Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build,src: add tag/property for security releases #27612

Closed
wants to merge 2 commits into from

Conversation

richardlau
Copy link
Member

@richardlau richardlau commented May 8, 2019

Define a new NODE_VERSION_IS_SECURITY_RELEASE macro in
src/node_version.h that indicates if the release is a security
release. Update the release documentation.

Add a corresponding new property to process.release and include
it in report and trace events output.

Fixes: nodejs/Release#437

cc @nodejs/security-release

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

Define a new `NODE_VERSION_IS_SECURITY_RELEASE` macro in
`src/node_version.h` that indicates if the release is a security
release. Update the release documentation.

Add a corresponding new property to `process.release` and include
it in report and trace events output.
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels May 8, 2019
richardlau added a commit to richardlau/nodejs-dist-indexer that referenced this pull request May 8, 2019
@richardlau
Copy link
Member Author

richardlau commented May 8, 2019

These are the build changes in core required to support nodejs/Release#437. Corresponding changes are required in the tool that builds the index files: nodejs/nodejs-dist-indexer#8

cc @nodejs/security-wg

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented May 8, 2019

src/node_v8_platform-inl.h Outdated Show resolved Hide resolved
@refack
Copy link
Contributor

refack commented May 8, 2019

Is there a "homolog" of such a flag in other language runtimes?

@richardlau
Copy link
Member Author

Is there a "homolog" of such a flag in other language runtimes?

☝️ @bnb, as you raised the requirement.

@rvagg
Copy link
Member

rvagg commented May 9, 2019

What does it mean for a node process to have an internal process.release.security===true or false? How does that model make sense for a running process? "This process is a security process", "this process only exists in its current form because it was fixing a bug in the last version of this process that was a security release". And what does it mean for a C++ compiler to encounter a macro that says "this code is a security release"? Why should it make any difference at either level?

This information doesn't relate to a process and it only relates to the codebase in a temporal sense of "this commit is better than an older commit because of <security reasons>" but even that doesn't extend into compiler or runtime land, it's just irelevant and serves no purpose. Or does it? Is there a consumption model of this that makes sense beyond metadata for the generation of index.json and index.tab?

I don't mind the idea of being able to report it in index.json/index.tab though.

Here's two alternatives:

  1. Adjust dist-indexer to look at the commit message for the release tag. We've always had a lose requirement for including text that indicates a security release. I think all of mine start with "This is a security release." (matching "security release" isn't quite good enough unfortunately). That could just be codified into release docs.

  2. Use existing information available in https://github.com/nodejs/security-wg/blob/master/vuln/core/ to figure this out. I've been making a point of being very clear with version information in all of the most recent additions so you can tell what versions are impacted.

e.g. from 59 for CVE-2018-12123

  "vulnerable": "6 || 8 || 10 || 11",
  "patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0",

6.15.0, 8.14.0, 10.14.0, 11.3.0 are all clearly security releases.

The trick is connecting this with the consumer. I've been inclined to say that it's up to consumers to put these pieces together, and ideally downstream packagers and service providers to provide a nice format for it (e.g. Snyk saying "hey, you're running a vulnerable version of Node" by having this information available). It's true that in the past, those vuln/core JSON files haven't been put in place until after releases were out, so it wouldn't have been possible for index.json and index.tab to have accurate information at that moment (it could be made accurate with a later re-run). But maybe that's a matter of process too.

@richardlau
Copy link
Member Author

Adjust dist-indexer to look at the commit message for the release tag. We've always had a lose requirement for including text that indicates a security release. I think all of mine start with "This is a security release." (matching "security release" isn't quite good enough unfortunately). That could just be codified into release docs.

@rvagg I've just submitted nodejs/nodejs-dist-indexer#9 that does this. If that's the preferred approach we can close this PR and just submit a release docs update to this repository to codify the "This is a security release." in commit message convention.

@jasnell
Copy link
Member

jasnell commented May 10, 2019

I'm -1 on adding a runtime property here because the value is likely limited and there is a non-zero chance of it being used in less-than-desirable ways.

@Trott
Copy link
Member

Trott commented May 10, 2019

I share the concerns raised by others, and I am especially concerned that this will be routinely misunderstood as "This process is running in some sort of extra-secure mode" like a jailed process or something.

I'm going to go ahead and close this out since it seems like your alternative approach is likely to happen and this is unlikely to happen. If you think I'm acting too soon, by all means, re-open it. (I'm just taking a break from something else to do some traiging/landing for a few minutes, and this is the thing I'm choosing to close out.)

@Trott Trott closed this May 10, 2019
richardlau added a commit to richardlau/node-1 that referenced this pull request May 10, 2019
The release commit message for security releases have conventionally
started with the phrase `This is a security release.`. Codify this
as part of the release process so that the distribution indexer can
use this to detect and mark releases as security releases.

Fixes: nodejs/Release#437
Refs: nodejs#27612 (comment)
Refs: nodejs/nodejs-dist-indexer#9
@richardlau
Copy link
Member Author

I share the concerns raised by others, and I am especially concerned that this will be routinely misunderstood as "This process is running in some sort of extra-secure mode" like a jailed process or something.

I'm going to go ahead and close this out since it seems like your alternative approach is likely to happen and this is unlikely to happen. If you think I'm acting too soon, by all means, re-open it. (I'm just taking a break from something else to do some traiging/landing for a few minutes, and this is the thing I'm choosing to close out.)

No worries. This PR has served it purpose, which was to try to get nodejs/Release#437 moving to some form of resolution.

I've opened #27643 as a counterpart to nodejs/nodejs-dist-indexer#9.

@richardlau richardlau deleted the release.security branch May 10, 2019 19:22
Trott pushed a commit to Trott/io.js that referenced this pull request May 13, 2019
The release commit message for security releases have conventionally
started with the phrase `This is a security release.`. Codify this
as part of the release process so that the distribution indexer can
use this to detect and mark releases as security releases.

Fixes: nodejs/Release#437
Refs: nodejs#27612 (comment)
Refs: nodejs/nodejs-dist-indexer#9

PR-URL: nodejs#27643
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
targos pushed a commit that referenced this pull request May 14, 2019
The release commit message for security releases have conventionally
started with the phrase `This is a security release.`. Codify this
as part of the release process so that the distribution indexer can
use this to detect and mark releases as security releases.

Fixes: nodejs/Release#437
Refs: #27612 (comment)
Refs: nodejs/nodejs-dist-indexer#9

PR-URL: #27643
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Adding a "security" property to dist/index.json
7 participants