Hi Alexander,

On Tue, Jul 23, 2024 at 09:23:10PM +0200, Solar Designer wrote:
> Hi,
>
> I've finally reviewed the links and re-read the thread.  Looks like
> we're OK to proceed with adding CentOS Project's Hyperscale SIG as a
> linux-distros member.
>
> Michel, please e-mail me off-list with PGP keys for all of you who need
> to be subscribed for Hyperscale.  I also need to know who will be
> managing this subscription on your end (informing me of any changes in
> who's to stay subscribed).
>

Thank you! I'll email once I have collected all the keys.
> On Wed, Jul 10, 2024 at 06:54:13PM -0500, Michel Lind wrote:
> > All three of us are Fedora developers - but AIUI, we will not and can
> > not use membership here to contribute Fedora patches - until the
> > embargo is over.
> >
> > For Hyperscale itself we plan to use the head start to have local builds
> > ready to go, and commit and do a public build as soon as the embargo is
> > over; if it needs collaboration we can use private Git repos and E2EE
> > private chats to discuss the fix among ourselves.
> >
> > This is, to the best of my knowledge, similar to how AlmaLinux handles
> > embargoed security issues - the fix is ready to go but is only made
> > available once the embargo is lifted.
> >
> > Now - wearing our Fedora hats, we certainly would try and help get this
> > fixed in Fedora once the embargo is over (as we've done before) - and
> > knowing a CVE is going to be made public would certainly help (e.g.
> > trying to make sure one of us is around) - but we won't be participating
> > in the list wearing our Fedora hat, or discuss embargoed issues with
> > people not on the list.
>
> This understanding is correct.  The membership and embargoed info is
> only for the specific distro "except with the reporter's explicit
> approval".  This exception means that you may occasionally ask whoever
> reported the issue to linux-distros for permission to use the
> information e.g. also for preparing a fix for Fedora even though you're
> subscribed for Hyperscale.  To avoid miscoordination, please keep such
> requests also CC'ed to the list.  Uses of this exception have been very
> rare so far, and it is expected that you wouldn't use it often, or else
> it'd make more sense to discuss the additional distro becoming a member.
>

Thanks. Good to know this exception exists, but I'm hoping to prod Fedora to onboard itself as a member anyway.
> FWIW, Fedora's fix for CVE-2024-6387 was quite timely as-is:
>
> commit dcbca7b947cf82c30d6f477a26efd2f765204fe6
> Author:     Gordon Messmer <gordon.mess...@gmail.com>
> AuthorDate: Mon Jul 1 20:49:16 2024 -0700
> Commit:     Gordon Messmer <gordon.mess...@gmail.com>
> CommitDate: Tue Jul 2 00:48:16 2024 -0700
>
>     Patch 9.6p1 for CVE-2024-6387
>
>     * Mon Jul 01 2024 Gordon Messmer <gordon.mess...@gmail.com> - 9.6p1-12
>     - Patch 9.6p1 for CVE-2024-6387
>
> On one hand, this confirms that Fedora cares.  On the other, for an
> issue with a trivial patch, I don't know if Fedora could have done much
> or anything more to prepare.
>

It was timely... but there was some scramble in Fedora's security room the morning the embargo was lifted. It turns out the development Rawhide branch was not in a buildable state at that moment - not a big deal, I pointed out at the time that it's more important to fix the stable releases - but with access to the embargo, someone could have fixed the Rawhide build in preparation, I suppose.

> OpenSSH 9.8 released on July 1 also fixed "Logic error in ssh(1)
> ObscureKeystrokeTiming", which became CVE-2024-39894 by July 3:
>
> https://www.openwall.com/lists/oss-security/2024/07/03/6
>
> Per upstream, this issue affects "9.5 through 9.7 (inclusive)", so I
> guess Fedora's package based on 9.6p1 is vulnerable.  There doesn't
> appear to be a fix in the package yet.  I see this is being tracked in:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2295615
>
> which is assigned to Dmitry Belyavskiy, who is also the maintainer of
> the OpenSSH package in RHEL and CentOS Stream.  RHEL is not affected and
> the issue is low severity, so will probably take a long while to fix in
> Fedora via Red Hat.  Maybe something the community could do quicker?
> This is not directly related to possible linux-distros membership; this
> issue wasn't even on linux-distros.
Yeah - the CVE fixes were done by a non-maintainer anyway (Dmitry understandably has his hands full with fixing RHEL and CentOS Stream).

This is tangential - but having a well-coordinated security team in Fedora, that participates in this list and in linux-distros, would likely help - e.g. by ensuring that the ACL of key packages like openssh correlates to who often contributes to it, and by making sure issues like these get addressed sooner rather than later.

-- 
    _o)   Michel Lind
    _( )  identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2