Report – FAD 1 Nov 2014 – theme security

Hello,

Last weekend I participated in a Fedora Activity Day (FAD) aimed at introducing participants to the Fedora Security Team, its mission and activities. This post is a retrospective review of the day and the lessons learned.

The day began with me introducing the participants to the Fedora Security Team, the security features Fedora currently offers, and why we need to do much more to make sure that Fedora users are secure by default.

    See -> https://pjp.fedorapeople.org/fedorasec.html

This introductory talk was followed by triaging of open security bugs; there are more than 500 of them. Security bugs are marked with Keywords: Security, meaning the bug in question might have security implications and could facilitate unauthorised/undue access to users. I started triaging with the oldest bugs to figure out why they were still open. This in turn lets us see the possible lapses which allow such bugs to remain unattended for longer than they should be.

Why do security bugs stay open and unattended…?

  • Appropriate fixes are unavailable, i.e. patches do not exist at all. BZ#864897
  • Appropriate fixes are available, but the maintainer does not know about them. BZ#782620, BZ#851773, BZ#887451
  • Appropriate fixes are available, but the package is due for retirement and is thus ignored. BZ#838162. The package is _not_ retired.

These bugs were unattended for more than 2 years and have severe implications such as Man in The Middle (MiTM) attacks, Arbitrary Code Execution (ACE) and Denial of Service (DoS).
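To make the triage pass above repeatable, here is an added example script (not part of the original post or of any Fedora tooling) that sorts a list of bug records oldest-first, keeps only those carrying the Security keyword, and buckets each into the three lapse categories just listed, flagging those open for more than two years. The record fields and the bug ids are constructed assumptions, not real Bugzilla data.

```python
from datetime import date, timedelta

# Constructed sample records, shaped loosely like a Bugzilla list export.
# Bug ids and field values are hypothetical, not real Fedora bugs.
SAMPLE_BUGS = [
    {"id": 100001, "keywords": "Security", "opened": "2012-02-10",
     "fix_available": False, "maintainer_aware": False, "retirement_planned": False},
    {"id": 100002, "keywords": "Security, Triaged", "opened": "2012-09-01",
     "fix_available": True, "maintainer_aware": False, "retirement_planned": False},
    {"id": 100003, "keywords": "Security", "opened": "2013-06-15",
     "fix_available": True, "maintainer_aware": True, "retirement_planned": True},
    {"id": 100004, "keywords": "Triaged", "opened": "2011-01-01",          # not a security bug
     "fix_available": False, "maintainer_aware": False, "retirement_planned": False},
    {"id": 100005, "keywords": "Security", "opened": "2014-09-20",
     "fix_available": True, "maintainer_aware": True, "retirement_planned": False},
]

STALE_AFTER = timedelta(days=2 * 365)   # "unattended for more than 2 years"

# Category -> the follow-up the post suggests for it.
NEXT_ACTION = {
    "no-fix-available": "track upstream; no patch exists to apply",
    "fix-available-maintainer-unaware": "ping maintainer with periodic [NEEDINFO]",
    "fix-available-package-pending-retirement": "confirm package is not retired; then [NEEDINFO]",
    "in-progress": "no lapse detected; keep monitoring",
}


def lapse_category(bug):
    """Map one bug record onto the three lapse categories from the triage."""
    if not bug["fix_available"]:
        return "no-fix-available"
    if not bug["maintainer_aware"]:
        return "fix-available-maintainer-unaware"
    if bug["retirement_planned"]:
        return "fix-available-package-pending-retirement"
    return "in-progress"


def triage(bugs, today):
    """Return Security-keyword bugs oldest-first with category, age and stale flag."""
    # Bugzilla keywords are comma separated, so match the token, not a substring.
    security = [b for b in bugs
                if "Security" in {k.strip() for k in b["keywords"].split(",")}]
    security.sort(key=lambda b: b["opened"])   # ISO dates sort chronologically
    out = []
    for b in security:
        age = today - date.fromisoformat(b["opened"])
        cat = lapse_category(b)
        out.append({"id": b["id"], "category": cat, "age_days": age.days,
                    "stale": age > STALE_AFTER, "next_action": NEXT_ACTION[cat]})
    return out
```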

How do we address these lapses…?

For the 2nd and 3rd cases above, wherein the due patches are available, I think we can address them by hounding the maintainers with periodic ‘[NEEDINFO]’ pings until they push an update. It won’t be as easy as it sounds, but it is an option nonetheless.

It is the 1st case, wherein the due patches are not available, that intrigues and interests me more. So, why aren’t these patches made available? One of the comments, BZ#864897#c12, says the fix requires functionality from OpenSSL 1.1 to be backported to the currently used version, OpenSSL 1.0.1i. I opened a bug against OpenSSL, BZ#1160172, but it was closed (deferred), saying it is not likely to happen any time soon. So the only option is for the application to do the TLS certificate validation by itself, which the package maintainer is unable to do. This leads me to another _grave_ concern that has been cropping up in recent times, i.e. the dwindling contributor base for some of the widely used and deployed FOSS projects.

This was discussed at LinuxCon last year or the year before: the average age of subsystem maintainers is rising towards the late 30s. At this stage they are likely to be occupied with families and other things in life and hence are unable to spend as much time on their projects. Siddhesh recently mentioned that becoming a parent could drop your productive time by as much as 30%. In yet another conversation I heard this applies to OpenSSL too. Upstream OpenSSL maintainers are well into their 40s and are a close-knit group, which is not welcoming enough to new entrants (reminds me of Mr Drepper and glibc a few years ago).

It is high time that we (Fedora) start taking measures towards grooming new contributors and package maintainers. In corporate parlance this is known as succession planning. It should be done by each individual project leader. As for the bugs and tasks that I come across, I have started posting them to the dgplug students list.

    See -> http://lists.dgplug.org/pipermail/users-dgplug.org/2014-November/thread.html

It has a lower hit ratio so far, but I hope it improves going forward. If not, we’ll keep dousing the same fire again and again.

    See -> Cybersecurity experts discover lapses in Heartbleed bug fix.
