2021-06-01 15:07:51 incidentally, trivy is probably the best scanner for scanning alpine (and its creator does want to contribute back) 2021-06-01 15:08:05 clair really sucks :D 2021-06-01 15:08:23 well 2021-06-01 15:08:28 it is not as bad as some others 2021-06-01 15:08:37 anchore grype was the worst one i tested 2021-06-01 15:08:46 it had about a gazillion false positives 2021-06-01 15:08:52 Wasnt that person asking on the ML from trivy / aquasec? 2021-06-01 15:08:57 yes 2021-06-01 15:09:12 i am willing to recognize that security companies hire idiots :P 2021-06-01 15:09:19 heh 2021-06-01 15:10:04 but in terms of the performance of the scanners, trivy was the best one i've seen so far 2021-06-01 15:10:18 in terms of showing alpine vulnerability data 2021-06-02 08:46:33 i thikn snyk has contributed back, at least in form of bug reports etc 2021-06-02 15:07:45 yes, snyk is also pretty good 2021-06-02 15:17:31 (and expensive af) 2021-06-02 15:18:25 right, i'm largely talking about the free ones :P 2021-06-03 08:54:17 https://iximiuz.com/en/posts/thick-container-vulnerabilities/ 2021-06-03 08:58:54 nice 2021-06-03 10:27:07 that's a really neat tool, the last one i used to inspect individual layers was https://github.com/wagoodman/dive 2021-06-03 10:29:22 apparently this _is_ dive? 2021-06-03 15:13:33 oh, wut 2021-06-03 20:23:20 we should figure out if we want to participate on distros list 2021-06-04 05:20:00 it should be an obvious 'yes' and i don't see anything against it, so it's a yes from me 2021-06-04 08:14:57 +1 from me 2021-06-04 13:57:03 danieli: well the question is whether we are willing to accept the lack-of-transparency requirements 2021-06-04 13:57:28 i am personally fundamentally opposed to embargos 2021-06-04 13:57:51 however, if the alpine security team thinks being on distros is good 2021-06-04 13:58:00 then we should do it i guess 2021-06-04 13:58:20 then don't, at the end of the day it's your call 2021-06-04 13:58:38 we don't share that opposition though - i believe that if there were no embargos, things would be way, way more chaotic 2021-06-04 13:58:48 isn't a short embargo better than the "here is the vuln, it's 3am, good luck have fun"? 2021-06-04 13:59:37 i'm fine with coordinated disclosure, the embargos i have issues with are the ones which prohibit actually fixing an issue until disclosure time 2021-06-04 13:59:56 i think if there is a known vuln it should be fixed ASAP 2021-06-04 14:00:00 right, there's a lot of unnecessary red tape around many embargos 2021-06-04 14:00:23 so my question is, what do the embargos on distros list look like? 2021-06-04 14:00:31 do we actually get anything from being on it 2021-06-04 14:00:34 guess we won't know until we see it 2021-06-04 14:01:03 at the very least we get a "heads up" about what will have to be focused on once vulns *are* disclosed 2021-06-04 14:01:21 ...there are other ways to get those "heads up", that list is very leaky :) 2021-06-04 14:01:35 yup, but it's more reliable than gossip 2021-06-04 14:01:38 and leaks 2021-06-04 14:01:57 i have happened to be going for strolls in my neighborhood and had random trucks pass by with the juicy ones 2021-06-04 14:02:04 ;) 2021-06-04 14:03:02 lol 2021-06-04 14:04:18 so have i, but still it's not reliable and not necessarily trustworthy 2021-06-04 14:14:19 well the thing is 2021-06-04 14:14:36 if we get it from a leak and mitigate it early, that's Not Our Problem right now 2021-06-04 14:14:54 if we join the distros list, we would have to, not do that 2021-06-04 14:15:12 If we cannot fix things before the embargo ends, does it realy help us? 2021-06-04 14:15:54 What does the early disclosure help then? 2021-06-04 14:16:11 s/what/how 2021-06-04 14:18:16 yes, i think the early disclosure helps people like Linode more than it does help us 2021-06-04 14:18:22 because they can stage the updates 2021-06-04 14:19:31 At most we could make hidden MRs 2021-06-04 14:31:02 right, we technically aren't even allowed to share the details with maintainers 2021-06-04 14:31:20 Gentoo gets around that by making developers agree to an NDA with the security team 2021-06-04 14:31:33 i wish i were kidding 2021-06-04 14:35:39 and so the question i have is, right now, we have freedom to fix whatever we find out about immediately 2021-06-04 14:36:04 is it worth trading that for something that is ultimately antithetical to free software ideals 2021-06-04 14:36:59 Personally I see little benefit 2021-06-04 14:37:03 https://github.com/distributedweaknessfiling/securitylist 2021-06-04 14:37:10 this looks interesting 2021-06-04 14:37:28 vs the NVD one 2021-06-04 14:37:28 i'm going to build some tooling around it and look at switching to this feed 2021-06-04 14:45:05 i especially don't want to be in the awkward position of having to tell a maintainer NOT to fix something BECAUSE we are bound to some embargo 2021-06-04 14:52:42 i think it is somewhat a feature actually, that we do security 100% in the open 2021-06-04 14:54:52 anyway, maybe we should schedule a meeting next week to actually talk about the distros list and conclude what the pros and cons are 2021-06-04 14:55:10 i think it is a feature that we are 100% in the open, but i can be convinced otherwise of course 2021-06-04 15:24:06 nice that yandex is asking about the license of the sec fixes data 2021-06-04 15:24:24 i dont think anyone else has asked about it 2021-06-04 15:24:40 Not that I'm aware of 2021-06-04 15:26:26 Something like CC-BY? 2021-06-04 15:29:00 I wonder who even owns the copyright on it 2021-06-04 15:29:05 It's a generated document 2021-06-04 15:31:06 yeah good questions 2021-06-04 15:33:05 CC-BY seems fine to me 2021-06-04 15:33:47 and SA? 2021-06-04 15:33:53 CC-BY-SA? 2021-06-04 15:42:29 also fine 2021-06-07 02:30:46 TIL: the alpine secdb is used by a bunch of vendors to train their CPE mapping rules 2021-06-07 02:31:13 apparently alpine secdb is a very high quality corpus for that 2021-06-07 04:29:47 nice 2021-06-07 06:48:12 hah! why am i not surprised 2021-06-08 06:59:31 Anchore's scanner is really good, it found things we missed :s 2021-06-08 16:14:35 ikke: https://gitlab.alpinelinux.org/alpine/infra/docker/secdb/-/merge_requests/5 2021-06-09 13:36:51 ncopa: if ^ is alright with you, I'll merge + deploy it 2021-06-09 13:45:21 ok with me 2021-06-09 14:06:19 gitlab is replacing its container scanner, going from Clair to Trivy 2021-06-09 20:46:22 https://www.phoronix.com/scan.php?page=news_item&px=Fedora-Yescrypt-PW-Hashing 2021-06-11 05:27:42 https://www.openwall.com/lists/oss-security/2021/06/10/9, but it's still reserved on cve.mitre.org, and no entry yet on nvd 2021-06-11 05:30:38 yep 2021-06-11 05:30:51 i’ve been digging into it 2021-06-11 05:32:50 ok 2021-06-14 13:44:11 https://gitlab.alpinelinux.org/alpine/aports/-/issues/12754 2021-06-14 13:50:17 i think we should check that from CI 2021-06-14 19:08:53 J0WI has been killing it but yes sometimes he has missed some things 2021-06-15 07:33:41 hi guys. I was wondering the worflow that is now in place to get CVE packages fixed 2021-06-15 07:34:31 afaict, compared with previous "workflow", where a user was creating issue with the CVE and related patch, not this part is automatized with the tools written by Ariadne 2021-06-15 07:34:40 so we have now security.alpinelinux.org. 2021-06-15 07:35:25 As maitnainer, what shoud I do now? Going trough the packages that appears to be vulnerable according with security.alpinelinux.org, verify them, and apply the patch? 2021-06-15 07:35:51 ofc putting the sec-fixes: info inside the APKBUILD 2021-06-15 07:36:14 is this all what is needed, or there something that I'm missing? 2021-06-15 07:37:33 fcolista: no, that's it 2021-06-15 07:37:45 in the future, the goal is to have issues automatically created 2021-06-15 07:38:42 ok. So it's up to me writing a script that alerts me when a new vul package appears in security.alpinelinux.org :) 2021-06-15 07:41:51 curl -H 'Accept: application/ld+json' https://security.alpinelinux.org/branch/edge-main 2021-06-15 07:42:50 yeah..I saw that at the bottom of s.a.o. page. Thanks ikke 2021-06-15 07:43:41 But, I the goal is to have automatic issues, so that not everyone has to create their own scripts :) 2021-06-15 07:44:48 correct...just in the meanwhile ;) 2021-06-15 10:26:10 basically, the workflow i envision is something like this 2021-06-15 10:26:34 - if the security team can handle fixing the package directly, we will just do a non-maintainer update 2021-06-15 10:26:50 - if the security team needs the assistance of the maintainer, then we open a bug 2021-06-15 10:28:22 (the reason why is, i'd rather just fix the CVEs, and there's quite a few packages i need to keep an eye on directly as LF stuff like tinkerbell or EVE, or other notable downstream projects like pmOS depend on them) 2021-06-15 10:29:29 thats why i haven't gotten around to writing a bot to sync issues with the tracker yet 2021-06-15 10:30:03 in most cases, we don't need to open an issue because we can just spend 5 extra minutes after the research phase and just fix the package 2021-06-15 10:30:24 so i want to make sure we get that right first 2021-06-15 10:30:32 also, we've been working on getting 3.14 out the door :P 2021-06-16 19:19:33 3.14 is available on security.a.o 2021-06-18 19:07:40 https://github.com/slsa-framework/slsa 2021-06-18 19:08:05 The README.md file talks through curl-in-an-Alpine-container as an example 2021-06-19 09:26:08 Ariadne: i think we are having secscanner issues again 2021-06-19 09:26:31 looks like some go based scanner that is ripping secdb.a.o 2021-06-19 09:26:57 as in were being flooded with fetches? 2021-06-19 09:26:58 already 8TiB of data has already gone 2021-06-19 09:27:21 causing constant 20 mbit traffic out 2021-06-19 09:27:21 individual clients fetching it 2021-06-19 09:27:21 yes 2021-06-19 09:27:21 looking at the log is like looking into the matrix 2021-06-19 09:27:34 do we know what secscanner :D 2021-06-19 09:27:41 just the go client 2021-06-19 09:27:44 maybe we should implement a policy 2021-06-19 09:27:53 199.184.*.* - - [19/Jun/2021:09:24:53 +0000] "GET /v3.9/main.yaml HTTP/1.1" 200 50021 "-" "Go-http-client/2.0" "199.184.*.*" 2021-06-19 09:27:53 i was thinking we should write an article on www 2021-06-19 09:27:54 where the secscanners have to use 2021-06-19 09:28:11 an http agent that identifies itself 2021-06-19 09:29:05 cause on the ml it wont get much attention 2021-06-19 09:30:12 we could also host it on github and let them deal with it :) 2021-06-19 09:31:05 i think, we should not do that 2021-06-19 09:31:18 i am open to running the secdb service on my machines though 2021-06-19 09:31:21 20mbps is nothing 2021-06-19 09:31:24 however, 2021-06-19 09:31:26 it was a joke 2021-06-19 09:31:37 i think these scanners should be identifying themselves 2021-06-19 09:31:37 It's just the principle 2021-06-19 09:31:40 when downloading the data 2021-06-19 09:31:41 but we need to do something about it 2021-06-19 09:31:46 so, my suggestion is 2021-06-19 09:31:57 we ban go-http-client/2.0 useragent after july 1 2021-06-19 09:32:03 first it was cgit, now its secdb 2021-06-19 09:32:20 that should be possible in nginx 2021-06-19 09:32:28 We already have it for cgit 2021-06-19 09:32:32 if ($http_user_agent ~/go-http-client/) { return 403; } 2021-06-19 09:32:36 even if you ban it, the go code is probably not soon to disappear, and you still need to drop the connections. 2021-06-19 09:32:42 true 2021-06-19 09:32:49 and thats taking already lots of cpu 2021-06-19 09:33:03 well thats all i have :p 2021-06-19 09:33:11 theres no identifying info 2021-06-19 09:33:14 in the requests 2021-06-19 09:33:21 I hope blocking it leads to users complaining to the secfix scanner 2021-06-19 09:33:24 i wonder how many connections its doing now, and it it will get any crazier. 2021-06-19 09:33:33 if* 2021-06-19 09:33:41 anyway, we should block go-http-client 2021-06-19 09:33:45 replace with message saying 2021-06-19 09:33:51 fuck off 2021-06-19 09:33:51 ? 2021-06-19 09:33:52 generic user-agent headers are banned 2021-06-19 09:33:56 yes, basically :) 2021-06-19 09:34:05 https://httpstatuses.com/429 2021-06-19 09:34:22 well, our goal is to get security scanners 2021-06-19 09:34:25 to identify themselves 2021-06-19 09:34:30 so we can figure out who behaves badly, right? 2021-06-19 09:34:41 yes 2021-06-19 09:34:49 we could do that 2021-06-19 09:34:55 not sure who wants to implement it 2021-06-19 09:34:56 i know that trivy is fine 2021-06-19 09:35:09 something like a http header identification or similar 2021-06-19 09:35:12 they collect and cache all the security databases 2021-06-19 09:35:24 clandmeter: just change User-Agent field to something other than Go-http-client/2.0 :) 2021-06-19 09:35:34 like 2021-06-19 09:35:44 Trivy v1.2.3 (Go-http-client/2.0) 2021-06-19 09:35:46 or whatever 2021-06-19 09:35:49 thats what we want 2021-06-19 09:35:58 because then we can figure out who owns the product that is spamming us 2021-06-19 09:36:18 so what to do when somebody does not follow that idea 2021-06-19 09:36:24 and uses a very common user agent 2021-06-19 09:36:31 block it 2021-06-19 09:36:35 you cant 2021-06-19 09:36:43 only on layer 7 2021-06-19 09:36:45 you cant just block everything 2021-06-19 09:37:32 rate limiting per user agent 2021-06-19 09:37:34 we can implement rate limits 2021-06-19 09:37:36 :D 2021-06-19 09:37:42 if you use some generic shit 2021-06-19 09:37:45 you get throttled 2021-06-19 09:38:00 if we rate limit this go client, other go clients will have no way of getting in. 2021-06-19 09:38:05 true 2021-06-19 09:38:10 but 2021-06-19 09:38:16 i think the only way 2021-06-19 09:38:27 there is no ideal solution 2021-06-19 09:38:29 is to have a transitional period 2021-06-19 09:38:34 e.g. 2021-06-19 09:38:36 so we have to get by with the means we have 2021-06-19 09:38:48 we announce that clients MUST set a user-agent that identifies the software/whatever 2021-06-19 09:39:02 and then in X months, we block the generic ones or rate limit or whatever 2021-06-19 09:39:16 beyond that, i don't really have any ideas 2021-06-19 09:39:22 maybe we can put the database behind fastly? 2021-06-19 09:39:39 thats an idea yes 2021-06-19 09:40:01 if it does not go down 2021-06-19 09:40:03 :p 2021-06-19 09:40:05 :D 2021-06-19 09:40:10 too soon 2021-06-19 09:40:52 if somebody wants to set it up, not sure i have energy to do it. 2021-06-19 09:41:12 and ikke has too much hooi on his fork already 2021-06-19 09:41:15 ;-) 2021-06-19 09:42:06 gonna paint the house, bbl 2021-06-19 09:42:18 clandmeter: i can do it next week if somebody tells me what needs to be done 2021-06-19 09:43:52 I guess we need a fastly config that points to the origin 2021-06-19 09:44:36 and check if we can add another entrypoint? 2021-06-19 09:46:13 We can create a new service 2021-06-19 09:48:01 the problem i assume is actually the TLS connections 2021-06-19 09:56:01 You mean causing CPU usage? 2021-06-19 09:59:45 clandmeter already setup letsencrypt for dl-cdn 2021-06-19 09:59:47 on fastly 2021-06-19 10:00:57 The issue is cache invalidation 2021-06-19 10:01:07 The filenames will always be the same 2021-06-19 10:05:51 I guess just set a TTL not too long 2021-06-19 10:21:06 i mean the CPU use of all the TLS connections already fetching secdb data :p 2021-06-19 10:21:27 right 2021-06-19 10:21:43 load is not that hight to be honest 2021-06-19 10:21:50 it's mostly the traffic 2021-06-19 10:21:58 I mean, secdb data itself is static 2021-06-19 10:22:05 with cgit, we had more issues 2021-06-23 04:34:41 anjan │ is there a security advisory anounce email for alpine's security issues? 2021-06-23 07:06:16 soon(tm) 2021-06-25 04:41:50 working on security rejections database 2021-06-25 04:41:59 so we can stop doing 0: - CVE-whatever 2021-06-25 04:43:50 alright 2021-06-25 09:21:55 good morning. i wonder if security team could take over the alpine linux ca-certificates packaging? 2021-06-25 09:22:01 https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/1 2021-06-25 11:50:47 yes 2021-06-25 12:15:50 thanks 2021-06-25 12:32:35 what is the current blocker on https://gitlab.alpinelinux.org/alpine/infra/docker/secdb/-/merge_requests/5 ? 2021-06-25 13:04:59 Me being annoyed it's not easy to share runners in forks 2021-06-25 13:24:41 well, main reason is, i have had some inquiries 2021-06-25 13:26:51 OK, will handle it tonight 2021-06-26 06:19:42 secdb now includes a last-update file as well 2021-06-29 19:58:30 ikke: if you are still around, can you make https://gitlab.alpinelinux.org/kaniini/security-rejections public 2021-06-29 20:00:33 done 2021-06-29 20:06:30 thanks 2021-06-29 22:35:40 https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/merge_requests/4 2021-06-30 11:18:12 deployed 2021-06-30 13:39:07 thanks 2021-06-30 13:39:12 can i get an invite to the other channel 2021-06-30 13:39:21 i switched to irccloud because i got tired of quassel lagging 2021-06-30 20:45:49 https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/22648