Re: [gentoo-dev] Re: News item: GRUB security update
Rich Freeman wrote: > On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein > wrote: >> Hi, >> >> On 18.12.2015 21:06, Mike Gilbert wrote: >>> Hi, please review the news item below. >> thanks for drafting this news item. However, the usual way to inform >> users about security flaws is by sending a GLSA. :) >> >> Based on your news item, we have drafted a GLSA now. It's currently >> pending review by one other member of the security team and we will send >> it in a few hours. >> > << SNIP >> > 2. Users probably don't regularly read GLSAs, since for the most part > it just tells them to update packages they've probably already > updated. How do we make ones that actually have instructions beyond > updating stand out? > > I know I stopped reading GLSAs ages ago, because they tended to tell > me to update to a package I had updated to a week before, and when > they said something else 90% of the time it was because there was an > error in the GLSA (usually this happened with subslots and the GLSA > just said of ranges that were vulnerable vs fixed). Granted, I have caught one > or two episodes over the years where the actual package might not have > been completely addressed and an older slot needed fixing. > > I guess my point isn't that GLSAs are a bad thing, but users need a > really high S/N ratio if we want them to pay attention. We need to > separate the mundane from the important. > +1. Given all the changes that have been done, I don't even know how to read them any more because I stopped a long time ago. I might add, I also don't read blogs about this sort of thing. About the only time I read a blog is if it is linked to here or on -user. Other than that, rarely if ever. All things considered, if it isn't a news item or something I follow on this list, I may never know about it. I really depend on the news items. Just keep the noise down or folks will start to ignore them too, although y'all are good at it only telling us about things that affect us. Dale :-) :-)
Re: [gentoo-dev] Re: News item: GRUB security update
On Sat, Dec 19, 2015 at 8:44 AM, Rich Freeman wrote: > On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein > wrote: >> Hi, >> >> On 18.12.2015 21:06, Mike Gilbert wrote: >>> Hi, please review the news item below. >> >> thanks for drafting this news item. However, the usual way to inform >> users about security flaws is by sending a GLSA. :) >> >> Based on your news item, we have drafted a GLSA now. It's currently >> pending review by one other member of the security team and we will send >> it in a few hours. >> > > The only concerns I have with this approach are: > 1. In this case timing is fine, but sometimes GLSAs have a > significant delay, especially when minor archs are involved in > stabilization. > 2. Users probably don't regularly read GLSAs, since for the most part > it just tells them to update packages they've probably already > updated. How do we make ones that actually have instructions beyond > updating stand out? > > I know I stopped reading GLSAs ages ago, because they tended to tell > me to update to a package I had updated to a week before, and when > they said something else 90% of the time it was because there was an > error in the GLSA (usually this happened with subslots and the GLSA > just said of ranges that were vulnerable vs fixed). Granted, I have caught one > or two episodes over the years where the actual package might not have > been completely addressed and an older slot needed fixing. > > I guess my point isn't that GLSAs are a bad thing, but users need a > really high S/N ratio if we want them to pay attention. We need to > separate the mundane from the important. I had that same thought when keytoaster first replied to this. Realistically, I suspect very few Gentoo users are using authentication in GRUB. Those who do are certainly more security conscious than the average user, and more likely to read GLSAs and other security announcements. I think the pkg_postinst message and the GLSA are sufficient coverage for this issue.
[gentoo-dev] Re: News item: GRUB security update
On 12/19/2015 02:44 PM, Rich Freeman wrote: > On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein > wrote: >> Hi, >> >> On 18.12.2015 21:06, Mike Gilbert wrote: >>> Hi, please review the news item below. >> .. > > I guess my point isn't that GLSAs are a bad thing, but users need a > really high S/N ratio if we want them to pay attention. We need to > separate the mundane from the important. > This sounds like something that might be appropriate for gentoo blog of some sort (GWN on a more ad-hoc basis?) linking to the GLSA. Even a blog in private blog as part of Planet Gentoo would likely work (but official blog would work nicer). -- Kristian Fiskerstrand Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 signature.asc Description: OpenPGP digital signature
[gentoo-dev] Re: News item: GRUB security update
On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein wrote: > Hi, > > On 18.12.2015 21:06, Mike Gilbert wrote: >> Hi, please review the news item below. > > thanks for drafting this news item. However, the usual way to inform > users about security flaws is by sending a GLSA. :) > > Based on your news item, we have drafted a GLSA now. It's currently > pending review by one other member of the security team and we will send > it in a few hours. > The only concerns I have with this approach are: 1. In this case timing is fine, but sometimes GLSAs have a significant delay, especially when minor archs are involved in stabilization. 2. Users probably don't regularly read GLSAs, since for the most part it just tells them to update packages they've probably already updated. How do we make ones that actually have instructions beyond updating stand out? I know I stopped reading GLSAs ages ago, because they tended to tell me to update to a package I had updated to a week before, and when they said something else 90% of the time it was because there was an error in the GLSA (usually this happened with subslots and the GLSA just said
[gentoo-dev] Re: News item: GRUB security update
Hi, On 18.12.2015 21:06, Mike Gilbert wrote: > Hi, please review the news item below. thanks for drafting this news item. However, the usual way to inform users about security flaws is by sending a GLSA. :) Based on your news item, we have drafted a GLSA now. It's currently pending review by one other member of the security team and we will send it in a few hours. Thanks! Cheers, Tobias signature.asc Description: OpenPGP digital signature