Michael Gilbert
2009-Dec-18 03:03 UTC
[Secure-testing-team] On the supportability of webkit
Hi all,

The number of open CVEs for webkit during lenny's lifetime so far has been incredibly high. Only rivaled by openjdk and the kernel (at times), but those seem to get updates reasonably fast even though there are a large number. Guisseppe has done some good work fixing a large number of webkit issues recently, which is great, but still another 19 remain.

The root of this problem is that debian does not have access to apple's private security list [0]. The thing is that they have already offered access in the past (to anyone with a debian.org address) [1], but no one stepped up to the plate. I would take on the responsibility, but I am not a DD.

So, I think at this point, webkit should be strongly considered for removal in the next lenny point release (because I don't foresee things getting any better any time soon), and possibly from squeeze as well. However, this concern could be rendered moot should someone volunteer to gain access to the private webkit list.

Best wishes,
Mike

[0] http://webkit.org/security/
[1] http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-August/003008.html
Yves-Alexis Perez
2009-Dec-21 17:10 UTC
[Secure-testing-team] On the supportability of webkit
Michael Gilbert a écrit :
> Hi all,
>
> The number of open CVEs for webkit during lenny's lifetime so far has
> been incredibly high. Only rivaled by openjdk and the kernel (at
> times), but those seem to get updates reasonably fast even though there
> are a large number. Guisseppe has done some good work fixing a large
> number of webkit issues recently, which is great, but still another 19
> remain.
>
> The root of this problem is that debian does not have access to apple's
> private security list [0]. The thing is that they have already offered
> access in the past (to anyone with a debian.org address) [1], but no one
> stepped up to the plate. I would take on the responsibility, but I am
> not a DD.
>
> So, I think at this point, webkit should be strongly considered for
> removal in the next lenny point release (because I don't foresee things
> getting any better any time soon), and possibly from squeeze as well.
> However, this concern could be rendered moot should someone volunteer
> to gain access to the private webkit list.

Were the webkit maintainers aware of that proposal?

Cheers,
--
Yves-Alexis
On Mon, Dec 21, 2009 at 06:10:08PM +0100, Yves-Alexis Perez wrote:
> Michael Gilbert a écrit :
> > Hi all,
> >
> > The number of open CVEs for webkit during lenny's lifetime so far has
> > been incredibly high. Only rivaled by openjdk and the kernel (at
> > times), but those seem to get updates reasonably fast even though there
> > are a large number. Guisseppe has done some good work fixing a large
> > number of webkit issues recently, which is great, but still another 19
> > remain.
> >
> > The root of this problem is that debian does not have access to apple's
> > private security list [0]. The thing is that they have already offered
> > access in the past (to anyone with a debian.org address) [1], but no one
> > stepped up to the plate. I would take on the responsibility, but I am
> > not a DD.
> >
> > So, I think at this point, webkit should be strongly considered for
> > removal in the next lenny point release (because I don't foresee things
> > getting any better any time soon), and possibly from squeeze as well.
> > However, this concern could be rendered moot should someone volunteer
> > to gain access to the private webkit list.
>
> Were the webkit maintainers aware of that proposal?

No, and the main problem with webkit is that a lot of the CVEs that are supposedly affecting it are OSX-only or Safari-only issues. There is a huge lack of *webkit* security tracking upstream.

Gustavo, since you are involved upstream, do you know if things are moving for that?

Mike

PS: removing webkit from squeeze is something that will not work. It would remove important gnome applications.
Michael Gilbert
2009-Dec-22 00:02 UTC
[Secure-testing-team] On the supportability of webkit
On Mon, 21 Dec 2009 18:10:08 +0100 Yves-Alexis Perez wrote:
> Michael Gilbert a écrit :
> > Hi all,
> >
> > The number of open CVEs for webkit during lenny's lifetime so far has
> > been incredibly high. Only rivaled by openjdk and the kernel (at
> > times), but those seem to get updates reasonably fast even though there
> > are a large number. Guisseppe has done some good work fixing a large
> > number of webkit issues recently, which is great, but still another 19
> > remain.
> >
> > The root of this problem is that debian does not have access to apple's
> > private security list [0]. The thing is that they have already offered
> > access in the past (to anyone with a debian.org address) [1], but no one
> > stepped up to the plate. I would take on the responsibility, but I am
> > not a DD.
> >
> > So, I think at this point, webkit should be strongly considered for
> > removal in the next lenny point release (because I don't foresee things
> > getting any better any time soon), and possibly from squeeze as well.
> > However, this concern could be rendered moot should someone volunteer
> > to gain access to the private webkit list.
>
> Were the webkit maintainers aware of that proposal?

Not yet. I wanted to start a conversation with the security team first to determine a direction. The ideal solution is simple since the upstream webkit security team will grant anyone with a debian.org address access to their private security list. So, we just need someone to volunteer to do that. Any takers?

Mike
Hi,

* Michael Gilbert <michael.s.gilbert at gmail.com> [2009-12-22 01:14]:
> On Mon, 21 Dec 2009 18:10:08 +0100 Yves-Alexis Perez wrote:
> > Michael Gilbert a écrit :
[...]
> > > So, I think at this point, webkit should be strongly considered for
> > > removal in the next lenny point release (because I don't foresee things
> > > getting any better any time soon), and possibly from squeeze as well.
> > > However, this concern could be rendered moot should someone volunteer
> > > to gain access to the private webkit list.
> >
> > Were the webkit maintainers aware of that proposal?
>
> Not yet. I wanted to start a conversation with the security team
> first to determine a direction. The ideal solution is simple since the
> upstream webkit security team will grant anyone with a debian.org
> address access to their private security list. So, we just need
> someone to volunteer to do that. Any takers?

It's not only about having @debian.org; if it were as simple as that we could subscribe team at security.debian.org or set up a bot ;) It needs someone who does more than coordinating stuff and someone who is into this field of interest and has time to work on those issues. As we aren't heavily staffed with web security people... Raphael, do you have the interest and time to do that?

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Raphael Geissert
2009-Dec-26 03:34 UTC
[Secure-testing-team] On the supportability of webkit
Nico Golde wrote:
> It's not only about having @debian.org; if it were as simple as that we
> could subscribe team at security.debian.org or set up a bot ;) It needs
> someone who does more than coordinating stuff and someone who is into this
> field of interest and has time to work on those issues. As we aren't
> heavily staffed with web security people... Raphael, do you have the
> interest and time to do that?

On one hand, I'd like to stay away from webkit if possible. OTOH, if somebody else is willing to help with the issues, I could try to convince myself to work on them just like any other software.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net