whole pile o' updates

Lubomir Kundrak lkundrak at redhat.com
Thu Feb 14 15:53:09 UTC 2008


Hi Jake,

On Thu, 2008-02-14 at 08:25 -0700, Jake Edge wrote:
> (Josh Bressers suggested I send my questions here rather than asking him
> or someone else directly)
> 
> Yesterday you folks released an enormous number of security updates.
> While I could selfishly complain about it being done on a Wednesday, my
> real issues are the following:
> 
> - it seems deliberate that the same alert ID tag was reused
> (FEDORA-2008-1435 and FEDORA-2008-1535), it would seem to be a bit
> confusing to refer to multiple alerts with the same ID, take a peek at:
> 
> http://lwn.net/Alerts/Fedora/
> 
> to see what I mean.

Basically there are to be considered just two updates, 
FEDORA-2008-1535 for Fedora 8 gecko-libs issues and
FEDORA-2008-1435 for Fedora 7 gecko-libs issues.

What is confusing here is that the announcement was split across
separate mails for each package. We are currently tracking the problem
for the update system [1].

[1] https://fedorahosted.org/fedora-infrastructure/ticket/392

> - those were all related to the same gecko vulnerabilities, which is what
> (I presume) motivated reusing the same IDs, but at least one (perhaps
> two, I can't remember for sure) of those, ruby-gnome2 also fixed a
> separate CVE that was unrelated to the mozilla pile
> 
> - How is it that so many packages were affected by these mozilla vulns?
>   Are they statically linked?  Reusing the code?  Have very restrictive
> dynamic library version numbers?  It just seems that a vulnerability in
> a component shouldn't necessarily have this kind of cascading effect.

Due to upstream (Mozilla) policy on ABI stability, all packages that are
dynamically linked to gecko libraries need to be rebuilt. (So basically
you were correct, it's the "restrictive dynamic library version
numbers"). This is definitely not ideal, but also not our fault --
the situation is expected to improve a lot with the advent of xulrunner in
Fedora 9 though. I'm not an expert on this, I might redirect you to our
Mozilla guys if you need more information.

They are all pushed as a single update to prevent dependency breakage
and if the update contains a security fix it is marked as security
update. It is possible that attack vectors don't exist for many of the
packages.

> - Overall, we have been noticing a decline in the quality of Fedora
> security alerts.  They are often missing basic information about what
> bug they are fixing (other than perhaps a reference to bugzilla,
> sometimes a link to the CVE).  I think if you read a lot of those alerts
> as if you were just a plain old user, you would find that some provide
> very little useful information to try and determine what problem is
> being fixed.  I can provide examples if necessary.  Is there something
> that can be done to standardize the format a bit?

We are attempting to concentrate the detail of fixed issues in bugzilla,
while using descriptive titles of bugs. The update description relies
upon the decision of the maintainers. I was personally convinced that it is
not needed provided references to bugzilla are good enough.

What can be done is to motivate the maintainers to provide useful
descriptions. Luke: Would it be possible to complement "Notes:" in bodhi
with something like: "Please provide 2-3 sentences to briefly describe
the nature of each of the problems being fixed" or something like that?

Thanks,
-- 
Lubomir Kundrak (Red Hat Security Response Team)
