Security/support status of packages
Hi,
in the last development meeting the issue of security support in universe came up. The universe security support is less active than the one for main and this may lead to vulnerabilities not being fixed quickly.

One of the solutions for the future might be an automatic generation of CVE reports based on the data from https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master onto a location like changelogs.ubuntu.com. This could then be used by update-manager to check against the installed packages. Input from the security team if this is feasible would be welcome.

As a solution that can be implemented for hardy we discussed a new view in synaptic that would allow sorting packages by their support status. This would allow the user to more easily find packages installed but not in main. I was considering just putting it under the "Status" view in synaptic and adding a new emblem to add/remove (gnome-app-install) that tells about the support timeframe.

What do you think?

Thanks,
 Michael

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Security/support status of packages
On Wednesday 06 February 2008 15:10, Michael Vogt wrote:
> As a solution that can be implemented for hardy we discussed a new
> view in synaptic that would allow sorting packages by their support
> status. This would allow the user to more easily find packages
> installed but not in main. I was considering just putting it under the
> "Status" view in synaptic and adding a new emblem to add/remove
> (gnome-app-install) that tells about the support timeframe. What do
> you think?

But support status is more complex than that. One example is that desktop packages in Main fall out of support two years before server packages in Main do.

Scott K
Security/support status of packages
On Wed, Feb 06, 2008 at 09:10:15PM +0100, Michael Vogt wrote:
> in the last development meeting the issue of security support in
> universe came up. The universe security support is less active than
> the one for main and this may lead to vulnerabilities not being fixed
> quickly.
>
> One of the solutions for the future might be an automatic generation of
> CVE reports based on the data from
> https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> onto a location like changelogs.ubuntu.com. This could then be used by
> update-manager to check against the installed packages. Input from the
> security team if this is feasible would be welcome.

This would be more interesting as a tool for the security team than for end users. I think it is far preferable to ensure that the user knows the maintenance status of their installed software than to tell them after the fact when a vulnerability appears.

> As a solution that can be implemented for hardy we discussed a new
> view in synaptic that would allow sorting packages by their support
> status. This would allow the user to more easily find packages
> installed but not in main. I was considering just putting it under the
> "Status" view in synaptic and adding a new emblem to add/remove
> (gnome-app-install) that tells about the support timeframe. What do
> you think?

How would this differ from the existing emblem (Ubuntu logo) in Synaptic and Add/Remove which provides this information? I suppose easier sorting would be useful if this is not much work to add.

-- 
 - mdz
Security/support status of packages
On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > One of the solutions for the future might be an automatic generation of
> > CVE reports based on the data from
> > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > onto a location like changelogs.ubuntu.com. This could then be used by
> > update-manager to check against the installed packages. Input from the
> > security team if this is feasible would be welcome.
>
> This would be more interesting as a tool for the security team than for end
> users. I think it is far preferable to ensure that the user knows the
> maintenance status of their installed software than to tell them after the
> fact when a vulnerability appears.
>

Though, I do not think it's a bad idea to tell a user via Synaptic or even an update notifier bubble "One or more of your packages from the community maintained repositories has a security vulnerability". Sure, highly nontechnical users could care less about this information, but there's plenty of us here that would like to know when this is the case.

Either that, or a Synaptic emblem or filter that shows all Universe packages installed or to be installed that are afflicted with a vulnerability. Kind of like what portaudit does on FreeBSD.

If it's not a total pain to implement, I'd love to see this feature on Hardy.
Security/support status of packages
On Thu, Feb 07, 2008 at 09:17:57AM -0500, John Dong wrote:
> On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > > One of the solutions for the future might be an automatic generation of
> > > CVE reports based on the data from
> > > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > > onto a location like changelogs.ubuntu.com. This could then be used by
> > > update-manager to check against the installed packages. Input from the
> > > security team if this is feasible would be welcome.
> >
> > This would be more interesting as a tool for the security team than for end
> > users. I think it is far preferable to ensure that the user knows the
> > maintenance status of their installed software than to tell them after the
> > fact when a vulnerability appears.
> >
> Though, I do not think it's a bad idea to tell a user via Synaptic or even an
> update notifier bubble "One or more of your packages from the community
> maintained repositories has a security vulnerability". Sure highly nontechnical
> users could care less about this information, but there's plenty of us here that
> would like to know when this is the case.

I disagree; highlighting a problem without a solution makes the user feel worse, not better. The best response we could offer would be to provide a button to uninstall the vulnerable application, but would that actually help?

> Either that, or a Synaptic emblem or filter that shows all Universe packages
> installed or to be installed that are afflicted with a vulnerability. Kind of
> like what portaudit does on FreeBSD.
>
> If it's not a total pain to implement, I'd love to see this feature on Hardy.

Feature freeze for 8.04 is one week away, and I'm sure Michael has higher priority work to do on the features which are already planned.

-- 
 - mdz
Security/support status of packages
On Wed, 06 Feb 2008, Michael Vogt wrote:
> One of the solutions for the future might be an automatic generation of
> CVE reports based on the data from
> https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> onto a location like changelogs.ubuntu.com. This could then be used by
> update-manager to check against the installed packages. Input from the
> security team if this is feasible would be welcome.

Technically this is possible, as it is just a different type of report we could generate.

> As a solution that can be implemented for hardy we discussed a new
> view in synaptic that would allow sorting packages by their support
> status. This would allow the user to more easily find packages
> installed but not in main. I was considering just putting it under the
> "Status" view in synaptic and adding a new emblem to add/remove
> (gnome-app-install) that tells about the support timeframe. What do
> you think?

I am not sure this is the best idea as it could be confusing and/or upsetting to the user. That said, the security team is addressing the root problem (slow community updates) by:

1. Providing HTML reports generated by ubuntu-cve-tracker (implemented, but not public yet)
2. Building the Ubuntu security community [1]. We have already had our first IRC meeting, and it went quite well. :)

Hopefully these will address the need for being more transparent as well as building the community.

Jamie

[1] https://wiki.ubuntu.com/SecurityTeam

-- 
Email: jamie@ubuntu.com
IRC: jdstrand
Security/support status of packages
Matt Zimmerman [2008-02-07 14:58 +0000]:
> I disagree; highlighting a problem without a solution makes the user feel
> worse, not better.

But the alternative is to not highlight the problem at all, which is even worse. At least the user would be aware that he has an unsupported and potentially dangerous package installed. I saw a lot of complaints from users who installed some universe packages like clamav and were absolutely surprised (and furious) when they got to know that these had a ton of unfixed vulns. This sheds a very bad light on us, since we do not communicate clearly which packages are actually 'safe' to install, but we do enable universe/multiverse by default now.

> The best response we could offer would be to provide a button to
> uninstall the vulnerable application, but would that actually help?

Most users who don't care will keep it, but at least they are aware of it and we do not hide the problem from them. We cannot solve the problem properly, because there is too much crack in universe which is unmaintainable security-wise (which is one of the reasons why we have the main/universe boundary and MIR checks). So I agree that the best thing we can do is to properly communicate it.

Martin

-- 
Martin Pitt                        http://www.piware.de
Ubuntu Developer                   http://www.ubuntu.com
Debian Developer                   http://www.debian.org
Security/support status of packages
Hi,
Michael Vogt [2008-02-06 21:10 +0100]:
> As a solution that can be implemented for hardy we discussed a new
> view in synaptic that would allow sorting packages by their support
> status. This would allow the user to more easily find packages
> installed but not in main. I was considering just putting it under the
> "Status" view in synaptic and adding a new emblem to add/remove
> (gnome-app-install) that tells about the support timeframe. What do
> you think?

I'd also appreciate a list of currently installed unsupported packages. Such a list is surprisingly hard to create (and impossible for a nontechnical user).

Martin

-- 
Martin Pitt                        http://www.piware.de
Ubuntu Developer                   http://www.ubuntu.com
Debian Developer                   http://www.debian.org
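One concrete way to build the list Martin asks for, as an added example that is not code from the thread or from Ubuntu's own tools: it infers each installed package's archive component from the Section prefix in a Packages index and reports everything not in main, including packages that appear in no index at all. The index excerpt, the installed set and the 'mytool' entry are constructed for the example.

```python
"""Added example, not from the thread: installed packages outside 'main'.
Ubuntu Packages indexes carry no component field; outside main it is the
prefix of "Section" (e.g. "universe/net").  Index excerpt and installed
set are constructed; real data comes from /var/lib/apt/lists and dpkg."""
from typing import Dict, List, Tuple

PACKAGES_INDEX = """\
Package: openssh-server
Version: 1:4.7p1-8ubuntu1
Section: net

Package: clamav
Version: 0.92.1~dfsg-1ubuntu1
Section: universe/utils

Package: flashplugin-nonfree
Version: 9.0.115.0ubuntu1
Section: multiverse/web
"""

# Constructed installed set (as dpkg-query -W reports); 'mytool' is a locally built package in no index.
INSTALLED = [("openssh-server", "1:4.7p1-8ubuntu1"),
             ("clamav", "0.92.1~dfsg-1ubuntu1"),
             ("flashplugin-nonfree", "9.0.115.0ubuntu1"),
             ("mytool", "0.1-1local1")]


def parse_components(index_text: str) -> Dict[str, str]:
    """Map package name -> archive component derived from the Section field."""
    components: Dict[str, str] = {}
    for stanza in index_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        section = fields.get("Section", "")
        # "universe/utils" -> "universe"; a bare section such as "net" means main.
        components[fields["Package"]] = section.split("/", 1)[0] if "/" in section else "main"
    return components


def unsupported_installed(installed: List[Tuple[str, str]],
                          components: Dict[str, str]) -> List[Tuple[str, str]]:
    """Installed packages not in main; packages no index knows about are
    reported as 'unknown', since no archive component supports them."""
    return [(name, components.get(name, "unknown"))
            for name, _version in installed if components.get(name) != "main"]


if __name__ == "__main__":
    for name, component in unsupported_installed(INSTALLED, parse_components(PACKAGES_INDEX)):
        print(f"{name}: {component}")
```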
Security/support status of packages
On Thu, Feb 07, 2008 at 02:58:51PM +0000, Matt Zimmerman wrote:
> On Thu, Feb 07, 2008 at 09:17:57AM -0500, John Dong wrote:
> > On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > > > One of the solutions for the future might be an automatic generation of
> > > > CVE reports based on the data from
> > > > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > > > onto a location like changelogs.ubuntu.com. This could then be used by
> > > > update-manager to check against the installed packages. Input from the
> > > > security team if this is feasible would be welcome.
> > >
> > > This would be more interesting as a tool for the security team than for end
> > > users. I think it is far preferable to ensure that the user knows the
> > > maintenance status of their installed software than to tell them after the
> > > fact when a vulnerability appears.
> > >
> > Though, I do not think it's a bad idea to tell a user via Synaptic or even an
> > update notifier bubble "One or more of your packages from the community
> > maintained repositories has a security vulnerability". Sure highly nontechnical
> > users could care less about this information, but there's plenty of us here that
> > would like to know when this is the case.
>
> I disagree; highlighting a problem without a solution makes the user feel
> worse, not better.

So educating users about vulnerabilities that have a workaround would be ok?

 - Alexander
Security/support status of packages
On Fri, Feb 08, 2008 at 10:13:42AM +0100, Alexander Sack wrote:
> On Thu, Feb 07, 2008 at 02:58:51PM +0000, Matt Zimmerman wrote:
> > On Thu, Feb 07, 2008 at 09:17:57AM -0500, John Dong wrote:
> > > On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > > > > One of the solutions for the future might be an automatic generation of
> > > > > CVE reports based on the data from
> > > > > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > > > > onto a location like changelogs.ubuntu.com. This could then be used by
> > > > > update-manager to check against the installed packages. Input from the
> > > > > security team if this is feasible would be welcome.
> > > >
> > > > This would be more interesting as a tool for the security team than for end
> > > > users. I think it is far preferable to ensure that the user knows the
> > > > maintenance status of their installed software than to tell them after the
> > > > fact when a vulnerability appears.
> > > >
> > > Though, I do not think it's a bad idea to tell a user via Synaptic or even an
> > > update notifier bubble "One or more of your packages from the community
> > > maintained repositories has a security vulnerability". Sure highly nontechnical
> > > users could care less about this information, but there's plenty of us here that
> > > would like to know when this is the case.
> >
> > I disagree; highlighting a problem without a solution makes the user feel
> > worse, not better.
>
> So educating users about vulnerabilities that have a workaround would
> be ok?

Yes, or if we offer them the option of solving the problem brutally (i.e. removing the package). We shouldn't just say "look out! you're vulnerable!" because users who don't know what to do will panic.

-- 
 - mdz