
#1 2008-05-12 10:10:04

foxbunny
Member
From: Serbia
Registered: 2006-10-31
Posts: 759

Security announcements?

Does the Arch Linux team publish any security announcements anywhere? I sometimes look at the Announcements section of the BBS, but I don't recall an _explicit_ channel for security announcements... Damn, been using Arch for about 1.5 years now and I still don't know stuff like that. :P


#2 2008-05-12 10:13:38

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 9,939

Re: Security announcements?

Well, there is a section of the forums called "Announcements, Package and Security Advisories"...

Someone used to maintain a security mailing list but it must have disappeared at some stage because I don't remember seeing anything from it in a while.


#3 2008-05-12 16:03:50

foxbunny
Member
From: Serbia
Registered: 2006-10-31
Posts: 759

Re: Security announcements?

The Announcements section is kinda untidy for my taste. I was hoping there would be a ML or something, but I see there is none... Thanks anyway.


#4 2008-05-12 16:30:18

Misery
Member
Registered: 2008-04-10
Posts: 41

Re: Security announcements?

I'd like to see a security ML for that, too. So every vulnerability of a package could be announced and discussed there. Also users could send a hint to that ML if a package has a security issue. Just a "package is outdated" button isn't enough for my taste.



#5 2008-05-12 17:11:15

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Security announcements?

Misery wrote:

I'd like to see a security ML for that, too. So every vulnerability of a package could be announced and discussed there. Also users could send a hint to that ML if a package has a security issue. Just a "package is outdated" button isn't enough for my taste.

Just report a bug.


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))


#6 2008-05-12 17:50:43

Misery
Member
Registered: 2008-04-10
Posts: 41

Re: Security announcements?

shining wrote:

Just report a bug.

That isn't an alternative. :-)
I won't watch every day for security bug reports in Flyspray. Or can it send every security bug to my email address automatically if I'm not the reporter and didn't click 'watch report'?
A security ML would be a nice "add-on" to bug reports... and a security team, of course.


#7 2008-05-12 19:08:19

carlocci
Member
From: Padova - Italy
Registered: 2008-02-12
Posts: 368

Re: Security announcements?

I think he meant report a feature request.

Maybe you could exploit other distros like Gentoo or Slackware for security announcements?
The programs are the same in the end.


#8 2008-05-12 19:27:34

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Security announcements?

No, I was just replying to the second part: "a package is outdated button is not enough".



#9 2008-05-12 19:28:10

peets
Member
From: Montreal
Registered: 2007-01-11
Posts: 936

Re: Security announcements?

Since Arch packagers don't modify the software much, it's more logical to look for security announcements at your installed software's respective bug-tracking systems / mailing lists. This can be a lot of work (I don't do it), but probably possible if you pick which programs to monitor (kernel, web browser, other internet-related programs, etc.).


#10 2008-05-12 19:28:40

Misery
Member
Registered: 2008-04-10
Posts: 41

Re: Security announcements?

Oh, ok.. a feature request. ;-) Maybe....

Yes, I already have some subscriptions for security issues. But I think that a ML for Arch should also give info about Arch's packages that need an upgrade. I don't care if Gentoo fixes that issue... I need a fix in Arch. Of course... I could take a patch and compile it by myself; that is what I do at the moment. But sometimes I don't know that a package in Arch is vulnerable.
That could be "fixed" if there is a little security team (just some users that will give info about new security issues).

Well... I don't know how to explain it. I think everyone knows what a security ML should do. ;-)
Most distros have a separate group for security bugs. They will inform users about those bugs, give patches and fix those packages with a higher priority.

I could help with that. ;-)


#11 2008-05-12 20:25:08

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: Security announcements?

I guess you mean something like http://slackware.com/security/list.php? … ity&y=2008 . I think it's cool having one as long as the reported issues get fixed in a short period of time and someone is willing to maintain it, of course.
To be perfectly honest I have tried browsing http://cve.mitre.org/ in order to get notifications for security issues in my email. Although I admit I didn't try that hard, I failed. Maybe Danimoth can share some of his experience with that. I seem to remember he had a page up dedicated to that but can't seem to be able to find it. :/


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)


#12 2008-05-12 20:56:17

Misery
Member
Registered: 2008-04-10
Posts: 41

Re: Security announcements?

Yes, something like that ML or [1] but with public access for Arch users so they can give hints for forgotten issues.
I'm willing to help with that security list and to fix those issues.

[1] https://lists.ubuntu.com/archives/ubunt … -announce/
(yeah, I know... many people don't like Ubuntu here ;))

Does anyone have interest in a ML like this? If I'm the only one I will shut up. ;)


#13 2008-05-12 22:08:36

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Security announcements?

There was apparently a project that started 3 years ago and died:
http://bbs.archlinux.org/viewtopic.php? … 70#p333370
http://wiki.archlinux.org/index.php/Security_Task_Force

But it is never too late to go on, you just need to be really motivated. :)



#14 2008-05-19 10:31:21

DaNiMoTh
Member
Registered: 2006-06-10
Posts: 253

Re: Security announcements?

I have stopped ALSWs because, in a distro like Arch, they are useless. Ok, some things can be improved (if there is a security bug open, it needs to be closed quickly) but, all included, the situation is not as bad as in Debian or similar. :)

If there is someone who wants to resume this project, I could help.


#15 2008-05-27 05:10:37

DasWu
Member
From: Germany
Registered: 2008-03-29
Posts: 13

Re: Security announcements?

I don't know whether I should write this here or better make a new thread (so a mod may move this if I'm wrong).

I'm rather interested in security. But I'm not that experienced in detecting holes and stuff like that. I'm also interested in helping the Arch Linux team. That Security Team which, as it seems, does not exist would be a great opportunity to contribute. But at this very moment I don't see clearly what could be done. I see at the moment:

1. Having an eye on software security announcements, but that is not very specific to Arch, as the only thing to do is to get fixes as soon as possible into core or extra.
2. There is no Security section, neither in the forum nor in the wiki. It might get some redundancy with the server section, because many things that are about security are mostly used on servers.
3. Another thing is maybe some kind of Ubuntu Hardened for Arch; it could contain stuff like SELinux, AppArmor or other stuff like this.

The question is whether there is a need to put time in things like that.

DasWu



--- under construction ---


#16 2008-05-27 05:30:51

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 1,872

Re: Security announcements?

A rather KISS approach I would take (if I actually _read_ all those security mails I get...):
Simply flag the affected package out-of-date, with a "SECURITY" comment and a link to the advisory/patch.

This of course depends on packages actually having a maintainer, and also on that maintainer reading his mails in a timely fashion.

And it wouldn't account for issues for which no patch or new release is available. But announcements for stuff like the Debian OpenSSL disaster could still get handled with frontpage news and the arch-announce list.

I don't think you really have to invest a lot into new infrastructure; it's more an issue of persistence and dedication.


I hate sigs. This one only exists to remind myself to get an avatar.


#17 2008-05-27 06:49:34

fukawi2
Forum Moderator
From: .vic.au
Registered: 2007-09-28
Posts: 4,705

Re: Security announcements?

DasWu wrote:

I'm rather interested in security. But I'm not that experienced in detecting holes and stuff like that. I'm also interested in helping the Arch Linux team. That Security Team which, as it seems, does not exist would be a great opportunity to contribute.

+1 for me... I'd love to help out if someone tells me how I'm best utilized. :) :P


#18 2008-05-27 09:09:45

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Security announcements?

DaNiMoTh did actually do these for a while; they didn't get much attention, and they stopped.

To be honest, it's just reproducing work needlessly, most distros use the same packages, so just monitoring another distro's list should do the job.

Or better, LWN. Daily they post the new advisories from each distro:
http://lwn.net/
http://lwn.net/Articles/283788/

And if daily is too much, buy a subscription (they cost next to nothing) and get them weekly.

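The approach peets and iphitus describe above (watch upstream or another distro's advisories, and act only when the version you actually have installed is older than the fix) as an added example; this is not code from the thread or from the Arch project. It assumes a constructed advisory list in a simple "package fixed-version reference" form, such as one might transcribe from LWN's daily summary or another distro's list (the references are placeholders, not real advisory IDs), and a constructed sample of `pacman -Q` output. The fallback version comparison is a simplified reimplementation of the rpmvercmp rules pacman follows, so the real `vercmp` binary is preferred whenever it is installed.

```python
"""Cross-check advisories from another distro against locally installed packages.

Added example for this thread, not Arch tooling. The fallback comparison is a
simplified rpmvercmp; pacman's own `vercmp` binary is used when available.
"""
import re
import shutil
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed sample of `pacman -Q` output (not from a real system).
SAMPLE_PACMAN_Q = """\
openssl 0.9.8g-1
openssh 4.7p1-2
firefox 2.0.0.13-1
linux 2.6.25.3-1
vim 7.1.285-1
"""

# Constructed advisory list; the references are placeholders, not real IDs.
SAMPLE_ADVISORIES = """\
# package   fixed-version   reference
openssl     0.9.8h-1        example-advisory-1
openssh     5.0p1-1         example-advisory-2
firefox     2.0.0.14-1      example-advisory-3
vim         7.1.200-1       example-advisory-4
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _cmp_segments(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric segments compare as integers, alpha ones
    lexically, numeric beats alpha. Separators are ignored, which is where this
    differs from pacman on odd strings; use the real `vercmp` when in doubt."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Leftover: a trailing alpha segment ("1.0a") is older than "1.0",
    # a trailing numeric segment ("1.0.1") is newer.
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))].isalpha() else sign


def _split(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]pkgver[-pkgrel]' into (epoch, pkgver, pkgrel)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    ver, rel = v.rsplit("-", 1) if "-" in v else (v, "")
    return epoch, ver, rel


def vercmp(a: str, b: str, use_system: bool = True) -> int:
    """Return -1, 0 or 1 like `vercmp a b`; shell out to pacman's binary if present."""
    if use_system and shutil.which("vercmp"):
        out = subprocess.run(["vercmp", a, b], capture_output=True, text=True, check=True)
        return int(out.stdout.strip())
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_segments(va, vb)
    if r != 0 or not (ra and rb):   # pkgrel only matters when both have one
        return r
    return _cmp_segments(ra, rb)


def parse_pacman_q(text: str) -> Dict[str, str]:
    """Parse `pacman -Q` output ('name version' per line) into a dict."""
    return {p[0]: p[1] for p in (ln.split() for ln in text.splitlines()) if len(p) == 2}


def parse_advisories(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'package fixed-version reference' lines, skipping comments/blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, fixed, ref = line.split(None, 2)
            entries.append((name, fixed, ref))
    return entries


def find_vulnerable(installed: Dict[str, str], advisories: List[Tuple[str, str, str]],
                    cmp: Callable[[str, str], int] = vercmp) -> List[Tuple[str, str, str, str]]:
    """Installed packages whose version is older than the advisory's fixed version."""
    return [(name, installed[name], fixed, ref) for name, fixed, ref in advisories
            if name in installed and cmp(installed[name], fixed) < 0]


def installed_packages() -> Dict[str, str]:
    """Live query of the local package database (for real use instead of the sample)."""
    return parse_pacman_q(subprocess.run(["pacman", "-Q"], capture_output=True,
                                         text=True, check=True).stdout)


if __name__ == "__main__":
    hits = find_vulnerable(parse_pacman_q(SAMPLE_PACMAN_Q), parse_advisories(SAMPLE_ADVISORIES))
    for name, have, fixed, ref in hits:
        print(f"{name}: installed {have}, fixed in {fixed} ({ref})")
```

On a real box swap the sample for `installed_packages()`. Treat hits as things to check, not verdicts: the fixed version comes from the other distro or upstream, so an Arch package that got the fix backported with only a pkgrel bump (say 0.9.8g-2) is still reported as older than 0.9.8h-1. That check is exactly the point where flagging the package out-of-date with a SECURITY note and opening a bug, as byte and DaNiMoTh suggest later in the thread, makes sense.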

#19 2008-05-27 09:54:50

DasWu
Member
From: Germany
Registered: 2008-03-29
Posts: 13

Re: Security announcements?

In other words, and to answer my question (even if not every part is covered by the responses), there is no need for such a team...

Wu



#20 2008-05-27 13:04:15

DaNiMoTh
Member
Registered: 2006-06-10
Posts: 253

Re: Security announcements?

byte wrote:

Simply flag the affected package out-of-date, with a "SECURITY" comment and a link to the advisory/patch.

And open a bug with tag Security in bug tracker.


#21 2008-05-28 12:55:45

foxbunny
Member
From: Serbia
Registered: 2006-10-31
Posts: 759

Re: Security announcements?

I actually don't think a security ML is a necessity anymore. :P

It should only make sense for packages that were modified in a way that could theoretically compromise security (such as deviation from default settings for a SQL server, etc), and if someone discovers that. But other than that, it should be perfectly reasonable for users to invest time in reading upstream announcements for intact packages.
