daniel:// stenberg://

9 months ago

daniel:// stenberg://
9 months ago

Do you think this is fair?

"Problems that only trigger using legacy dependencies are not considered security problems."

github.com/curl/curl/pull/1608…

#curl

VULN-DISCLOSURE-POLICY: on legacy dependencies by bagder · Pull Request #16086 · curl/curl

^GitHub

#curl

Unknown parent

daniel:// stenberg://

Unknown parent 9 months ago

@ChrisUplus well, I don't know if people do it. The question is more: if we identify a problem in curl due to such a combination, how do we treat it.

@🌈 Kerblambuli 🦄

in reply to daniel:// stenberg://

Nemo_bis 🌈

in reply to daniel:// stenberg:// 9 months ago

I can't parse the sentence. Does the problem trigger the use of the dependency, or vice versa?

in reply to Nemo_bis 🌈

daniel:// stenberg://

in reply to Nemo_bis 🌈 9 months ago

@nemobis if there is a problem in curl, but it needs this legacy dependency to trigger

@Nemo_bis 🌈

in reply to daniel:// stenberg://

Mika Rautio

in reply to daniel:// stenberg:// 9 months ago

sounds like a fair policy and helps to focus investigations and mitigations in more relevant findings. I would assume that a component defined as "legacy dependency". or system using it, is having more vulnerabilities and issues that should be addressed as well

in reply to Mika Rautio

daniel:// stenberg://

in reply to Mika Rautio 9 months ago

@mrautio yes exactly. Users using those legacy things can in some ways be considered having "given up"

@Mika Rautio

in reply to daniel:// stenberg://

Winni Neessen

in reply to daniel:// stenberg:// 9 months ago

While I fully agree with the notion, I think the wording might be open to interpretation. For a component to be considered "legacy" does it need to match all 3 of the things in the list or just one of them? Maybe some clarification can be added.

in reply to Winni Neessen

daniel:// stenberg://

in reply to Winni Neessen 9 months ago

@winni good feedback. I will clarify

@Winni Neessen

in reply to daniel:// stenberg://

Wolf480pl

in reply to daniel:// stenberg:// 9 months ago

are the three criteria combined with an AND or with an OR?

in reply to daniel:// stenberg://

:thonk:

in reply to daniel:// stenberg:// 9 months ago

if these deps are below the minimum specified version of the curl release, then it's not your problem
@bagder

@daniel:// stenberg://

in reply to daniel:// stenberg://

Stephen Paulger

in reply to daniel:// stenberg:// 9 months ago

if it’s a supported version of the dependency then the issue should be reported to the dependency. If it’s not supported then there’s nothing for you or the dependency’s developer to fix.

Your conditions are such that there should be very few people affected. So it seems to me entirely reasonable, maybe there are exceptions you would encounter but you still have the ability to decide to do something in those exceptional cases.

in reply to Stephen Paulger

daniel:// stenberg://

in reply to Stephen Paulger 9 months ago

I want to avoid the question "what is supported" because it is hard to keep such info up to date. So I try to find a line in the sand of what is definitely not used by anyone who cares.

This entry was edited (9 months ago)

in reply to daniel:// stenberg://

Stephen Paulger

in reply to daniel:// stenberg:// 9 months ago

I meant more if the dependency’s developer says it’s supported. If you don’t know then I think your 10 year window is sufficiently cautious.

in reply to daniel:// stenberg://

truh

in reply to daniel:// stenberg:// 9 months ago

Legacy for the sake of it or legacy but still widely in use?

in reply to truh

daniel:// stenberg://

in reply to truh 9 months ago

@truh hence the attempt to define it in the text...

@truh

in reply to daniel:// stenberg://

abadidea

in reply to daniel:// stenberg:// 9 months ago

sounds reasonable; “doctor, it hurts when I link against libraries that even Debian on its stablest day would consider too old to support”

in reply to daniel:// stenberg://

👾cosmicvisitors

in reply to daniel:// stenberg:// 9 months ago

sounds fair enough, if you want someone to maintain legacy stuff they should get paid / some sort of support contract be put in place. Also the upgrade route is free.

in reply to daniel:// stenberg://

Christen Lofland

in reply to daniel:// stenberg:// 9 months ago

if the company I work for is doing this, they will keep doing it and insist it must be done for some stupid reason. If you issue a CVE about it, my company will be forced, due to required external audits, to stop doing this.
So yes, making a CVE is a public good because it will call out poor practices more clearly and label them with a reason to stop that isn’t easy to ignore.

in reply to daniel:// stenberg://

Joshua J. Drake

in reply to daniel:// stenberg:// 9 months ago

how about refusing to compile with such an outdated dependency?

Unknown parent

daniel:// stenberg://

Unknown parent 9 months ago

@berrange support for our releases is a different beast. We do not do support for old releases at all if the problem is not also still around in latest.

@Daniel P. Berrangé 📷 🎨 🔭 📡

⇧

daniel:// stenberg:// 9 months ago • •

daniel:// stenberg://
9 months ago