sjvn
FFmpeg to Google Fund Us or Stop Sending Bugs: https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/ by @sjvn
The clash between small volunteer-driven, open-source projects, such as FFmpeg & the billion-dollar companies built on their work, which demand rapid security patches, is heating up.
Wolf480pl
@sjvn I think it's unclear what's preventing ffmpeg devs from just ignoring these bug reports.
Like, if GPZ were to publish the details of an unfixed vuln in a rarely-used feature of ffmpeg, there shouldn't be much impact on real users, most of the pain would be with the CVE-obsessed corpos that use ffmpeg in their products, right?
Haelwenn /элвэн/ :triskell:
Wolf480pl
@lanodan @sjvn
Right, so they'd have to survive a wave of corpos asking about the CVE and tell all of them to send a patch or gtfo....
Maybe they could create an issue on their issue tracker with the details of the vuln, and info why it's not a priority and that they lack resources to fix it.
Then send all the angry corpos a link to that issue, and disable notifications.
Haelwenn /элвэн/ :triskell:
Wolf480pl
@lanodan @sjvn
Oh, also I don't blame corpos for having a "zero unfixed CVEs" policy for the simple reason that CVE metadata is not sufficient to effectively filter out things that don't affect you.
Wolf480pl
@lanodan @sjvn
I see three possible outcomes:
- the corpos eventually make a patch
- the corpos fork ffmpeg
- the corpos remove ffmpeg from all of their products
I don't think any of those would be tragic, though getting there might be painful :/
Phantasm
Phantasm
Wolf480pl
Haelwenn /элвэн/ :triskell:
Haelwenn /элвэн/ :triskell:
Wolf480pl
Assume I haven OS that has unattended security updates.
And I run a web backend written in python on that host.
And it has requirements.txt
And I create a virtualenv and venv/bin/pip install -r requirements.txt before running my backend.
And I want someone to go through requirements.txt, and find all libs that have vulns, and go through my code, see how I use those libs, and tell me which I need to update.
Haelwenn /элвэн/ :triskell:
Wolf480pl
@lanodan @sjvn
right, but those are usually compiled by pip still?
Like you install build-essentials on the host OS, and then pip will take care of compiling all the rust code?
Haelwenn /элвэн/ :triskell:
Phantasm
Wolf480pl
I suspect that might be the only way to use CVEs at all.
Also, have you ever worked at a company that cared about security fixes but had a more reasonable approach to it?
Phantasm
Haelwenn /элвэн/ :triskell:
@phnt @sjvn @wolf480pl At least that comes from PyPI, there's also some horrors which downloads blobs in the setup.py or during runtime.
Haelwenn /элвэн/ :triskell:
Wolf480pl
@phnt
that sounds like one of the invariants of pypi has been broken/abandoned...
Phantasm
Haelwenn /элвэн/ :triskell:
Haelwenn /элвэн/ :triskell:
@wolf480pl @phnt @sjvn Nah, requirements.txt is way too loose as it's just for dependency requirements, and which blobs will be downloaded is by definition system-dependent.
You'd want either a lockfile (hell to maintain, pretty much nobody really uses them for security purposes, after all you'd need to audit binaries if you'd do) or a curated repository like a distro.
Wolf480pl
Wolf480pl
@lanodan @phnt @sjvn
in any case:
which binary wheels get installed, and which blobs get downloaded, is still determined by requirements.txt, right?
So someone could recursively explore all of that pile?
Wolf480pl
@lanodan
btw. I read the rest of that blogpost, kinda couldn't believe the Java situation, so I looked it up and found this:
https://www.chainguard.dev/unchained/fully-bootstrapping-java-from-source-in-wolfi
and it indeed looks like a herculean effort
Haelwenn /элвэн/ :triskell:
J. R. DePriest :verified_trans: :donor: :Moopsy: :EA DATA. SF:
@phnt @sjvn @wolf480pl @lanodan working in threat management at a mid-sized company and prioritizing vulnerabilities is a full time job focusing on actual risk.
CVEs are labels that make it easier to talk about specific vulnerabilities, nothing more.
A "Zero CVE Policy" doesn't even make sense and is literally impossible without huge caveats and exceptions.
Also, CVEs don't exist for misconfigurations. Which is a bigger risk? Default password on your external firewall or a CVE with a CVSS score of 10.0 on a dev server with no Internet access?
AI Slop CVEs are a grift to "get those numbers up".
Wolf480pl
@jrdepriest @phnt @sjvn @lanodan
Is there any hope for a small company with a handful of developers and 1 or 2 sysadmins to do anything about vulnerabilities?
J. R. DePriest :verified_trans: :donor: :Moopsy: :EA DATA. SF:
@wolf480pl @phnt @sjvn @lanodan I think the public, in general, puts too much pressure on small, mostly volunteer teams.
On the one hand, these projects are vital lynchpins holding up trillion dollar industries.
On the other, they apparently aren't worth a contact or even a donation by those using them.
I imagine corporations would spend FTEs building complicated workarounds rather than fund an open source protect. They think, "someone else will step in and fix it, eventually."
What can the small projects do? I don't know. So much of our infrastructure is designed around taking away their power while magnifying their responsibility. If it were me, I'd probably work myself to death trying to be everything for everybody. Ideally, they'd be able to go on strike. No fixes the leeches step up with people or funds. But that's taking your life into your own hands. That could end badly.
I don't have a solution. The most important thing is to prioritize but with AI generated CVEs, I'm not sure the flood is manageable.
My advice is that your mental health should come first. Always. Every day. Take care of yourself.
Haelwenn /элвэн/ :triskell:
Phantasm
Haelwenn /элвэн/ :triskell:
Wolf480pl
@jrdepriest @phnt @sjvn @lanodan
I guess I went on a tangent without making it clear:
We all know the situation for small open-source projects with large corporate userbase is rough.
But at least it's not the FOSS projects that'll get pwned if they miss something - the large corpos will.
Then we started talking about how companies manage vulns, and whether they're doing it wrong.
1/
Wolf480pl
@jrdepriest @phnt @sjvn @lanodan
So my question was about how a small-to-medium company (eg. one whose product is a website) that can't dedicate a whole person to patch management could approach this problem without resorting to "get CVE scanner, filter by severity == critical, cry in a corner because there's still too much stuff".
Wolf480pl
@lanodan @phnt @jrdepriest @sjvn
I wish I could go to the devs and tell them
"No pypi, only use dependencies packaged in Debian. If you want a library that's not packaged in Debian, open a ticket with the SRE team, we'll package it. Rate limit: one library per month."
Though I guess even that would be unsustainable.
Haelwenn /элвэн/ :triskell:
@wolf480pl @phnt @jrdepriest @sjvn I think it's a cultural problem that then made things just seem unrealistic due to it impacting the ecosystem, like Debian has a *lot* of python libraries to choose from but searching for those is a mess, and then there's also things like libraries with hundreds of dependencies or really awkward (if not simply broken) buildsystems.
Also PYTHONPATH is a thing so you wouldn't need to wait for packaging team during development, at least when there's already been a basic check on whether the library is viable (which seems to never be really done).
Haelwenn /элвэн/ :triskell:
Wolf480pl
@lanodan @phnt @jrdepriest @sjvn
I'm afraid there are whole fields whose python libs are not packaged by Debian... though to know for sure i should go through $dayjob's requirements.txt and see how much of that is packaged...
sjvn
@lanodan @phnt@fluffytail.org @jrdepriest @wolf480pl There's been lots of AI garbage CVEs. I wrote about it a while back. https://www.zdnet.com/article/how-fake-security-reports-are-swamping-open-source-projects-thanks-to-ai/
Check out @bagder cURL's creator and maintainer, and his endless battles against AI security spam.
Haelwenn /элвэн/ :triskell:
🪨
@jrdepriest @phnt @sjvn @wolf480pl @lanodan A score of 10.0 wouldn't be possible on a dev server with no internet access, since it would have a low exploitability.
Bart Veldhuizen 🚀
@sjvn add more bugs that specifically break Google’s systems and nothing else
Haelwenn /элвэн/ :triskell:
🪨
@lanodan @sjvn @wolf480pl @jrdepriest @phnt Let me rephrase: it wouldn't be possible to exploit a 10.0 CVE vulnerability on a dev server without internet access, because a part of the CVSS score is the attack vector, and for a score of 10.0 you'd need an attack that can be easily made over a network, so the offline dev server can't be impacted. So that example is irrelevant.
fu
Henrik Pauli
@sjvn Will Google create a fake community poll like they did with XSLT and try to replace this too?
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.