[ovs-dev] [PATCH RFC] SECURITY: New document describing proposed security process for OVS.

Kyle Mestery mestery at mestery.com
Tue Jan 6 18:11:07 UTC 2015


On Tue, Jan 6, 2015 at 11:58 AM, Ben Pfaff <blp at nicira.com> wrote:

> On Mon, Jan 05, 2015 at 09:29:47AM -0600, Kyle Mestery wrote:
> > On Mon, Jan 5, 2015 at 9:23 AM, Jiri Benc <jbenc at redhat.com> wrote:
> >
> > > On Fri, 2 Jan 2015 17:57:14 -0800, Ben Pfaff wrote:
> > > >     1) Consider provisions for ensuring privacy and integrity of
> > > >     communications around disclosure (eg, use PGP for all comms).
> > >
> > > That never hurts. I'd argue that's not strictly required though, as the
> > > code speaks for itself and anybody can verify the patch does what it
> > > does and the reasoning is correct.
> > >
> > > >     2) Consider provisions for handling the vuln info to prevent it from
> > > >     being leaked / stolen from developers (this info can often be worth a
> > > >     lot of money to certain parties with a lot of interest and motivation to
> > > >     get hold of them). This means keeping info in some sort of secured
> > > >     enclaves, and perhaps mixing patch code with other commits to obfuscate
> > > >     the presence of the flaw.
> > >
> > > I strongly disagree with that. Distributions need to be able to cherry
> > > pick the security fixes, any kind of obfuscation and mixing commits for
> > > different things makes the life of distro maintainers harder, leading
> > > to more mistakes, thus less security for those who use ovs via a
> > > distro. Such a thing would not improve security of the ovs project anyway
> > > -- the yet undiscovered bugs do not have a patch to obfuscate, and
> > > discovered and patched bugs are, well, patched. Anybody running on the
> > > latest code base has the fix applied; for backports, a clear patch to
> > > backport is needed.
> > >
> > > >     Parts of OVS are in kernel space, making it quite an
> > > >     “interesting” target, so I wouldn’t take this one lightly.
> > >
> > > The kernel patches will need to go through the kernel security
> > > reporting process:
> > >
> > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/SecurityBugs
> > >
> > > Which is maybe a good idea to include in the documentation?
> > >
> > > ++
> >
> > I think including a link to the kernel security reporting process is
> > necessary here.
>
> I added the following paragraph under "Reception".  Comments welcome.
>
>     The Linux kernel has its own vulnerability management process:
>
>     https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/SecurityBugs
>     Vulnerabilities that affect both the Open vSwitch tree and the
>     upstream Linux kernel should be reported through both processes.
>     Please send your report as a single email to both the kernel and OVS
>     security teams to allow those teams to most easily coordinate among
>     themselves.
>

This reads quite well to me, thanks for adding this Ben.
