On 2021-11-02 20:19, Sam Mulvey via arch-general wrote:
> I've maintained a lot of local package updates for security fixes where the maintainer went missing or ignored emails about it. Unfortunately this seems to be a requirement for anyone wanting an up-to-date Arch system these days.
>
> This seems like something that could be informally organized in a way that would make it easier for maintainers to interface with.
We keep track of the open security issues in our security tracker [1]. If you want to help out getting some of these fixed, the most effective way would be going through this list and opening reports in our bug tracker for packages where a fix is available. In contrast to trying to email the individual maintainers without any involvement of the security team [2], this allows us to easily see when package updates are required for security.

Opening a bug report with the necessary information is very simple: just select the corresponding Arch Vulnerability Group (AVG) in the security tracker [1] and click on the "Create Ticket" button. This will open our bug tracker with a pre-filled template. The only additional information you need to provide is the "Guidance" section, i.e. a suggestion on how to fix the issues (upgrading the package to a more recent version, applying certain patches and where to find these, etc.).

Please make sure to only open bug reports where a fix is actually available: we keep track of a lot of issues where no resolution is available yet, and spamming the bug tracker with reports about these does not help, as there is nothing we can do in this case.

If you are aware of any open security issues that are not yet included in the security tracker, we would love to hear about them! The easiest way to get in touch is the #archlinux-security IRC channel on Libera Chat, but see [2] for more ways of contact.

We are also always looking for more security team members to help keep track of and fix newly disclosed vulnerabilities. If that sounds interesting to you, the IRC channel would also be the best place to start.

Finally, I would like to contest the assertion that users would need "a lot of local package updates for security fixes" in order to keep a secure system: looking at the open security issues in [1], the vast majority of these are unresolved upstream, so no package update will solve them. There is indeed a non-zero number of packages that could be version-bumped or patched to fix some issues, but overall we seem to be able to keep up with security vulnerabilities relatively fine.

Best,
Jonas

[1] https://security.archlinux.org/
[2] https://wiki.archlinux.org/title/Arch_Security_Team

--
Jonas Witschel
Arch Linux Developer, Trusted User and security team member
PGP key: FE2E6249201CA54A4FB90D066E80CA1446879D04
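The triage rule in the reply above (only open a ticket where a fix is actually available, skip AVGs that are unresolved upstream or already have a ticket) as an added example. This is not code from the Arch security team or the tracker project; it assumes AVG records with the fields `name`, `packages`, `status`, `severity`, `affected`, `fixed` and `ticket`, which is my assumption about the shape of the tracker's export, and every sample record below is constructed for this example.

```python
"""Triage helper for the security-tracker workflow described in the reply.

Added example, not the Arch security team's code. Record shape and sample
data are assumptions/constructions, not taken from the real tracker.
"""
from __future__ import annotations

from typing import Iterable

# Order used to put the most urgent report-worthy AVGs first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Unknown": 4}


def classify(avg: dict) -> str:
    """Place one AVG record into a triage bucket.

    needs_report        - still vulnerable, a fixed version is known, no ticket yet
    already_reported    - fix known but a bug-tracker ticket already exists
    unresolved_upstream - no fixed version known, nothing a report can change
    resolved            - tracker already lists it as Fixed / Not affected
    """
    status = avg.get("status", "")
    if status in ("Fixed", "Not affected"):
        return "resolved"
    if not avg.get("fixed"):
        return "unresolved_upstream"
    if avg.get("ticket"):
        return "already_reported"
    return "needs_report"


def triage(avgs: Iterable[dict]) -> dict[str, list[dict]]:
    """Bucket all records; report-worthy ones are sorted by severity, then name."""
    buckets: dict[str, list[dict]] = {
        "needs_report": [], "already_reported": [], "unresolved_upstream": [], "resolved": []
    }
    for avg in avgs:
        buckets[classify(avg)].append(avg)
    buckets["needs_report"].sort(
        key=lambda a: (SEVERITY_ORDER.get(a.get("severity", "Unknown"), 4), a["name"])
    )
    return buckets


def guidance(avg: dict) -> str:
    """Draft the 'Guidance' line a reporter has to fill in by hand on the ticket."""
    pkgs = ", ".join(avg.get("packages", []))
    return f"Upgrade {pkgs} from {avg['affected']} to {avg['fixed']} (see {avg['name']})."


# Constructed sample records; AVG numbers, packages, versions and the
# ticket id are placeholders, not real tracker entries.
SAMPLE_AVGS = [
    {"name": "AVG-0001", "packages": ["examplepkg"], "status": "Vulnerable",
     "severity": "High", "affected": "1.2.2-1", "fixed": "1.2.3-1", "ticket": None},
    {"name": "AVG-0002", "packages": ["otherpkg"], "status": "Vulnerable",
     "severity": "Critical", "affected": "4.0.0-2", "fixed": None, "ticket": None},
    {"name": "AVG-0003", "packages": ["thirdpkg"], "status": "Vulnerable",
     "severity": "Medium", "affected": "0.9-1", "fixed": "0.10-1", "ticket": "FS#00000"},
    {"name": "AVG-0004", "packages": ["donepkg"], "status": "Fixed",
     "severity": "Low", "affected": "2.0-1", "fixed": "2.1-1", "ticket": "FS#00001"},
    {"name": "AVG-0005", "packages": ["libexample", "libexample-docs"], "status": "Vulnerable",
     "severity": "Critical", "affected": "7.1-1", "fixed": "7.2-1", "ticket": None},
]


def report_worthy_names(avgs: Iterable[dict]) -> list[str]:
    """Names of AVGs for which a 'Create Ticket' report would actually help."""
    return [a["name"] for a in triage(avgs)["needs_report"]]


if __name__ == "__main__":
    result = triage(SAMPLE_AVGS)
    for bucket, items in result.items():
        print(f"{bucket}: {[a['name'] for a in items]}")
    for avg in result["needs_report"]:
        print("Guidance:", guidance(avg))
```

Running it on the constructed sample lists AVG-0005 and AVG-0001 as the only two worth a ticket; the Critical issue with no fixed version stays in `unresolved_upstream`, matching the point in the reply that such entries should not be filed.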