From: grarpamp
Date: Thu, 4 Jul 2019 00:06:10 -0400
Subject: Review of FreeBSD Security Advisory Process: Incl Heads Up, Dates, Etc [cont: 5599 SACK}
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
Continued from beginnings in:
https://lists.freebsd.org/pipermail/freebsd-security/2019-June/009996.html

> I don't generally document a timeline of events from our side.

There would be benefit to further transparency with some new data fields in FreeBSD advisories, leading to metrics analysis by userbase and project, appropriate resource allocation efficacies, etc.

Date_Discovered: Date of original discovery by the discoverer.

Date_Received: Date the project received notification (or observed any info), regardless of whether from an external or internal source. The issue should also be posted as a heads up to the lists at this Received time, to apprise those users wishing or needing to perform necessary local review and action prior to a formal fix from FreeBSD upstream, and to put out to the community the call to fix.

Date_Advisory: Already present as the "Announced:" field.

This also ends up being a bit more efficient, as fewer cycles need be spent on deciding and managing what to withhold under timing schedule contracts, under whatever questionable premises are readily found searching the net from the thread above. To the extent any of this has possibly applied in the past.

Heads Up on receipt, and include a targeted fix timeframe guideline for readers based on the expected class of fix difficulty, selected from a previously convened and published policy guide table of difficulties and dependencies. Heads Up and interim notices are naturally not expected to be a polished Advisory.

> This
> particular disclosure was a bit unusual as it wasn't external but
> instead was an internal FreeBSD developer the security team often works
> with.
Seems this SACK discovery came from Netflix while in that external dev role, not from a purely internal FreeBSD dev role. And Received was not from Netflix's official team role, but via this liaison. Fine and moot though, as the datestream handling above should apply to all cases.

> As such, our process was a bit out of sync with normal (as much as
> we have a normal with our current processes). All of that said, we got
> notice in early June, about 10 days before public disclosure.

The community can ascertain whether any adjustments are needed therein by inclusion of the dates and passthrough above.

>> Were any FreeBSD derivatives given advanced notice? If so, which ones?
>
> They were not. I would like to get to a point where we feel we could
> give some sort of heads up for downstream, but we aren't there yet.

Whether push, or pull via subscribe, derivative third parties are a bit secondary to the closer FreeBSD community processes. ie: Does the Linux kernel push to all 1000 Linux distro teams? Probably not, a bit out of scope, so they pull (the distro being the derivative dependent of the kernel there). Again mooted by simplicity with the better dates and passthrough above.