[Bug 2089690] Re: [MIR] rust-sequoia-sq, rust-sequoia-sqv
I'm gonna drop sq and the chameleon out of this bug scope, to focus on sqv for now ** No longer affects: rust-sequoia-sq (Ubuntu) ** Changed in: rust-sequoia-chameleon-gnupg (Ubuntu) Status: Expired => Won't Fix ** Summary changed: - [MIR] rust-sequoia-sq, rust-sequoia-sqv + [MIR] rust-sequoia-sqv -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2089690 Title: [MIR] rust-sequoia-sqv To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2089690/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2089690] Re: [MIR] rust-sequoia-sq, rust-sequoia-sqv
Sorry I'll keep finishing the MIR template here there will be some more description updates -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2089690 Title: [MIR] rust-sequoia-sq, rust-sequoia-sqv To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2089690/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2089690] Re: [MIR] rust-sequoia-sq, rust-sequoia-sqv
** Description changed: [Availability] The packages rust-sequoia-sq and rust-sequoia-sqv are already in universe; they build for all architectures. Link to package https://launchpad.net/ubuntu/+source/rust-sequoia-sq Link to package https://launchpad.net/ubuntu/+source/rust-sequoia-sqv [Rationale] Sequoia is becoming the standard OpenPGP implementation in competing Linux distributions such as RHEL. - The package rust-sequoia-sq will generally be useful for a large part of - our user base; users coming from RHEL 10 expect it to be there. + our user base; users coming from RHEL 10 expect it to be there. - The package rust-sequoia-sqv is required in Ubuntu main for apt [Security] - RULE: The security history and the current state of security issues in the - RULE: package must allow us to support the package for at least 9 months (120 - RULE: for LTS+ESM support) without exposing its users to an inappropriate level - RULE: of security risks. This requires checking of several things: - RULE: - Search in the National Vulnerability Database using the PKG as keyword - RULE: https://cve.mitre.org/cve/search_cve_list.html - RULE: - check OSS security mailing list (feed into search engine - RULE: 'site:www.openwall.com/lists/oss-security ') - RULE: - Ubuntu CVE Tracker - RULE: https://ubuntu.com/security/cve?package= - RULE: - Debian Security Tracker - RULE: https://security-tracker.debian.org/tracker/source-package/ + TODO-A: - Had #TBD security issues in the past TODO-A: - TBD links to such security issues in trackers TODO-A: - TBD to any context that shows how these issues got handled in TODO-A: the past TODO-B: - No CVEs/security issues in this software in the past - RULE: - Check for security relevant binaries, services and behavior. - RULE: If any are present, this requires a more in-depth security review. - RULE: Demonstrating that common isolation/risk-mitigation patterns are used - RULE: will help to raise confidence. For example a service running as root - RULE: open to the network will need to be considered very carefully. The same - RULE: service dropping the root permissions after initial initialization, - RULE: using various systemd isolation features and having a default active - RULE: apparmor profile is much less concerning and can speed up acceptance. - RULE: This helps Ubuntu, but you are encouraged to consider working with - RULE: Debian and upstream to get those security features used at wide scale. - RULE: - It might be impossible for the submitting team to check this perfectly - RULE: (the security team will), but you should be aware that deprecated - RULE: security algorithms like 3DES or TLS/SSL 1.1 are not acceptable. - RULE: If you think a package might do that it would be great to provide a - RULE: hint for the security team like "Package may use deprecated crypto" - RULE: and provide the details you have about that. - TODO: - no `suid` or `sgid` binaries - TODO-A: - no executables in `/sbin` and `/usr/sbin` - TODO-B: - Binary TBD in sbin is no problem because TBD - TODO-A: - Package does not install services, timers or recurring jobs - TODO-B: - Package does install services, timers or recurring jobs - TODO-B: TBD (list services, timers, jobs) + + - no `suid` or `sgid` binaries + - no executables in `/sbin` and `/usr/sbin` + - Package does not install services, timers or recurring jobs + TODO: - Security has been kept in mind and common isolation/risk-mitigation TODO: patterns are in place utilizing the following features: TODO: TBD (add details and links/examples about things like dropping TODO: permissions, using temporary environments, restricted users/groups, TODO: seccomp, systemd isolation features, apparmor, ...) - TODO-A: - Packages does not open privileged ports (ports < 1024). - TODO-B: - Packages open privileged ports (ports < 1024), but they have - TODO-B: a reason to do so (TBD) - TODO-A: - Package does not expose any external endpoints - TODO-B: - Package does expose an external endpoint, it is - TODO-B: TBD endpoint + TBD purpose - TODO: - Packages does not contain extensions to security-sensitive software - TODO: (filters, scanners, plugins, UI skins, ...) - - RULE: The package should not use deprecated security algorithms like 3DES or - RULE: TLS/SSL 1.1. The security team is the one responsible to check this, - RULE: but if you happen to spot something it helps to provide a hint. - RULE: Provide whatever made you suspicious as details along that statement. - RULE: Or remove the following lines entirely if you did not spot anything. - TODO: - I've spotted what I consider deprecated algorithms, the security team - TODO: should have a more careful look please, details are: + - Packages does not open privileged ports (ports < 1024). + - Package does not expose any external endpoints [Quality assurance - function/usage] - RULE:
[Bug 2089690] Re: [MIR] rust-sequoia-sq, rust-sequoia-sqv
** Description changed: - TBD - - Foundations should probably make a case for replacing GnuPG with Sequoia - in "main", filing corresponding MIRs for the needed sequoia components. + [Availability] + The packages rust-sequoia-sq and rust-sequoia-sqv are already in universe; they build for all architectures. + + Link to package https://launchpad.net/ubuntu/+source/rust-sequoia-sq + Link to package https://launchpad.net/ubuntu/+source/rust-sequoia-sqv + + [Rationale] + Sequoia is becoming the standard OpenPGP implementation in competing Linux distributions such as RHEL. + + - The package rust-sequoia-sq will generally be useful for a large part of + our user base; users coming from RHEL 10 expect it to be there. + - The package rust-sequoia-sqv is required in Ubuntu main for apt + + [Security] + RULE: The security history and the current state of security issues in the + RULE: package must allow us to support the package for at least 9 months (120 + RULE: for LTS+ESM support) without exposing its users to an inappropriate level + RULE: of security risks. This requires checking of several things: + RULE: - Search in the National Vulnerability Database using the PKG as keyword + RULE: https://cve.mitre.org/cve/search_cve_list.html + RULE: - check OSS security mailing list (feed into search engine + RULE: 'site:www.openwall.com/lists/oss-security ') + RULE: - Ubuntu CVE Tracker + RULE: https://ubuntu.com/security/cve?package= + RULE: - Debian Security Tracker + RULE: https://security-tracker.debian.org/tracker/source-package/ + TODO-A: - Had #TBD security issues in the past + TODO-A: - TBD links to such security issues in trackers + TODO-A: - TBD to any context that shows how these issues got handled in + TODO-A: the past + TODO-B: - No CVEs/security issues in this software in the past + + RULE: - Check for security relevant binaries, services and behavior. + RULE: If any are present, this requires a more in-depth security review. + RULE: Demonstrating that common isolation/risk-mitigation patterns are used + RULE: will help to raise confidence. For example a service running as root + RULE: open to the network will need to be considered very carefully. The same + RULE: service dropping the root permissions after initial initialization, + RULE: using various systemd isolation features and having a default active + RULE: apparmor profile is much less concerning and can speed up acceptance. + RULE: This helps Ubuntu, but you are encouraged to consider working with + RULE: Debian and upstream to get those security features used at wide scale. + RULE: - It might be impossible for the submitting team to check this perfectly + RULE: (the security team will), but you should be aware that deprecated + RULE: security algorithms like 3DES or TLS/SSL 1.1 are not acceptable. + RULE: If you think a package might do that it would be great to provide a + RULE: hint for the security team like "Package may use deprecated crypto" + RULE: and provide the details you have about that. + TODO: - no `suid` or `sgid` binaries + TODO-A: - no executables in `/sbin` and `/usr/sbin` + TODO-B: - Binary TBD in sbin is no problem because TBD + TODO-A: - Package does not install services, timers or recurring jobs + TODO-B: - Package does install services, timers or recurring jobs + TODO-B: TBD (list services, timers, jobs) + TODO: - Security has been kept in mind and common isolation/risk-mitigation + TODO: patterns are in place utilizing the following features: + TODO: TBD (add details and links/examples about things like dropping + TODO: permissions, using temporary environments, restricted users/groups, + TODO: seccomp, systemd isolation features, apparmor, ...) + TODO-A: - Packages does not open privileged ports (ports < 1024). + TODO-B: - Packages open privileged ports (ports < 1024), but they have + TODO-B: a reason to do so (TBD) + TODO-A: - Package does not expose any external endpoints + TODO-B: - Package does expose an external endpoint, it is + TODO-B: TBD endpoint + TBD purpose + TODO: - Packages does not contain extensions to security-sensitive software + TODO: (filters, scanners, plugins, UI skins, ...) + + RULE: The package should not use deprecated security algorithms like 3DES or + RULE: TLS/SSL 1.1. The security team is the one responsible to check this, + RULE: but if you happen to spot something it helps to provide a hint. + RULE: Provide whatever made you suspicious as details along that statement. + RULE: Or remove the following lines entirely if you did not spot anything. + TODO: - I've spotted what I consider deprecated algorithms, the security team + TODO: should have a more careful look please, details are: + + [Quality assurance - function/usage] + RULE: - After installing the package it must be possible to make it working with + RULE: a reasonable effort of configuration and documentation reading. + TODO-A: - The packag
[Bug 2089690] Re: [MIR] rust-sequoia-sq, rust-sequoia-sqv
** Summary changed: - [MIR] rust-sequoia-sq + [MIR] rust-sequoia-sq, rust-sequoia-sqv -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2089690 Title: [MIR] rust-sequoia-sq, rust-sequoia-sqv To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2089690/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
