documentation/content/en/books/porters-handbook/security/_index.adoc
Update the port promptly with respect to the author's fix.
If the fix is delayed for some reason, either crossref:porting-dads[dads-noinstall,mark the port as `FORBIDDEN`] or introduce a patch file to the port.
In the case of a vulnerable port, just fix the port as soon as possible.
In either case, follow crossref:port-upgrading[port-upgrading,the standard procedure for submitting changes] unless having rights to commit it directly to the ports tree.
[IMPORTANT]
====
Being a ports committer is not enough to commit to an arbitrary port.
- Remember that ports usually have maintainers, must be respected.
+ Remember that ports usually have maintainers, who must be respected.
====
Please make sure that the port's revision is bumped as soon as the vulnerability has been closed.
That is how the users who upgrade installed packages on a regular basis will see they need to run an update.
Besides, a new package will be built and distributed over FTP and WWW mirrors, replacing the vulnerable one.
Bump `PORTREVISION` unless `DISTVERSION` has changed in the course of correcting the vulnerability.
That is, bump `PORTREVISION` if adding a patch file to the port, but do not bump it if updating the port to the latest software version and thus already touched `DISTVERSION`.
Please refer to the crossref:makefiles[makefile-naming-revepoch,corresponding section] for more information.
[[security-notify]]
== Keeping the Community Informed
[[security-notify-vuxml-db]]
=== The VuXML Database
A very important and urgent step to take as early after a security vulnerability is discovered as possible is to notify the community of port users about the jeopardy.
- Such notification serves two purposes.
+ Such a notification serves two purposes.
grahamperrin: The order of words is strange (for example, as early after a security vulnerability is discovered as possible). Also, re: discovery, port users should be notified only if a vulnerability is already publicly disclosed.

[Done] pauamma_gundo.com: Agreed to both, but out of scope.

[Done] pauamma_gundo.com: On second thought, fixing syntax. The other one is above my pay grade.
First, if the danger is really severe it will be wise to apply an instant workaround.
For example, stop the affected network service or even deinstall the port completely until the vulnerability is closed.
Second, a lot of users tend to upgrade installed packages only occasionally.
They will know from the notification that they _must_ update the package without delay as soon as a corrected version is available.
Given the huge number of ports in the tree, a security advisory cannot be issued on each incident without creating a flood and losing the attention of the audience when it comes to really serious matters.
- Therefore security vulnerabilities found in ports are recorded in https://vuxml.freebsd.org/[the FreeBSD VuXML database].
+ Therefore security vulnerabilities found in ports are recorded in https://vuxml.freebsd.org/[the FreeBSD VuXML database], which Security Team members also monitor for issues requiring their intervention.
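Review bot: the clause added to this line names "Security Team" with no link, while the same team is linked further down in this diff as `link:https://www.freebsd.org/administration.html#t-secteam[FreeBSD Security Team]`, and the inline thread already shows the bare name being read as the Ports Security Team. Link it at this first mention and use the full name, for example `..., which link:https://www.freebsd.org/administration.html#t-secteam[FreeBSD Security Team] members also monitor for issues requiring their intervention.` Since riggs notes that the VuXML page holds both base-system and ports entries, also say whether the Ports Security Team monitors it too, so a reader knows which team to expect to act on a ports entry.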
[Done] grahamperrin: Security Officer is not a team. Also, conciseness.

[Done] riggs: Generally, here and all the other places in the doc: I'd mention both the Security Team (#t-secteam) and Ports Security Team (#t-ports-secteam). Our vuxml page (https://vuxml.freebsd.org/freebsd/index.html) contains both base system and ports vulnerabilities.

[Done] pauamma_gundo.com: Do you mean mention both where either is mentioned? Otherwise there's only here, unless I missed something.

[Not Done] grahamperrin: Be explicit, so that the first sight of _Security Team_ in the context of porting is not misinterpreted as the FreeBSD Ports Security Team.

[Done] pauamma_gundo.com: I can't reconcile your request with the one above it by @riggs, which I think asks me to mention Ports Security instead. Which should it be?

[Done] pauamma_gundo.com:
> I can't reconcile your request with the one above it by @riggs, which I think asks me to…

*ping* @riggs @grahamperrin
- The Security Officer Team members also monitor it for issues requiring their intervention.
- Committers can update the VuXML database themselves, assisting the Security Officer Team and delivering crucial information to the community more quickly.
+ Committers can update the VuXML database themselves, assisting the Security Team and delivering crucial information to the community more quickly.
[Not Done] grahamperrin: Do you mean, a bug report with a summary line something like what's below?
> security/vuxml…

[Done] pauamma_gundo.com: Yes.

[Done] grahamperrin: Security Officer is not a team.
- Those who are not committers or have discovered an exceptionally severe vulnerability should not hesitate to contact the Security Officer Team directly, as described on the https://www.freebsd.org/security/#how[FreeBSD Security Information] page.
+ Port maintainers can create VuXML entries for their vulnerable ports and file bugs requesting security/vuxml updates.
+ Those who are not committers or have discovered an exceptionally severe vulnerability should not hesitate to contact the link:https://www.freebsd.org/administration.html#t-ports-secteam[FreeBSD Ports Security Team] first.
[Done] grahamperrin:

[Done] pauamma_gundo.com: Done as 2 sentences.

[Done] grahamperrin: https://www.freebsd.org/security/#how is wrong. Nearby https://www.freebsd.org/security/#reporting might be better, however it contradicts what's drafted here; there's no mention of the FreeBSD Ports Security Team.

[Done] pauamma_gundo.com: Made it clearer that "as described on..." applies to contacting the security team only, not the ports security team.
+ If needed, also contact the link:https://www.freebsd.org/administration.html#t-secteam[FreeBSD Security Team] as described on the link:https://www.freebsd.org/security/#reporting[FreeBSD Security Information] page.
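Review bot: the three new sentences (maintainers "file bugs requesting security/vuxml updates", non-committers "contact the ... Ports Security Team first", and "If needed, also contact the ... Security Team") leave the escalation path under-specified: the bug sentence does not say which component to file against or what summary line to use (grahamperrin's question about a `security/vuxml` summary line is still marked Not Done in this thread), and "If needed" gives no criterion. Spell both out, for example: file the bug against the ports tree with a summary starting `security/vuxml:`, and involve the Security Team when the vulnerability is exceptionally severe or also affects the base system. The first sentence also reads as if maintainers can add entries directly; make explicit that a maintainer without a commit bit submits the entry through that bug, which is why the two clauses belong together. Finally, the `#reporting` page linked here describes contacting the Security Team only, so either drop "first" from the Ports Security Team sentence or reconcile that page with this ordering before landing.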
[Done] grahamperrin: Security Officer is not a team.

[Not Done] grahamperrin:
> Security Officer is not a team.

Sorry: I'm mistaken here (and might have made the same mistake elsewhere). I learnt to treat https://www.freebsd.org/administration/#t-secteam as authoritative, there's no Officer Team. Later discovered, Security Officer Team does exist at https://gitlab.com/FreeBSD/freebsd-doc/-/blob/9587d12749acb8edfdb8ea771e72631592050900/shared/en/teams.adoc?plain=1#L86-88:

```text
:security-officer-name: Security Officer Team
:security-officer-email: security-officer@FreeBSD.org
:security-officer: {security-officer-name} <{security-officer-email}>
```

Historically (2002): https://cgit.freebsd.org/doc/commit/?id=798336ef5cff10c92f5ba3d06b21f633734a7e1e

[Not Done] grahamperrin:
The VuXML database is an XML document.
Its source file [.filename]#vuln.xml# is kept right inside the port package:security/vuxml[].
Therefore the file's full pathname will be [.filename]#PORTSDIR/security/vuxml/vuln.xml#.
Each time a security vulnerability is discovered in a port, please add an entry for it to that file.
Until familiar with VuXML, the best thing to do is to find an existing entry fitting the case at hand, then copy it and use it as a template.
[[security-notify-vuxml-intro]]