[arch-dev-public] Get involved with tracking security issues in Arch Linux packages
Allan McRae
allan at archlinux.org
Sun Mar 9 00:56:57 EST 2014
Hi all,
A bit of background first! There are two main classes of security
issues that our packages can suffer from:
- a security issue disclosed and fixed by an update
- a security issue that requires backporting of patches
As a rolling release, we are fairly good at updating our software
quickly, so the first type is a minimal issue in Arch. The second type
of issue requires monitoring various mailing lists and noting which
packages are affected by an issue and getting the patch into the Arch
package.
We have had some great help in this area by a user 'RbN' who has been
filing bug reports about CVEs with links to the patches fixing the
issue. However, it is not a one person job, and they can not keep up alone.
So, I have created some infrastructure for tracking public security
issues in Arch packages. We now have a public mailing list
(arch-security at archlinux.org) and IRC channel (#archlinux-security on
freenode).
The initial purpose of these lists to get the Arch community helping the
developers to track new security issues and create bug reports with all
the needed information. It is NOT a general all purpose security
discussion board (at least at this stage). *Any posts about SELinux,
Tomoyo, etc, will result in the user being heavily moderated.*
I'm not sure how we are going to arrange everything to share the load
across people. Perhaps a wiki page with a list of CVEs for the month
and who is investigating them with a bug report or package version with
the fix. Things to figure out!
Note all private security reports should continue to be sent to
security at archlinux.org or the the Arch developer of the package involved.
Allan
More information about the arch-dev-public
mailing list