Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all over the news for a week now. It is patched on all Linux platforms but has not yet shown up in FreeBSD's vulxml database. Does this mean:

A) FreeBSD versions prior to 3.26.0 are not vulnerable, or

B) the ports-secteam is not able to properly maintain the vulnerability database?

If the latter perhaps someone from the security team could let us know how such a significant vulnerability could go unflagged for so long and, more importantly, what might be done to address the gap in reporting?

Roger Marquis
Hi,

It's sad to see that you are still as negative as you were not that long ago. I said before that if you rely on the information being up to date, you should sponsor the FF or pay someone to do the work for you. You keep forgetting that we (security-officer@ and ports-secteam@) are volunteers and that we do this in our free spare time. You cannot demand that we do things that you expect us to do without knowing how people's lives are going at that same moment. If they have to choose between your whining and their kids or family, I would also choose the family.

I do not think the others need to step in for this one; your constant negative attitude towards our ports-secteam people is getting annoying and a waste of our precious time. So either start sending patches, contribute, or understand that this is voluntary and that their priorities might not be your priority.

Thank you, once and for all,
Remko.

On 16 Dec 2018, at 17:13, Roger Marquis <marquis at roble.com> wrote:
> It's sad to see that you are still as negative as you were not that long
> ago.

Apologies for being negative Remko, but isn't it the implications for those running FreeBSD that are negative rather than someone pointing them out? Or do we have different interpretations of the scope or threat profile of this particular issue? (Considering that sqlite has been installed by default on every FreeBSD host and jail for a few years now.)

> I said before that if you rely on the information being up to date, you
> should sponsor the FF or pay someone to do the work for you. You keep
> forgetting that we (security-officer@ and ports-secteam@) are volunteers
> and that we do this in our free spare time.

This is a good answer to my question regarding what might be done to address the gap in reporting. I am in no position to financially sponsor anyone but certainly the FreeBSD Foundation is. Maybe someone from the board could weigh in regarding the feasibility of funding this critical function? According to <www.freebsdfoundation.org/about/financials/> more than $3M is available, a small portion of which, if applied on an ongoing basis, would bring FreeBSD up to the 3rd party application security standards of its competitors (Android aside) and make the OS infinitely easier for us to advocate, admin and develop for. On that note, does anyone on this list have experience applying for FreeBSD Foundation grants? If so please contact me off-list.

OTOH it may also be a matter of team size and/or policies that would be more effective in the short term. Would be great if other sec team and/or board members could comment (ideally without shooting the messenger).

> I do not think the others need to step in for this one, your constant
> negative attitude towards our ports-secteam people is getting annoying and
> a waste of our precious time. So either start sending patches, contribute,
> or understand that this is voluntary and that their priorities might not
> be your priority.

I don't know Remko. It seems like too far-reaching of an issue to ignore. Most of us don't see it as negative or positive but simply a means of keeping end-users safe and making everyone's contribution to the project more effective.

Roger Marquis
You're being a jerk. This is a volunteer project. It owes you nothing.

On Sun, Dec 16, 2018, 16:42 Roger Marquis <marquis at roble.com> wrote:
https://mikemcquaid.com/2018/03/19/open-source-maintainers-owe-you-nothing/

On Sun, Dec 16, 2018, 16:42 Roger Marquis <marquis at roble.com> wrote:
Since you may not read that essay on open source software, here is the salient point for you:

- For users: remember when filing an issue, opening a pull request or making a comment on a project to be grateful that people spend their free time to build software you get to use for free. Keep your frustrations and non-actionable negativity to yourself (or at least offline and out of earshot). Don't expect anyone to fix your issues or help you if you're unwilling to dedicate more time to helping yourself than you ask of others. This means reading all the documentation and trying to resolve your own issues before ever asking for any help.

On Sun, Dec 16, 2018, 16:42 Roger Marquis <marquis at roble.com> wrote:
On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
> over the news for a week now. It is patched on all Linux platforms but
> has not yet shown up in FreeBSD's vulxml database. Does this mean:
>
> A) FreeBSD versions prior to 3.26.0 are not vulnerable, or
>
> B) the ports-secteam is not able to properly maintain the vulnerability
> database?
>
> If the latter perhaps someone from the security team could let us know
> how such a significant vulnerability could go unflagged for so long and,
> more importantly, what might be done to address the gap in reporting?

Almost certainly:

C) This vulnerability was reported in a random blog post on a Sunday without any details so people haven't caught up with it yet.

-- Brooks