On Wed, Jul 14, 2021 at 12:04:34AM +0200, Andreas K. Huettel wrote: > <snip> > > The package was masked due to a miscommunication with the Gentoo > > Security project. > > > > While it is true that the way opentmpfiles is currently implemented > > allows for certain races, from the security point of view, you always > > have to classify the vulnerability in context of your threat model > > because security depends on multiple layers (onion model). > <snip> > > I would like to respectfully point out that this makes > > 1) either the severity assignment of this bug by the Security project as B1 > wrong (i.e. it should have been classified "harmless") >
The Gentoo model is not perfect and should be overhauled. However, it works for most things and sometimes bugs fall between the cracks. The package shouldn't have been masked either based on a bug that was purposely ignored for many years simply because they want to disband the package now and found a "security reason" to add to the mask. > 2) or the entire classification of severity levels according to the Security > project pointless (i.e. you can't base any actions on them because a mystery > onion needs to be taken into account). > I am not sure if this is sarcasm, but every bug must be considered through the correct aperture. That is, based on your environment, protections in place, defense in depth, and other buzzwords... hence the onion analogy. -Aaron
signature.asc
Description: PGP signature
