Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001

[Sam James <sam () gentoo org>]

> On 29 Jan 2022, at 20:16, Leo Famulari <leo () famulari name> wrote:
>
> On Mon, Jan 24, 2022 at 08:13:15AM -0600, John Helmert III wrote:
> > I don't think it makes much sense for every downstream to make these
> > kinds of assumptions.
>
> Why not? History shows that this assumption will almost always be
> correct for WebKit.
>
> > Besides, this doesn't seem to be what's
> > happening in practice. For example, WSA-2021-0006 was released on
> > October 26, 2021 with vulnerabilities addressed in 2.34.0, released on
> > September 22, but RedHat's bugs for it were only opened in the days
> > after the *security advisory's* release, not the software release. It
> > doesn't help that most most distribution security tooling seems to be
> > oriented around CVEs, which aren't released for WebKit until after the
> > associated advisory.
>
> I'm sure that Red Hat's package maintainers know what a WebKit update
> means. Presumably they are busy and their KPIs prioritize fixing CVEs,
> so they don't act as proactively as one might prefer.
>
> In general, it seems that WebKit is handling these issues like Linux.
> Observers know that important bugs are fixed constantly in software of
> this size and complexity. Relying only on CVEs is too reactive and
> limited in scope to provide a meaningful security stance, increasingly
> so since the CVE assignment system stopped working in the last few
> years.

This isn't an argument against WebKit Doing The Right Thing (TM).

There's no need for us to rehash the standard arguments for/against
bothering with CVEs at all.

The point is that CVE notifications are useful for some of us and
it _seems_ (obviously I can't know) that they're intentionally not
published at the same time as release notes, often a week or more later.

I, and John, are just saying that if possible, it'd be a big help for
them to do so.

Best,
sam

Attachment: signature.asc
Description: Message signed with OpenPGP