Re: Packages with a history of security issues and whose packaged version is not up to date
On Mon, Feb 17, 2025 at 09:42:21PM -0500, Paul R. Tagliamonte wrote:
> CVEs are not perfect. CVE count is, charitably, a proxy for how much
> security attention / research it gets (hopefully that is, in turn, a proxy
> for how important a package is). Not so charitably, it's perhaps a proxy
> for how many people who want to build a reputation as an expert have spent
> time finding something that would pass minimal scrutiny as a security
> issue.
This is really the central point of the issue. In the instances I have
observed, we are usually talking about a *real* issue, but most often
not one that deserves to be considered a CVE, and even less deserves
some arbitrarily inflated CVSS score. Fixing the issue is good, but
dealing with all the CVE and CVSS noise is a pain.
> There are plenty of security issues that are solved via normal bugfixes by
> people who never realize the security implications of their bugfixes. In
> important security sensitive places, too!
In theory, any abnormal program behavior has the potential to carry a
security implication. And in one project I have actually seen where
there was a push to retroactively designate CVEs for past bug fixes that
it turned out had some kind of specific security vulnerability
associated with them. It was very bizarre, and I took it as a sign that
the "everything has to have a CVE and every CVE must be fixed" mentality
is infecting more and more parts of the software development world.
> Updating to the latest upstreams is a good idea for lots of reasons, but I
> don't totally understand the nexus to CVE here. Don't let me dissuade you
> from doing good work here, but I reckon CVE counting is likely going to
> lead to a lot of very weird non-security related biases which you may or
> may not actually want.
> FWIW this will solve one real problem: Lots of companies complain
> endlessly and mindlessly about CVEs based on package version(s) without
> regards to the issue being exploitable or even reachable (or built into
> the binary, in some cases!). Closing CVEs out will no doubt make them
> complain less, which sounds nice.
I have seen lots of mindless complaining based on package versions, and
I agree that something like this effort is likely to reduce the
occurrence of that sort of thing. And, yes, CVE is probably not a great
proxy. But Santiago has discussed this with quite a few of us on the LTS
team at various points along the way, and a better proxy hasn't been
found.
Regards,
-Roberto
--
Roberto C. Sánchez