
Prepare to add more information about our triaging of items.
Needs Review, Public

Authored by remko on Nov 1 2017, 7:43 PM.

Details

Reviewers
None
Group Reviewers
secteam
Summary

We need to be more clear about when we do security advisories and
what categorisation we use. This diff should start with addressing
that.

Diff Detail

Repository
rD FreeBSD doc repository
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 12389
Build 12665: arc lint + arc unit

Event Timeline

remko created this revision. Nov 1 2017, 7:43 PM
gordon added a subscriber: gordon. Nov 1 2017, 8:18 PM

Generally looks good. Mostly grammar nits and some clarification needed.

en_US.ISO8859-1/htdocs/security/security.xml
59

This shouldn't be a new sentence, just merge it into the previous sentence.

66

disclosure

70

From should be capitalized for consistency. I think I would drop the trailing punctuation as these are sentence fragments.

80

What does unassisted mean in this context?

88

The last sentence seems rather negative. Should we say something like:

"Items that are not on this list are looked into individually and it will be determined then whether or not it will receive a Security Advisory or an Errata Notice."

And just drop the last sentence?

remko added a comment. Nov 2 2017, 6:24 AM

I have updated all requested changes and I will be updating the diff to reflect that.

en_US.ISO8859-1/htdocs/security/security.xml
80

Unassisted means that you can break into a kernel without needing helper tools. So for example that you can "jexec" directly into a running jail without additional need for ehm "Squid" running within the jail (just to name one random application).

remko updated this revision to Diff 34658. Nov 2 2017, 6:24 AM

Update with feedback from Gordon

remko marked 5 inline comments as done. Nov 2 2017, 6:25 AM
emaste added a subscriber: emaste. Jan 2 2018, 6:53 PM
emaste added inline comments.
en_US.ISO8859-1/htdocs/security/security.xml
68

What does the "either" refer to?

remko added inline comments. Jan 2 2018, 7:04 PM
en_US.ISO8859-1/htdocs/security/security.xml
68

Perhaps that summary can be better like:

From either:

  • The kernel;
  • or a privileged process;
  • or a process owned by another user

Or something?

emaste added inline comments. Mar 22 2018, 3:34 PM
en_US.ISO8859-1/htdocs/security/security.xml
68

"Either" implies one of two; probably

From one of:

  • The kernel
  • A privileged process
  • A process owned by another user

We ought to add some guidance on when and how we handle issues - when they're kept secret until SA, vs committed to HEAD, MFC'd, and then rolled into a SA or EN.

Depending on the severity of the issue and on external constraints a patch may be (kept secret? embargoed?) until the SA is released. For lower severity issues the change may be committed directly to HEAD and merged to stable branches before appearing in a SA or EN.

en_US.ISO8859-1/htdocs/security/security.xml
85

We should probably drop "very likely" since we give no indication of when it might not happen. Maybe just something like "A Security Advisory will be issued for (important? serious? exploitable?) issues that fall into one of these categories."