From: Leo Famulari
To: Léo Le Bouter
Cc: guix-devel@gnu.org
Subject: Re: [opinion] CVE-patching is not sufficient for package security patching
Date: Tue, 16 Mar 2021 15:15:03 -0400
List-Id: "Development of GNU Guix and the GNU System distribution."
In-Reply-To: <9b9a43a584e2dc70488482fce5931b46abd0e006.camel@zaclys.net>
On Tue, Mar 16, 2021 at 12:10:26PM +0100, Léo Le Bouter wrote:
> For these reasons, I suggest that we always strive to update packages
> to their latest versions and that I think it is security relevant to
> always do so. Of course, new code could *introduce* new vulnerabilities
> but I am not trying to debate this, it's that to the best of the
> upstream's knowledge chances are that the latest version will contain
> more security fixes than older versions (if that upstream is actually
> maintaining the project).

I agree that every new release can be considered to have fixed security problems.

Please read the rest of my message while keeping in mind that I have spent *a lot* of time working on security in Guix over the years.

We must keep in mind that there are other values besides security. Additionally, this kind of "security" mindset is a somewhat narrow way of considering the problem of secure computing.
It's important to remember that security can be modeled with 3 factors: confidentiality, integrity, and availability. The 3rd factor is often overlooked.

In terms of making a distro, there is a spectrum of approaches. At one end of the spectrum, there is something like PyPI, which is just a clearinghouse for upstream projects to distribute their code. Everything is always updated to the latest version. It does not provide a working system, even within the narrow world of "just Python"; there are broad incompatibilities among the latest versions of Python programs.

On the other end is the approach of Red Hat and Debian. They laboriously filter the upstream software to provide stable operating systems. They do fix security bugs, but only after extensive validation that functionality is not changed. The result is useful but the cost is very high.

Guix has always been in the middle, along with other rolling release distros, and I think that's a good place for us to be. With our superior tooling we can be "more stable than rolling release" while also "moving faster than stable".

It's instructive to consider the Linux kernel. They release about once a week, and every release fixes serious but unpublicized bugs. At the time they are announcing the release, they are already aware of other serious bugs that might be fixed in the next release. It sounds terrible, and yet Linux is by far the most popular and useful general-purpose operating system. The world of computing, which is based on Linux, continues to serve our civilization well. That's because the most important value in Linux development is to not break anything for users; security is not the top priority, but just another important thing to consider.
I think that, as an operating system distro, we must adopt a similar mindset, and be careful not to sacrifice too much for an abstract sense of security based on fixing CVEs, which are an arbitrary system that has little bearing on utility or safety in the real world, which is where security matters. Of course we should fix CVEs, but we must also recognize that rushing too much reduces stability and availability. We have to weigh the costs and benefits every time.