Re: [OE-core] CVE work synchronization proposal

2023-10-24 Thread Marta Rybczynska
On Fri, Oct 20, 2023 at 4:18 PM Michael Opdenacker wrote:
>
> Hi Marta
>
> On 20.10.23 at 10:36, Marta Rybczynska wrote:
> > Hello everyone,
> > We have a constant flow of work on pending CVEs. During my discussion
> > with multiple people, there is a common need for synchronization of
> > this work to avoid duplication or forgotten fixes.
> >
> > We have a decision on the tooling to make: do we want to create a
> > Bugzilla entry for each new open CVE? An alternative is to use a wiki
> > page (this has been prototyped by Ross) with heavy scripting to
> > automate the tedious part.
> >
> > Today I propose that you use a special wiki page and the following procedure:
> >
> > On the wiki page, always add all additional information after a ";" sign
> > to allow scripting. The first part of each line (until ";") will be
> > auto-generated. The second part contains information about the issue,
> > like who is investigating or what the situation is.
> >
> > There is a separate list for each branch, as we realize that people
> > concentrate on various branches.
> >
> > Workflow:
> >
> > * Mark name of a person preparing a patch for each branch
> > * If you have additional information (like a link to a patch), add it
> > to the record
> > * If a patch is posted to the mailing list, post a link to it (this
> > will be automated)
> > * When a patch reaches the "next" branch, mark it too (this will be
> > automated too)
> > * When the patch reaches the final branch, the line of the CVE is
> > automatically removed (this is already automated)
> > * The list is (re)generated every day
> >
> >
> > Please have a look at the procedure proposal and at how the tracking
> > might look:
> >
> > https://wiki.yoctoproject.org/wiki/Synchronization_CVEs
>
>
> This looks very useful. Thanks!
> If I understand correctly, the fact that the beginning of each line is
> generated automatically is a way to make sure nobody with Wiki write
> rights can hide a vulnerability by removing it from the list, right?
>
Hello Michael,
The auto-generation has multiple benefits:
* no removal by error or for any other reason while the vulnerability is
still there -> it will be re-added the next day
* less time spent reviewing the list

Regards,
Marta

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189669): 
https://lists.openembedded.org/g/openembedded-core/message/189669
Mute This Topic: https://lists.openembedded.org/mt/102077364/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] CVE work synchronization proposal

2023-10-20 Thread Michael Opdenacker via lists.openembedded.org

Hi Marta

On 20.10.23 at 10:36, Marta Rybczynska wrote:

Hello everyone,
We have a constant flow of work on pending CVEs. During my discussion
with multiple people, there is a common need for synchronization of
this work to avoid duplication or forgotten fixes.

We have a decision on the tooling to make: do we want to create a
Bugzilla entry for each new open CVE? An alternative is to use a wiki
page (this has been prototyped by Ross) with heavy scripting to
automate the tedious part.

Today I propose that you use a special wiki page and the following procedure:

On the wiki page, always add all additional information after a ";" sign
to allow scripting. The first part of each line (until ";") will be
auto-generated. The second part contains information about the issue,
like who is investigating or what the situation is.

There is a separate list for each branch, as we realize that people
concentrate on various branches.

Workflow:

* Mark name of a person preparing a patch for each branch
* If you have additional information (like a link to a patch), add it
to the record
* If a patch is posted to the mailing list, post a link to it (this
will be automated)
* When a patch reaches the "next" branch, mark it too (this will be
automated too)
* When the patch reaches the final branch, the line of the CVE is
automatically removed (this is already automated)
* The list is (re)generated every day


Please have a look at the procedure proposal and at how the tracking
might look:

https://wiki.yoctoproject.org/wiki/Synchronization_CVEs



This looks very useful. Thanks!
If I understand correctly, the fact that the beginning of each line is 
generated automatically is a way to make sure nobody with Wiki write 
rights can hide a vulnerability by removing it from the list, right?


Thanks again
Michael.

--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com





[OE-core] CVE work synchronization proposal

2023-10-20 Thread Marta Rybczynska
Hello everyone,
We have a constant flow of work on pending CVEs. During my discussion
with multiple people, there is a common need for synchronization of
this work to avoid duplication or forgotten fixes.

We have a decision on the tooling to make: do we want to create a
Bugzilla entry for each new open CVE? An alternative is to use a wiki
page (this has been prototyped by Ross) with heavy scripting to
automate the tedious part.

Today I propose that you use a special wiki page and the following procedure:

On the wiki page, always add all additional information after a ";" sign
to allow scripting. The first part of each line (until ";") will be
auto-generated. The second part contains information about the issue,
like who is investigating or what the situation is.

There is a separate list for each branch, as we realize that people
concentrate on various branches.

Workflow:

* Mark name of a person preparing a patch for each branch
* If you have additional information (like a link to a patch), add it
to the record
* If a patch is posted to the mailing list, post a link to it (this
will be automated)
* When a patch reaches the "next" branch, mark it too (this will be
automated too)
* When the patch reaches the final branch, the line of the CVE is
automatically removed (this is already automated)
* The list is (re)generated every day


Please have a look at the procedure proposal and at how the tracking
might look:

https://wiki.yoctoproject.org/wiki/Synchronization_CVEs

Kind regards,
Marta
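Added example (not the Yocto project's own script and not part of this thread): the daily regeneration step that the proposal describes and that Marta's reply relies on. It assumes a line format of "CVE-id package version ; note", where the part before ";" is regenerated from a scan of still-open CVEs and the part after it is the hand-written annotation; fixed CVEs drop out, an open CVE deleted by mistake reappears, and annotations survive the rewrite. All CVE ids, package names and links below are constructed sample data.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed: yesterday's wiki list for one branch. CVE-2023-0002 has since
# reached the final branch, and an open CVE-2023-0003 was deleted by mistake.
OLD_PAGE = """\
CVE-2023-0001 foo 1.2.3 ; marta is preparing a patch
CVE-2023-0002 bar 4.5.6 ; patch on list https://lists.example/patch-0002 (hypothetical)
Some unrelated wiki text without a separator
"""

# Constructed: today's scan of CVEs still open on this branch (id, package, version).
OPEN_CVES = [
    ("CVE-2023-0004", "qux", "2.0.0"),   # new today
    ("CVE-2023-0001", "foo", "1.2.3"),   # still open, keeps its annotation
    ("CVE-2023-0003", "baz", "7.8.9"),   # still open, was removed from the page
]


def parse_page(text):
    """Map CVE id -> hand-written annotation (everything after the first ';')."""
    notes = {}
    for line in text.splitlines():
        if ";" not in line:
            continue  # not a tracking line, leave it out of the merge
        auto, _, note = line.partition(";")
        match = CVE_RE.search(auto)
        if match:
            notes[match.group()] = note.strip()
    return notes


def regenerate(open_cves, old_page):
    """Rebuild the list from the scan: the auto part is always regenerated,
    the annotation is carried over by CVE id. Anything not in the scan
    disappears (fixed), anything in the scan reappears (even if deleted)."""
    notes = parse_page(old_page)
    lines = []
    for cve, pkg, ver in sorted(open_cves):
        lines.append(f"{cve} {pkg} {ver} ; {notes.get(cve, '')}".rstrip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(regenerate(OPEN_CVES, OLD_PAGE), end="")
```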
