
What's going on with advisory for phpmyadmin?


Piotr Roszatycki
Oct 28, 2005, 11:10:10 AM

Why was my report ignored? I reported the problem 3 days ago and have had no
reply.

Details about security flaw in phpmyadmin are at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335306
--
.''`. Piotr Roszatycki, Netia SA
: :' : mailto:Piotr_Ro...@netia.net.pl
`. `' mailto:dex...@debian.org
`-


--
To UNSUBSCRIBE, email to debian-secu...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

John Goerzen
Oct 28, 2005, 11:20:14 AM

On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:
> Why was my report ignored? I reported the problem 3 days ago and have had no
> reply.

This seems to be a very frequent problem going on for a while now.

Could someone from the security team comment on what the problem is?

Steve Kemp
Oct 28, 2005, 11:30:19 AM

On Fri, Oct 28, 2005 at 10:16:03AM -0500, John Goerzen wrote:
> On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:
> > Why was my report ignored? I reported the problem 3 days ago and have had no
> > reply.
>
> This seems to be a very frequent problem going on for a while now.
>
> Could someone from the security team comment on what the problem is?

The problem is that we receive a lot of reports, each of which may
involve a significant amount of time to attend to.

New entries are pushed onto the stack almost daily. Whilst some
are simple and can be dealt with easily, some are more complex and
obviously we cannot disclose them publicly.

If it is useful I could begin sending out a form response, something
like "Yes we received your report, yes we will fix it, please have
patience".

However a useful response such as "Yes we've got your package report
and we'll update an advisory after we've done openssh, mozilla, the
kernel." is not going to happen. Even estimating an advisory date
is going to be non-trivial.

(NOTE: Package names above are chosen at random ...)

Sometimes an issue will be responded to, fixed, and uploaded all in the
same day. Sometimes it takes longer to:

* Confirm the problem.
* Produce a patch.
* Communicate with the package maintainer to discover when the Sid
version will be tested.
* Communicate with other Linux distributions to make sure that the
package can be updated by multiple distributions in a coordinated fashion.
* Communicate with the upstream developers to let them know, if
they don't know so far.
* Allocate and assign a unique ID for the issue.

The best thing that you can do when reporting problems is:

a) Be detailed.
b) Ideally have a patch, or a pointer to one.
c) Be patient.
d) Don't file reports which are already in the BTS.
e) Be patient.
f) Be patient.

All reports are read and responded to *in time*. Be patient.

None of this is news.

Steve
--


Florian Weimer
Oct 28, 2005, 12:00:35 PM

* Steve Kemp:

> However a useful response such as "Yes we've got your package report
> and we'll update an advisory after we've done openssh, mozilla, the
> kernel." is not going to happen.

The web pages state that you aim for a fix within 48 hours. Maybe
this sentence should be removed? See the patch below.

Please note that I don't think this is the fault of the security team.
Debian has grown since this promise, and the complexity of the
distribution has increased significantly. Another indicator is that
since the release of sarge, a CVE-worthy vulnerability has been fixed
every 20 hours. I don't think any other software vendor currently
matches that pace.

Index: index.wml
===================================================================
RCS file: /cvs/webwml/webwml/english/security/index.wml,v
retrieving revision 1.77
diff -u -u -r1.77 index.wml
--- index.wml 17 Oct 2005 21:54:18 -0000 1.77
+++ index.wml 28 Oct 2005 15:40:46 -0000
@@ -2,8 +2,7 @@
#use wml::debian::recent_list
#include "$(ENGLISHDIR)/releases/info"

-<P>Debian takes security very seriously. Most security problems brought
-to our attention are corrected within 48 hours.</P>
+<P>Debian takes security very seriously.</P>

<P>Experience has shown that "security through obscurity" does not work. Public
disclosure allows for more rapid and better solutions to security problems. In
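Review bot: the hunk at lines 2-9 leaves the opening paragraph as the bare assertion "Debian takes security very seriously.", which tells a reporter nothing about what to expect; rather than only deleting the 48-hour claim, consider replacing it with a short, accurate statement of the process described earlier in this thread (reports are read, confirmed, patched, and coordinated with upstream and other distributions before an advisory is issued), so the page still sets expectations without promising a timeline. Minor: the `diff -u -u -r1.77` line repeats the `-u` flag; harmless, but worth tidying before committing.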

Martin Schulze
Oct 28, 2005, 12:00:37 PM

John Goerzen wrote:
> On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:
> > Why was my report ignored? I reported the problem 3 days ago and have had no
> > reply.
>
> This seems to be a very frequent problem going on for a while now.
>
> Could someone from the security team comment on what the problem is?

The problem in this case is confusing reports and patches with
arbitrary changes that don't belong in security updates.

Regards,

Joey

--
Life is too short to run proprietary software. -- Bdale Garbee

Steve Kemp
Oct 28, 2005, 12:30:38 PM

On Fri, Oct 28, 2005 at 11:01:29AM -0500, John Goerzen wrote:

> > > Could someone from the security team comment on what the problem is?
> >
> > The problem is that we receive a lot of reports, each of which may
> > involve a significant amount of time to attend to.
>

> Well, that's a symptom. Isn't the root problem not enough people on the
> team in this case?

That is almost certainly the case, however adding more members is still
not going to result in immediate updates.

(Things like timezones, coordination, and other practicalities come
into play with more members. Not to mention waiting for other vendors,
upstream etc, is not something that will be helped by more members).

Steve
--


John Goerzen
Oct 28, 2005, 12:30:39 PM

On Fri, Oct 28, 2005 at 04:26:43PM +0100, Steve Kemp wrote:
> > This seems to be a very frequent problem going on for a while now.
> >
> > Could someone from the security team comment on what the problem is?
>
> The problem is that we receive a lot of reports, each of which may
> involve a significant amount of time to attend to.

Well, that's a symptom. Isn't the root problem not enough people on the
team in this case?


Horms
Oct 29, 2005, 12:10:10 AM

On Fri, Oct 28, 2005 at 04:26:43PM +0100, Steve Kemp wrote:
> On Fri, Oct 28, 2005 at 10:16:03AM -0500, John Goerzen wrote:
> > On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:
> > > Why was my report ignored? I reported the problem 3 days ago and have had no
> > > reply.
> >
> > This seems to be a very frequent problem going on for a while now.
> >
> > Could someone from the security team comment on what the problem is?
>
> The problem is that we receive a lot of reports, each of which may
> involve a significant amount of time to attend to.
>
> New entries are pushed onto the stack almost daily. Whilst some
> are simple and can be dealt with easily, some are more complex and
> obviously we cannot disclose them publicly.
>
> If it is useful I could begin sending out a form response, something
> like "Yes we received your report, yes we will fix it, please have
> patience".
>
> However a useful response such as "Yes we've got your package report
> and we'll update an advisory after we've done openssh, mozilla, the
> kernel." is not going to happen. Even estimating an advisory date
> is going to be non-trivial.

I think some sort of confirmation would be invaluable.

--
Horms

Holger Levsen
Oct 29, 2005, 5:10:07 AM

Hi,

On Saturday 29 October 2005 05:53, Horms wrote:
> On Fri, Oct 28, 2005 at 04:26:43PM +0100, Steve Kemp wrote:
> > If it is useful I could begin sending out a form response, something
> > like "Yes we received your report, yes we will fix it, please have
> > patience".

> I think some sort of confirmation would be invaluable.

/me nods.

The form should include a note that it's a form, but sent manually.


regards,
Holger
