nodejs distributions are not affected the same way by security releases #1187
Comments
|
Hi @kapouer, I'm not sure I fully understand what you mean. Do you mean an improvement for security release notes? Isn't this handled by the release WG? What is the current sentence like and where can we see it? https://github.com/nodejs/release They also define what gets backported:
Sure, most distros and the package maintainers there who package the software for the target distros most often recompile, repackage and backport upstream fixes. |
|
That is true for RHEL distributions as well. I'm going to move this into the TSC repo for discussion to see what we might be willing to add to the pre-release announce. The pre-announce is handled by the security stewards and I think we'd want the TSC to be aware if we are going to start adding a disclaimer like that. |
|
I'm +1 to add such a disclaimer. It seemed obvious to me but likely it's not for most devs. |
|
TSC Question: Any concerns with by default adding If you're using a Node.js version which is part of a linux distribution which uses a system installed OpenSSL, this security upate might not concern you, please check with their security team to the pre-announce for any OpenSSL only security releases? |
|
No concerns from me, although I think Homebrew might also be dynamically linking openssl so it's not just Linux distributions. |
|
Considering (i believe) node isn't officially distributed anywhere without openssl, adding such a message seems "fine", but also seems like the sort of thing users sign up for when they choose to use an unofficial installation mechanism. |
|
Discussion in TSC meeting, might want to say that you may need to update your openssl instead. |
So, perhaps we should decide on the text, and add this as a suggested wording for those cases when we are totally sure there won't be any other changes except for the deps update, but leave it at the releaser judgment on whether to include it or not, without specifically suggesting to do that "by default". It won't hurt much if this will be missing in some announcements. cc @MylesBorins @BethGriggs (as is related to what has been discussed on the meeting) -- does that sound good? |
|
@ChALkeR so maybe adding the following in the security release process in this section under the Pre-release announcement to node.js org blog, add the following additional text. If the security release is planned to only contain an OpenSSL update consider adding the following to the pre-release announcement: Since this security release will only includes updates for OpenSSL, if you're using a Node.js version which is part of a linux distribution which uses a system installed OpenSSL, this security update might not concern you. You may instead need to update your system OpenSSL libraries, please check the security announcements for the distribution. |
|
@mhdawson
|
|
@ChALkeR looks good to me. |
|
I'll open a PR to add that and we can have any additional discussion/concerns raised there. |
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]>
|
PR - nodejs/node#42456 |
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: nodejs#42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: nodejs#42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Fixes: nodejs/TSC#1187 Signed-off-by: Michael Dawson <[email protected]> PR-URL: nodejs/node#42456 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Danielle Adams <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
Hi,
as an example, in Debian we have Node.js depending on system-installed OpenSSL,
thus security issues affecting that dependency are, most of the time, dealt with in the corresponding dependency, not in Node.js.
Thus a sentence like "if you're using a Node.js version not distributed by official upstream channel, this security issue might not concern you, please check with their security team", etc...
The text was updated successfully, but these errors were encountered: