Talk:SecurityCommittee/Security Vulnerability Handling
From Globus
Comments from Alain
- As the person in charge of the VDT, I like to get patches as soon as possible so that I can deliver an upgrade swiftly. In my ideal world, I would release my security fixes simultaneously with your announcement. I'm worried that one day lead time is insufficient for me. Is it possible to make it longer? I'm worried that the fact that I'm on the security committee doesn't actually help me react a whole lot more quickly: only by one day. Maybe three business days? Is that too much?
- You always publish the fix as a new gpt bundle. I think it would be very useful to have it published in two other ways:
  - A patch. I always immediately convert the bundle to a patch, and it lets me see what changed, and provides a simpler method to rebuild (given my build environment).
  - A CVS tag: for people checking out from CVS, they might prefer a CVS tag instead of a new bundle. Perhaps each security fix should be tagged? (And this should be listed as part of the security advisory.) For that matter, this page doesn't describe how the patch is provided: it should do so.
- If people delay commits to CVS (as described), there might be other conflicting changes to CVS after the security vulnerability is discovered but before the fix is committed. Is it useful to have a process to tell likely committers "please don't commit here for a while", or is that a bad idea, and the people fixing the problem just need to watch CVS carefully?
- As an active participant on the committee, I might be responsible one day for helping resolve the vulnerability. This is my only official connection to the Globus Alliance: If I start sending email to individual Globus developers encouraging them to work harder on the bug, will it be taken in the right way? How do I know who to talk to? I'm happy to help, but I'm worried about my ability to interact well as an outsider.
- One thing I don't like about the security advisories: There is no way for me to link to a specific advisory. I always say something like "see advisory for globus_gss_assist-2.33 on www.globus.org/..." Is it possible to have a unique URL for each advisory that doesn't change?
  From Charles: Actually, such a thing already exists. If you look at the source, there are "a name=" anchors for all the update packages. If you include the version (so that it will still work when the default version for the page changes), you're all set: http://www.globus.org/toolkit/advisories.html?version=4.0#globus_gss_assist-3.23 or http://www.globus.org/toolkit/advisories.html?version=3.2#globus_gss_assist-3.11. The name of the anchor is always equal to the text of the link that links to the FTP download.
- I see no process to evaluate the security risk. Many security advisories are not high risk. For example, I think that the recent gridmap bug was pretty low risk for most folks. I think that it would be useful for you to evaluate your perception of the risk. Yes, individuals still have to evaluate their perception of the risk, but I think that this is valuable information that you can provide to people.
- When you say "Note that Fridays or other days right before non-working days should be avoided for making announcements.", how do you determine non-working days? Is this US only? Will you annoy people if you release during a holiday in their country? I would keep it simple: release only on Monday-Thursday, unless it's rated as high risk. (High risk should come out as quickly as possible, with no regard to the day of the week.) In practice, people will know when they should delay a day or two in order to avoid inconvenience.
- I'm on the security committee mailing list, but I didn't know about the security alert mailing list. Should I be on it? Should it simply forward to the security committee? Or is it really a subset of the security committee that monitors that list?
  From Von: security-alert is an open list so that anyone can email to it. Which means it gets a lot of spam. Right now Rachana (and maybe someone else) is subscribed and filters out real content as a service to the rest of us. Anyone who wants to is welcome to join them as far as I know.
- This discussion is on a closed list. Should it be on an open list? It makes sense for security vulnerabilities to be secret while they are being fixed, but discussion about the process should be open so others can chime in.