Re: [opinion] CVE-patching is not sufficient for package security patching

[Leo Famulari <leo@famulari.name>]

[-- Attachment #1: Type: text/plain, Size: 3198 bytes --]

On Tue, Mar 16, 2021 at 12:10:26PM +0100, Léo Le Bouter wrote:
> For these reasons, I suggest that we always strive to update packages
> to their latest versions and that I think it is security relevant to
> always do so. Of course, new code could *introduce* new vulnerabilities
> but I am not trying to debate this, it's that to the best of the
> upstream's knowledge chances are that the latest version will contain
> more security fixes than older versions (if that upstream is actually
> maintaining the project).

I agree that every new release can be considered to have fixed security
problems.

Please read the rest of my message while keeping in mind that I have
spent *a lot* of time working on security in Guix over the years.

We must keep in mind that there are other values besides security.
Additionally, this kind of "security" mindset is a somewhat narrow way
of considering the problem of secure computing. It's important to
remember that security can be modeled with 3 factors: confidentiality,
integrity, and availability. The 3rd factor is often overlooked.

In terms of making a distro, there is a spectrum of approaches.

At one end of the spectrum, there is something like PyPi, which is just
a clearinghouse for upstream projects to distribute their code.
Everything is always updated to the latest version. It does not provide
a working system, even within the narrow world of "just Python"; there
are broad incompatibilities among the latest versions of Python
programs.

On the other end is the approach of Red Hat and Debian. They laboriously
filter the upstream software to provide stable operating systems.  They
do fix security bugs, but only after extensive validation that
functionality is not changed. The result is useful but the cost is very
high.

Guix has always been in the middle, along with other rolling release
distros, and I think that's a good place for us to be. With our superior
tooling we can be "more stable than rolling release" while also "moving
faster than stable".

It's instructive to consider the Linux kernel. They release about once a
week, and every release fixes serious but unpublicized bugs. At the time
they are announcing the release, they are already aware of other serious
bugs, that might be fixed in the next release. It sounds terrible, and
yet Linux is by far the most popular and useful general-purpose
operating system. The world of computing, which is based on Linux,
continues to serve our civilization well. That's because the most
important thing value in Linux development is to not break anything for
users; security is not the top priority, but just another important
thing to consider.

I think that, as an operating system distro, we must adopt a similar
mindset, and be careful not to sacrifice too much for an abstract sense
of security based on fixing CVEs, which are an arbitrary system that
have little bearing on utility or safety in the real world, which is
where security matters. Of course we should fix CVEs, but we must also
recognize that rushing too much reduces stability and availability. We
have to weigh the costs and benefits every time.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]