Since SearchSecurity’s ranking is drawing some attention, I’d like to share my opinion. Though I am part of the security team, I can only present my personal point of view (as always in this blog .-).
You can doubt or disagree with the ranking in any form you like, and there may be some strange points in there. But that, frankly, is not important.
What is important is to ask how well we do compared to how well we could do. And then make changes accordingly.
First of all, note that we will not be able to deal with vulnerabilities the way Ubuntu does, or other companies that pay their employees for doing that stuff. We’re community-based. People spend their time digging into vulnerabilities, getting new ebuilds ready and testing them in their free time.
Second, we do have a lot more architectures than other distros to care about. Not all are supported security-wise, but still, it’s a nice list if you want to make an impression.
Third, fixes are often available way ahead of any GLSA. That is not true for every arch, it is not true in every case, and it is not generally true .-) Still, users who update often are indeed not so seldom protected even if no GLSA has been issued yet. The GLSA is only the last step in the whole process.
That being said, it should be clear we are not aiming to be #1 on that list.
But there are things we could make better.
- Work faster. That’s kinda hideous to say to somebody who is spending his free time on a project, of course. At least it applies evenly to sec team, herds and arch teams :] The latest vulnerabilities in the Mozilla products are a good example, showing a nice mix of problems:
  - The mozilla herd recently reformed itself and was thus hampered in action.
  - Arch teams can’t always stabilize on time with regard to the vulnerability policy.
  - Sec team isn’t always as fast as it can be. (In this case the GLSA could have been ready once the last arch went stable, but it wasn’t. I do admit, for example, that I had not commented on the GLSA at that point in time yet, as I should have.)
- Collect a little love for Security. Security bugs are fascinating to those who discover them, try to exploit them or try to defend against them. For developers interested in the progression of a piece of software, they are a boring nuisance that blocks the way ahead. Still, we might want to remind everybody that there is the Vulnerability Treatment Policy, and it’s agreed upon to be an important part of Gentoo.
- Enforce the policy. Another hideous suggestion, I know. But we might want to adhere more strictly to our own rules. We might want to mask apps with vulnerabilities that don’t get fixed in due time. This is of course bad, because it will break things. A lot. And I hate broken things.
All this may, of course, be complete bull from someone who hasn’t been around long enough, at least from a dev’s perspective. And I don’t want all that “in there” like I wrote it. Nevertheless it might get one or two of you to think about it, poke me in the eye and suggest something better. Please!
I’m not a dev, so take this with a grain of salt, but I don’t think your comments are out of line at all. Volunteer-based or not, I don’t know any people who can stand up and say, “there’s nothing we can do better than we do now.” This applies to virtually every avenue of life.
Software development might be the first concern, but the development of good practices and processes shouldn’t be overlooked or disregarded as less important. Security could even be improved by more planning and more auditing before something is released into the tree, just by that small act of being more careful.
Like I said, though, I’m not a dev. It just seems common sense to tread lightly and be thoughtful rather than reactionary and quick to decide… as long as it’s not at a Debian pace :p