Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software


Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf
Hi,

I understand that users should decide on their own whether they wish to
install high risk vulnerable software, so I'm not writing because a
deletion request was rejected.

I want to make a suggestion.

A pinned comment could warn about the high security risk and
assuming that upstream of the original software shouldn't fix
vulnerabilities, at least recommend to ask upstream of software that
requires such software as a dependency, to get rid of this dependency,
instead of installing the vulnerable software.

I'm not sure if everybody is aware of the risks a package like

https://aur.archlinux.org/pkgbase/webkitgtk/
https://aur.archlinux.org/packages/webkitgtk2/

does cause.

When providing such a PKGBUILD, does anything speak against a
short pinned comment?

Regards,
Ralf

--
Vote for apulse!
echo $(w3m https://aur.archlinux.org/packages/apulse |grep 'Votes:    ')
Votes: 81                         Updated: Sun Jul  2 09:03:52 CEST 2017

Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

tur-users mailing list
On 07/02/2017 03:09 AM, Ralf Mardorf wrote:

> Hi,
>
> I understand that users should decide on their own whether they wish to
> install high risk vulnerable software, so I'm not writing because a
> deletion request was rejected.
>
> I want to make a suggestion.
>
> A pinned comment could warn about the high security risk and
> assuming that upstream of the original software shouldn't fix
> vulnerabilities, at least recommend to ask upstream of software that
> requires such software as a dependency, to get rid of this dependency,
> instead of installing the vulnerable software.
>
> I'm not sure if everybody is aware of the risks a package like
>
> https://aur.archlinux.org/pkgbase/webkitgtk/
> https://aur.archlinux.org/packages/webkitgtk2/
>
> does cause.
>
> When providing such a PKGBUILD, does anything speak against a
> short pinned comment?
... That is entirely up to the maintainer of said package.

Even if it weren't entirely up to the maintainer to pin comments, who
are you proposing should be responsible for determining what packages
should come with warnings, and then providing such warnings? And what
makes you think people will *see* those warnings for packages that are
typically not installed on their own, but as dependencies for something
else?

Next!

--
Eli Schwartz



Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf
On Sun, 2 Jul 2017 03:49:10 -0400, Eli Schwartz via aur-general wrote:
>... That is entirely up to the maintainer of said package.

Hi,

yes and this shouldn't change. I just want to suggest to be responsible
and add a note.

>Even if it weren't entirely up to the maintainer to pin comments, who
>are you proposing should be responsible for determining what packages
>should come with warnings, and then providing such warnings? And what
>makes you think people will *see* those warnings for packages that are
>typically not installed on their own, but as dependencies for something
>else?
>
>Next!

Apart from the risks mentioned, if you e.g. google for webkit+CVE+linux
and similar search terms, we could assume that if a package gets
dropped from official Arch repositories and from other distros as well
for security reasons, those reasons are high security risks that never
or much too seldom get fixed.

If upstream is aware of such issues, they usually try to get rid of
such a dependency or at least allow building without webkit or any
other high risk vulnerable software, so Arch repositories provide
claws-mail without the fancy plugin, provide guitarix2 compiled without
webkit, and browsers based upon webkit are removed from the Arch Wiki
lists of applications,
https://wiki.archlinux.org/index.php/List_of_applications/Internet#WebKit-based ,
even though they might still be available from the AUR; at least xombrero
still is. So AUR PKGBUILDs like qtwebkit, webkitgtk and webkitgtk2 are
easy to identify as objectively highly risky. If other high risk
vulnerable software is provided, it would be easy for the maintainer to
identify this software as well.

If software such as the mentioned webkit is discussed for more than a year
and e.g. was on an Arch phasing-out todo list before it was
completely removed from official repositories, it's not that much a
subjective opinion.

Ok, using an AUR helper like yaourt would display the latest
comments only, but not pinned comments. With or without an AUR helper,
it doesn't harm to care a little bit about comments, as well as pinned
comments, instead of building everything without care. Maybe adding a
comment to the PKGBUILD of high risk vulnerable software could be
done, too.

Note
"Warning: Carefully check all files. Carefully check the PKGBUILD and
any .install file for malicious commands." -
https://wiki.archlinux.org/index.php/Arch_User_Repository#Build_and_install_the_package

So we could assume that users tend to take a look at the PKGBUILD and
would notice a warning. The PKGBUILD even could provide a msg. Messages
are not necessarily limited to information such as

  msg "applying patch-${_pkgver}"

they could also provide a warning.

Regards,
Ralf
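The in-PKGBUILD warning Ralf describes, as an added example that is not from the thread or from any AUR package: a PKGBUILD fragment that prints a security notice from prepare() and package() using makepkg's own warning() and msg2() helpers, with a minimal fallback so the same functions also run in a plain shell. The package name, version and the wording of the notice are placeholders.

```shell
# Added example (not from the thread or any real AUR package): a PKGBUILD
# fragment that emits a security notice when the package is built.
# Package name, version and the notice text are placeholders.
pkgname=example-vulnerable-lib   # hypothetical package
pkgver=1.0
pkgrel=1
arch=('x86_64')

# makepkg provides msg/msg2/warning/error to PKGBUILD functions. When this
# file is run outside makepkg (e.g. sourced in a plain shell), fall back to
# substitutes with the same output format so the functions below still work.
if ! type warning >/dev/null 2>&1; then
  warning() { printf '==> WARNING: %s\n' "$*" >&2; }
fi
if ! type msg2 >/dev/null 2>&1; then
  msg2() { printf '  -> %s\n' "$*" >&2; }
fi

# Keep the notice in one helper so prepare() and package() print the same text
# (the user sees it both when sources are unpacked and when the package is built).
_security_notice() {
  warning "${pkgname} was dropped from the official repositories for security reasons"
  msg2 "It receives no security fixes; prefer building dependents without it."
  msg2 "See the pinned comment on the AUR page before installing."
  return 0
}

prepare() {
  _security_notice
  # normal preparation (cd "$srcdir/...", patching) would follow here
}

package() {
  _security_notice
  # normal install steps (make DESTDIR="$pkgdir" install) would follow here
}
```

Because makepkg writes warning() output to stderr in the same "==> WARNING:" style as its own diagnostics, the notice is visible even in a terminal scrolled by an AUR helper, unlike a pinned web comment.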

Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

tur-users mailing list
On Sun, Jul 2, 2017 at 4:56 PM, Ralf Mardorf <[hidden email]>
wrote:

> On Sun, 2 Jul 2017 03:49:10 -0400, Eli Schwartz via aur-general wrote:
>
> >Even if it weren't entirely up to the maintainer to pin comments, who
> >are you proposing should be responsible for determining what packages
> >should come with warnings, and then providing such warnings?
>

This is the primary question here. If it's the maintainer then... what is
this email thread even for?

Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf
On Tue, 4 Jul 2017 13:25:09 +0800, Oon-Ee Ng via aur-general wrote:
>This is the primary question here. If it's the maintainer then... what
>is this email thread even for?

It's about sense of responsibility. As already pointed out,
something like the webkit PKGBUILDs are objectively PKGBUILDs with a
very serious high security risk. Users might not be aware of it;
they might think it's software that was dropped from official
repositories for harmless maintenance issues. For example, a Heartbleed
affected SSL is not the same as a discontinued Sudoku game without
internet access, even if such a Sudoku game might come with
minor security issues, too.

Regards,
Ralf

Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

tur-users mailing list
On Tue, Jul 4, 2017 at 1:47 PM, Ralf Mardorf <[hidden email]>
wrote:

> On Tue, 4 Jul 2017 13:25:09 +0800, Oon-Ee Ng via aur-general wrote:
> >This is the primary question here. If it's the maintainer then... what
> >is this email thread even for?
>
> It's about sense of responsibility. As already pointed out,
> something like the webkit PKGBUILDs are objectively PKGBUILDs with a
> very serious high security risk. Users might not be aware of it;
> they might think it's software that was dropped from official
> repositories for harmless maintenance issues. For example, a Heartbleed
> affected SSL is not the same as a discontinued Sudoku game without
> internet access, even if such a Sudoku game might come with
> minor security issues, too.
>

And as you've already pointed out, this is the responsibility of the
maintainer. You could suggest it on the package's AUR page.

By sending it to the ML, it looks like you're trying to discuss or push for
a general decision. That's not going to happen on this issue, I don't
think.

Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf
On Tue, 4 Jul 2017 14:00:50 +0800, Oon-Ee Ng via aur-general wrote:
>You could suggest it on the package's AUR page.

Hi,

yes, I could ask to do it for dependent packages such as
https://aur.archlinux.org/packages/xombrero/ even while I'm not using
it.

I could ask to do it for https://aur.archlinux.org/packages/qtwebkit/ ,
https://aur.archlinux.org/packages/webkitgtk/ /
https://aur.archlinux.org/packages/webkitgtk2 even while I'm not using
those packages.

Some maintainers simply are responsible without somebody mentioning it,
e.g. https://aur.archlinux.org/packages/claws-mail-git/, btw. the only
related PKGBUILD I'm using myself.

Another package maintainer disabled webkit usage after I informed
about the issue and after I got in contact with upstream, who also will
fix the issue, https://aur.archlinux.org/packages/guitarix-git/ . I'm
not using this package, but install guitarix2 from official
repositories.

>By sending it to the ML, it looks like you're trying to discuss or
>push for a general decision.

Actually there could be PKGBUILDs where I'm not aware of the issue, so
I can't add a comment; that's why I ask on this list. It should not be
enforced by a rule, but maintainers of PKGBUILDs should develop a sense
of responsibility, so I mentioned it on this list.

Regards,
Ralf

--
Vote for apulse!
echo $(w3m https://aur.archlinux.org/packages/apulse |grep 'Votes:    ')
Votes: 82                         Updated: Tue Jul  4 09:32:57 CEST 2017

Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf
On Tue, 4 Jul 2017 09:45:08 +0200, Ralf Mardorf wrote:

>On Tue, 4 Jul 2017 14:00:50 +0800, Oon-Ee Ng via aur-general wrote:
>>You could suggest it on the package's AUR page.  
>
>Hi,
>
>yes, I could ask to do it for dependent packages such as
>https://aur.archlinux.org/packages/xombrero/ even while I'm not using
>it.
>
>I could ask to do it for https://aur.archlinux.org/packages/qtwebkit/ ,
>https://aur.archlinux.org/packages/webkitgtk/ /
>https://aur.archlinux.org/packages/webkitgtk2 even while I'm not using
>those packages.
>
>Some maintainers simply are responsible without somebody mentioning it,
>e.g. https://aur.archlinux.org/packages/claws-mail-git/, btw. the only
>related PKGBUILD I'm using myself.
>
>Another package maintainer disabled webkit usage after I informed
>about the issue and after I got in contact with upstream, who also will
>fix the issue, https://aur.archlinux.org/packages/guitarix-git/ . I'm
>not using this package, but install guitarix2 from official
>repositories.
>
>>By sending it to the ML, it looks like you're trying to discuss or
>>push for a general decision.  
>
>Actually there could be PKGBUILDs where I'm not aware of the issue, so
>I can't add a comment; that's why I ask on this list. It should not be
>enforced by a rule, but maintainers of PKGBUILDs should develop a sense
>of responsibility, so I mentioned it on this list.
>
>Regards,
>Ralf
>

PS: Maybe Claws from git still builds with webkit if it's
installed, but it's not a dependency.

--
Vote for apulse!
echo $(w3m https://aur.archlinux.org/packages/apulse |grep 'Votes:    ')
Votes: 82                         Updated: Tue Jul  4 09:48:53 CEST 2017

Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

NicoHood-3
I want to point out another view from this situation:

What if an outdated package is moved to the AUR and does not have a new
package with the replaces=() variable? I personally had this several
times and those packages are still kept on the system.

This gave me some broken dependencies but also old software was kept on
my system. Beside the packages I manually installed from AUR this could
be a real security risk.

Shouldn't we warn the user when a package from the official repositories
moves to the AUR (or disappears completely)? Not every user checks his system
for dropped packages every day, so a warning in pacman would be nice.

About the original suggestion for the AUR:
I think it's worth having a pinned comment on the AUR page. The package
maintainer should add it if a user gives him the hint. If he doesn't
accept it, a TU should check if the request is valid and pin the user's
comment. This way we can help all the users. Maintainers unwilling to
fix security problems or ignoring/hiding them are not welcome to me.

~Nico
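The check Nico asks for, as an added example that is not from the thread: pacman already lists installed packages that no sync repository provides (`pacman -Qm`, "foreign" packages), so the missing piece is separating the AUR packages you built on purpose from repository packages that were dropped and silently stayed behind. This script reads package names from stdin and filters them against an allow-list file; the package names in the sample run are constructed, and the allow-list file path is an assumption.

```shell
# Added example (not from the thread): list installed packages that no sync
# repository provides, minus the ones you knowingly keep from the AUR.
# Names are read one per line from stdin; in real use:
#   pacman -Qqm | report_dropped ~/.config/known-aur-packages   # path is hypothetical
report_dropped() {
  allow="${1:-/dev/null}"   # file: one name per line, packages intentionally built from the AUR
  # Foreign packages (pacman -Qm) are those found in no sync database.
  # Anything not on the allow-list is either a repository package that was
  # dropped but is still installed, or an AUR package you forgot about.
  # `|| true` keeps the function's exit status 0 when nothing remains.
  sort -u | grep -vxF -f "$allow" || true
}

# Convenience wrapper for scripts and hooks: number of packages needing a look.
count_dropped() {
  report_dropped "$1" | grep -c . || true
}

# Constructed sample run: what `pacman -Qqm` might print on a machine where
# two packages were dropped from the repositories and left behind.
sample_foreign='apulse
libfoo-old
webkitgtk2
yay'
allow=$(mktemp)
printf '%s\n' apulse yay > "$allow"   # the two packages the user built on purpose
printf '%s\n' "$sample_foreign" | report_dropped "$allow"
rm -f "$allow"
```

Run periodically (or from an alpm hook with `When = PostTransaction`, so it fires after every upgrade), a non-zero count is the warning Nico describes: it flags packages that stopped receiving updates from any repository, which is exactly the state a dropped-for-security package ends up in.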



Re: Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

LoneVVolf
On 04-07-17 10:19, NicoHood wrote:

>
> About the original suggestion for the AUR:
> I think its worth to have a pinned comment on the AUR page. The package
> maintainer should add it if an user gives him the hint. If he doesnt
> accept it a TU should check if the request is valid and pin the users
> comment. This way we can help all the users. Maintainers unwilling to
> fix security problems or ignoring/hiding them are not welcome to me.
>
> ~Nico
>
Sounds like you propose an additional request type for AUR "add pinned
comment" ?
I kinda like this idea, maybe send it to aur-dev ?

Lone_Wolf