gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
rajivr has joined #nixos-security
ris has quit [Ping timeout: 260 seconds]
justanotheruser has quit [Ping timeout: 272 seconds]
justanotheruser has joined #nixos-security
kalbasit_ has joined #nixos-security
kalbasit_ has quit [Ping timeout: 256 seconds]
elvishjerricco has quit [Ping timeout: 240 seconds]
elvishjerricco has joined #nixos-security
hax404 has quit [Ping timeout: 240 seconds]
hax404 has joined #nixos-security
ris has joined #nixos-security
<pie_> gchristensen: are embargod cves allowed to say when they wont be embargod
<pie_> whats this disclosure wg?
<Foxboron> pie_: embargoed CVEs should come with a disclosure time.
<pie_> i gave a wishlist of stuff i wish cve people did to a head of incident response once, though i imagine everyone has such wishlists :p
<pie_> aha thanks
<Foxboron> I imagine there is nothing surprising on that wishlist :)
<pie_> not that i have much experience dealing with uvlnerability management
<pie_> mostly process management tooling stuff :P (my nixos is showing)
<pie_> but i bet aint nobody got time to file quality cve information, and things like bundling vuln checking code with a cve would probably be weaponizable?
<pie_> not tht mtasploit etc doesnt already exist
<Foxboron> I'll wagerrr bundling vuln checking code is going to a nice in theory kind of thing, but fairly unreliable/not a good idea in practise
<Foxboron> wager*
<pie_> *shrugs cluelessly*
<Foxboron> And few people are going to be writing that code to begin with. So it's just more paperwork for potentially very little
<Foxboron> and considering most CVEs are proprietary stuff
<pie_> yes this is very hypotheticla because aint nobody got time fo dat, but i dunno, if there was quality scanning plugins for each cve you could do stuff like check against every version of things in nixpkgs automatically
<pie_> why do you think it would be unreliable / bad in practice?
<Foxboron> Because the CVE could very well be within some constrains of the software. Like the samba vuln only being accessible with a non-default config option.
<pie_> sight
<pie_> *right
<pie_> incident response -adjacent people are overencumbered already, let me make their work easier by giving them more work :ő
<pie_> * :p
<Foxboron> This mean you can't have one set of code to trigger the exploit. But sanity checking code for the environment. And considering we do have things nixos and traditional distros... this isn't going to be easy :)
<pie_> i think it could be pretty good to have a piece of code as opposed to some vague handwaving text, but *shrug*
<pie_> also sure, people dont _want_ to tell you exactly whats broken most of the time
<pie_> i imagine.
<pie_> if everybodys check code starts looking the same one might think theyre due some process improvements :p
<andi-> defects? No! My(!) software is perfect!
<andi-> ;-)
<pie_> well thats what the customers need to think :p
<MichaelRaskin> full-disclosure with example exploit code did not appear from nowhere!
<pie_> didnt know they did that on full-disclosure. neat.
<MichaelRaskin> Well, some people do attach example code to reports
<pie_> yeah i didnt think everyone did it
dywedir[m] has quit [Quit: Idle for 30+ days]
<__red__> well, that's always the fundamental issue and my there's embargos in the first place
<__red__> if you say there's an embargo on something - people look there
<__red__> same when MS releases patches, we're immediately bindiffing it
<__red__> It's a mess, I'm not sure anyone knows the answer
<__red__> but as you say, additional paperwork probably isn't the answer unless it does improve things in some way
sphalerite has quit [Quit: boot, boot, boot, boot, reboot the outdated server]
sphalerite has joined #nixos-security
rajivr has quit [Quit: Connection closed for inactivity]
<pie_> __red__: i think what i wanted would, its just more work
<pie_> and most security fixes probably dont even get a cve
<pie_> theyre just fixed silently as bugfixes
<MichaelRaskin> A lot of security fixes do not even get identified as such
<pie_> right thats what i meant
<MichaelRaskin> Which makes sense, if it is a memory corruption it should be fixed, who has time to wonder if it is security or not
<__red__> People who write offensive tools, that's who.
<pie_> :D