
Prepare to add more information about our triaging of items.
Needs Review (Public)

Authored by emaste on Nov 1 2017, 7:43 PM.

Details

Reviewers
None
Group Reviewers
secteam
Summary

We need to be more clear about when we do security advisories and
what categorisation we use. This diff should start with addressing
that.

Diff Detail

Repository
rD FreeBSD doc repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 12389
Build 12665: arc lint + arc unit

Event Timeline

Generally looks good. Mostly grammar nits and some clarification needed.

en_US.ISO8859-1/htdocs/security/security.xml
59

This shouldn't be a new sentence, just merge it into the previous sentence.

66

disclosure

70

From should be capitalized for consistency. I think I would drop the trailing punctuation as these are sentence fragments.

80

What does unassisted mean in this context?

88

The last sentence seems rather negative. Should we say something like:

"Items that are not on this list are looked into individually and it will be determined then whether or not it will receive a Security Advisory or an Errata Notice."

And just drop the last sentence?

I have updated all requested changes and I will be updating the diff to reflect that.

en_US.ISO8859-1/htdocs/security/security.xml
80

Unassisted means that you can break into a kernel without needing helper tools. So for example that you can "jexec" directly into a running jail without additional need for ehm "Squid" running within the jail (just to name one random application).

Update with feedback from Gordon

remko marked 5 inline comments as done. Nov 2 2017, 6:25 AM
emaste added inline comments.
en_US.ISO8859-1/htdocs/security/security.xml
68

What does the "either" refer to?

en_US.ISO8859-1/htdocs/security/security.xml
68

Perhaps that summary can be better like:

From either:

  • The kernel;
  • or a privileged process;
  • or a process owned by another user

Or something?

en_US.ISO8859-1/htdocs/security/security.xml
68

"Either" implies one of two; probably

From one of:

  • The kernel
  • A privileged process
  • A process owned by another user

We ought to add some guidance on how we handle issues - when they're kept secret until SA, vs committed to HEAD, MFC'd, and then rolled into a SA or EN.

Depending on the severity of the issue and on external constraints a patch may be (kept secret? embargoed?) until the SA is released. For lower severity issues the change may be committed directly to HEAD and merged to stable branches before appearing in a SA or EN.

en_US.ISO8859-1/htdocs/security/security.xml
85

We should probably drop "very likely" since we give no indication of when it might not happen. Maybe just something like "A Security Advisory will be issued for (important? serious? exploitable?) issues that fall into one of these categories."

emaste added a reviewer: remko.

We'll need to redo this after the AsciiDoc conversion, there might be some outstanding items but we should at least do this as an interim step.

-@remko, who has retired from FreeBSD