{"id":6,"date":"2006-08-07T19:50:50","date_gmt":"2006-08-07T19:42:44","guid":{"rendered":""},"modified":"2017-03-07T16:21:43","modified_gmt":"2017-03-07T16:21:43","slug":"while_we_re_at_it_security_and_speed","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/frilled\/2006\/08\/07\/while_we_re_at_it_security_and_speed\/","title":{"rendered":"While we&#8217;re at it &#8230; security and speed"},"content":{"rendered":"<p>Since <a href=\"http:\/\/searchsecurity.techtarget.com\/originalContent\/0,289142,sid14_gci1202417,00.html\">SearchSecurity&#8217;s ranking<\/a> is dragging some attention, I&#8217;d like to share my opinion. Though being part of the security team I can only present my personal point of view (as always in this blog .-).<\/p>\n<p>You can doubt or disagree with the ranking in any form you like, and there may be some strange points in there. But that, frankly, is not important.<\/p>\n<p>What <em>is<\/em> important is to ask how good we <em>do<\/em> compared to how good we <em>can do<\/em>. And then make changes accordingly.<\/p>\n<p>First of all, note that we will not be able to deal with vulnerabilities like Ubuntu, or other companies that pay their employees for doing that stuff. We&#8217;re community-based. People spend their time digging into vulnerabilities, getting new ebuilds ready and testing them in their free time.<\/p>\n<p>Second, we do have a lot more architectures than other distros to care about. Not all are supported security-wise, but still, it&#8217;s a nice list if you want to make an impression.<\/p>\n<p>Third, fixes are often available way ahead of any GLSA. That is not true for every arch, it is not true for every case, and it is not generally true .-) Still, users who update often are indeed not so seldom protected even if no GLSA has been issued yet. 
The GLSA is only the last step in the whole process.<\/p>\n<p>That being said, it should be clear we are not aiming to be #1 on that list.<\/p>\n<p>But there are things we could make better.<\/p>\n<ul>\n<li>Work faster. That&#8217;s kinda hideous to say to somebody who is spending his free time on a project, of course. At least it applies evenly to sec team, herds and arch teams :] The latest vulnerabilities in the Mozilla products were a good example that shows a nice mix of problems:\n<ul>\n<li>The mozilla herd recently reformed itself and was thus hampered in action.<\/li>\n<li>Arch teams can&#8217;t always stabilize on time regarding the vulnerability policy.<\/li>\n<li>Sec team isn&#8217;t always as fast as it can be. (In this case the GLSA could have been ready once the last arch went stable, but it wasn&#8217;t. I do admit, for example, that I had not commented on the GLSA at that point in time yet, as I should have.)<\/li>\n<\/ul>\n<\/li>\n<li>Collect a little love for Security. Security bugs are fascinating to those who discover them, try to exploit them or try to defend against them. For developers interested in the progression of a piece of software, they are a boring nuisance that blocks the way ahead. Still, we might want to remind everybody that there <em>is<\/em> the <a href=\"http:\/\/www.gentoo.org\/security\/en\/vulnerability-policy.xml\">Vulnerability Treatment Policy<\/a>, and it&#8217;s agreed upon to be an important part of Gentoo.<\/li>\n<li>Enforce the policy. Another hideous suggestion, I know. But we might want to adhere more strictly to our own rules. We might want to mask apps with vulnerabilities that don&#8217;t get fixed in due time. This is of course bad, because it will break things. A lot. And I hate broken things.<\/li>\n<\/ul>\n<p>All this may, of course, be complete bull from someone who hasn&#8217;t been around long enough, at least from a dev&#8217;s perspective. And I don&#8217;t want all that &#8220;in there&#8221; like I wrote it. 
Nevertheless it might get one or two of you to think about it, poke me in the eye and suggest something better. Please!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since SearchSecurity&#8217;s ranking is dragging some attention, I&#8217;d like to share my opinion. Though being part of the security team I can only present my personal point of view (as always in this blog .-). You can doubt or disagree with the ranking in any form you like, and there may be some strange points &hellip; <a href=\"https:\/\/blogs.gentoo.org\/frilled\/2006\/08\/07\/while_we_re_at_it_security_and_speed\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">While we&#8217;re at it &#8230; security and speed<\/span><\/a><\/p>\n","protected":false},"author":49,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/posts\/6"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/comments?post=6"}],"version-history":[{"count":1,"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/posts\/6\/revisions"}],"predecessor-version":[{"id":20,"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/posts\/6\/revisions\/20"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/media?parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/categories?post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/frilled\/wp-json\/wp\/v2\/tags?post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}