks create object graphs using existing local classes to create
execution paths that perform malicious actions during deserialization, this is
a relatively recent development. Security advisories recommend against
deserializing from untrusted sources.
The intent of the vote request is to determine whether fixing security issues
is an option in future.
If the result is no, my intention is to focus on getting River off svn
into git, so it's easier to maintain my own branch while sharing and
contributing to a common code base.
If yes then I'll work on improving my communication skills for discussing
security-related issues.
Discussing this won't hold up a release as the time windows available for me to
work on producing a release are weekends only. I'm going to have to create the
release artifacts on MSWindows, so need to check the scripts work properly and
understand recent build changes.
I also have other goals, I'll be ready to set up a public service registrar,
discoverable over IPv6 in the near future.
If the no vote wins, I promise not to mention security on this list again.
Regards,
Peter.
Sent from my Samsung device.
Original message
From: Patricia Shanahan
Sent: 08/04/2016 06:34:23 am
To: dev@river.apache.org
Subject: [DISCUSS] [vote] should we fix security flaws?
I am not prepared to vote on this.
First of all, I would need, on a private list where we can go into
details of security issues, to get a feeling for the seriousness of the
flaws in question. A denial of service is, in many contexts, less
serious than file corruption.
We may want to consider investigating the actual and proposed use-cases
for River before deciding this.
Do you feel any of the security flaws in question are release-blockers
for River 3.0? How long would fixing them first delay the release?
On 4/7/2016 12:36 PM, Peter wrote:
> How do people on this project feel about security flaws?
>
> Should we be fixing them?
>
> I can provide evidence of vulnerabilities, I'm not proposing my fixes be
> adopted.
>
> Vote:
>
> +1 Yes we should aim to fix security flaws.
> 0 don't care.
> -1 No.
>
> Regards,
>
> Peter.
>
>
>
> Sent from my Samsung device.
>
>