From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Subject: [opinion] CVE-patching is not sufficient for package security patching
Date: Tue, 16 Mar 2021 12:10:26 +0100
Message-ID: <9b9a43a584e2dc70488482fce5931b46abd0e006.camel@zaclys.net>
Hello!

I would like to share an opinion I have on CVE-patching for non-rolling release GNU/Linux distributions and why we should strive to always update to the latest available releases or always follow upstream supported release series, and never backport patches ourselves in most cases (some upstreams may have really good practices, but these are rare).

A lot of security issues are patched silently in upstream projects without ever getting a CVE; security issues may not be labeled as such by upstreams for various reasons (fear of shame, the belief that a fix has no security impact when it does, a bizarre security-through-obscurity policy, ...).

For these reasons, I suggest that we always strive to update packages to their latest versions, and I think it is security-relevant to always do so. Of course, new code could *introduce* new vulnerabilities, but I am not trying to debate this; it's that, to the best of the upstream's knowledge, chances are that the latest version will contain more security fixes than older versions (if that upstream is actually maintaining the project).

In many cases, browsing through the commit history of some popular projects can uncover security issues not publicized through any security mailing lists or CVEs anywhere; this is unfortunately quite common. We cannot possibly monitor the commit history (and code) of every single project to backport fixes when we would need to. It is better for us to always strive to use the latest versions, even when it requires us to make more far-reaching changes because of dependents/dependencies.

Let me know what you think!
Léo
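One way to do the commit-history review Léo describes for a single project, as an added example that is not part of the original post and not Guix's own tooling: a small Python script that reads `git log` output and lists commits whose subject mentions common memory-safety or input-validation wording but names no CVE identifier. The term list, the assumed `--format='%h%x09%s'` log layout and the sample log lines are my own constructions; the hashes and the CVE number in the sample are placeholders.

```python
"""Heuristic triage of an upstream git log for quietly fixed security bugs.

This is an added example, not code from the mailing-list post or from Guix.
It assumes the log was produced with `git log --format='%h%x09%s'`, i.e. one
commit per line as "<abbreviated hash><TAB><subject>".  The keyword list is a
starting point, not an authoritative one, and the sample log below is
constructed for illustration (hashes and the CVE number are placeholders).
"""
import re
import subprocess
from typing import Iterator, List, NamedTuple, Tuple

# Wording that commonly appears in subjects of security-relevant fixes that
# upstreams did not label as such.  Deliberately broad: the goal is a short
# list for a human to read, not a precise classifier.
SECURITY_TERMS = [
    r"\boverflow\b",
    r"\buse[- ]after[- ]free\b",
    r"\bdouble[- ]free\b",
    r"\bout[- ]of[- ]bounds\b",
    r"\bnull (?:pointer )?deref",
    r"\bbounds? check",
    r"\bsanitiz",
    r"\bvalidat",
    r"\btraversal\b",
    r"\binjection\b",
    r"\bsecurity\b",
    r"\bvuln",
    r"\bcrash\b",
]
TERM_RE = re.compile("|".join(SECURITY_TERMS), re.IGNORECASE)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


class Finding(NamedTuple):
    commit: str
    subject: str
    matched: str   # the term that triggered the match, lower-cased
    has_cve: bool  # True when the subject already names a CVE id


def parse_log(text: str) -> Iterator[Tuple[str, str]]:
    """Split 'hash TAB subject' lines; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, _, subject = line.partition("\t")
        yield sha.strip(), subject.strip()


def triage(log_text: str) -> List[Finding]:
    """Return every commit whose subject matches a security term."""
    findings = []
    for sha, subject in parse_log(log_text):
        m = TERM_RE.search(subject)
        if m:
            findings.append(Finding(sha, subject, m.group(0).lower(),
                                    bool(CVE_RE.search(subject))))
    return findings


def silent_fixes(log_text: str) -> List[Finding]:
    """The subset that looks security-relevant but carries no CVE id."""
    return [f for f in triage(log_text) if not f.has_cve]


# Constructed sample log (not a real project's history); CVE-0000-0000 is a
# placeholder identifier.
SAMPLE_LOG = """\
a1b2c3d\tFix heap overflow when parsing oversized chunk headers
b2c3d4e\tBump version to 2.4.1
c3d4e5f\tparser: add bounds check on length field (CVE-0000-0000)
d4e5f6a\tUpdate translations
e5f6a7b\tAvoid use-after-free in connection teardown
f6a7b8c\tREADME: document new --strict flag
"""


def log_from_checkout(path: str, since: str = "1 year ago") -> str:
    """Read the log of a local checkout in the expected format (requires git)."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--since={since}", "--format=%h%x09%s"],
        check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    for f in silent_fixes(SAMPLE_LOG):
        print(f"{f.commit}  [{f.matched}]  {f.subject}")
```

Against a real checkout, feed `log_from_checkout("/path/to/upstream")` into `silent_fixes`. The script only shrinks one project's history to a list short enough for a person to read; that is still per-project work, which is exactly why it does not scale to every package in a distribution and why the post argues for tracking upstream releases instead.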