[arch-general] Fwd: A plea for communication from Arch devs & maintainers

Jonas Witschel diabonas at archlinux.org
Wed Nov 3 10:42:06 UTC 2021


On 2021-11-02 20:19, Sam Mulvey via arch-general wrote:
> > I've maintained a lot of local package updates for security fixes where the
> > maintainer went missing or ignored emails about it. Unfortunately this
> > seems to be a requirement for anyone wanting an up-to-date Arch system
> > these days.
> 
> This seems like something that could be informally organized in a way that
> would make it easier for maintainers to interface with.

We keep track of the open security issues in our security tracker [1]. If you
want to help out getting some of these fixed, the most effective way would be
going through this list and opening reports in our bug tracker for packages
where a fix is available. In contrast to trying to email the individual
maintainers without any involvement of the security team [2], this allows us to
easily see when package updates are required for security.

Opening a bug report with the necessary information is very simple: just select
the corresponding Arch Vulnerability Group (AVG) in the security tracker [1]
and click on the "Create Ticket" button. This will open our bug tracker with a
pre-filled template. The only additional information you need to provide is the
"Guidance" section, i.e. a suggestion on how to fix the issues (upgrading the
package to a more recent version, applying certain patches and where to find
these, etc.).
Please make sure to only open bug reports where a fix is actually available: we
keep track of a lot of issues where no resolution is available yet; spamming
the bug tracker with reports about these does not help, as there is nothing we
can do in this case.

If you are aware of any open security issues that are not yet included in the
security tracker, we would love to hear about them! The easiest way to get in
touch is the #archlinux-security IRC channel on Libera Chat, but see [2] for
more ways of contact.
We are also always looking for more security team members to help keep track
of and fix newly disclosed vulnerabilities. If that sounds interesting to you,
the IRC channel would also be the best place to start.

Finally, I would like to contest the assertion that users would need "a lot of
local package updates for security fixes" in order to keep a secure system:
looking at the open security issues in [1], the vast majority of these are
unresolved upstream, so no package update will solve them. There is indeed a
non-zero number of packages that could be version-bumped or patched to fix some
issues, but overall we seem to be able to keep up with security vulnerabilities
relatively fine.

Best,
Jonas

[1] https://security.archlinux.org/
[2] https://wiki.archlinux.org/title/Arch_Security_Team

-- 
Jonas Witschel
Arch Linux Developer, Trusted User and security team member
PGP key: FE2E6249201CA54A4FB90D066E80CA1446879D04