Fedora security response time

By Jake Edge
April 29, 2020

A call for faster Fedora updates in response to security vulnerabilities was recently posted to the Fedora devel mailing list; it urgently advocated changes to the process so that updates, in general, and to the kernel and packages based on web browsers, in particular, are handled more expeditiously. While Fedora developers are sympathetic to that, there is only so much the distribution can do as there are logistical and other hurdles between Fedora and its users. It turns out that, to a great extent, Fedora can already move quickly when it needs to.

In mid-April, Demi M. Obenour posted a message with the subject "Getting security updates out to users sooner". There were several aspects of the current situation that she wanted to see addressed, starting with simply providing updates more quickly:

Currently, security updates can take days to get to users. In particular, Firefox and Thunderbird often take a day or more, even though virtually every single update contains security fixes.

We need to ensure that security updates reach stable within hours of an upstream advisory. [...]

Beyond that, the metadata hashes for the old packages need to be invalidated quickly, throughout the entire update network (i.e. mirrors) "within an hour or less, preferably minutes"; that would mean that the older, vulnerable packages would no longer be installable. In the past, there have been few regressions with security updates, she said, so those should bypass most of the usual QA. For some package types, the kernel and those based on web-browser libraries (e.g. Thunderbird, Chromium, webkit2gtk), all updates should be considered to be security updates, she said, so that they can get to users more quickly.

Adam Williamson, who is part of the Fedora QA team, wondered about the "within hours" timeline. Gerald Henriksen noted that Firefox sometimes says that the problems an update is fixing are already being exploited in the wild.

Whether a security risk on Linux isn't indicated, but users shouldn't have to wonder why the media is telling them Firefox needs an immediate update and it isn't being provided by their distribution.

But in-the-wild Linux-specific web-engine exploits are vanishingly rare, Michael Catanzaro said:

I've yet to see a Linux exploit developed for a web engine vulnerability and deployed against users in the wild. Are you aware of any instance of this happening, ever? Only a very tiny minority of web engine vulnerabilities ever have exploits developed for any platform. The usual workflow is: fuzzer finds HTML that triggers an asan [AddressSanitizer] complaint, the end, you have a CVE. Now, that doesn't mean Linux exploits don't exist (they surely do). And it doesn't mean the vulnerabilities don't need to be fixed (they do). But let's be reasonable here. Most users are not at risk because we take some time to get the update out to users. Not unless a nation state is out to get you....

There are other types of browser vulnerabilities that are more dangerous; "I know this happens with Firefox occasionally, but when it does, I don't think a next-day response is so bad". There is definitely a need to get updates out in a timely manner, he said, but he thinks "a couple weeks" is timely enough in most cases. "At least with WebKit, regressions are not uncommon and a few days of testing is important to ensure quality user experience."

Kernel updates are also not good candidates for blanket "security update fast-track" treatment, Michel Alexandre Salim said. Kernel updates often do introduce regressions, so it is important to distinguish those that address a critical vulnerability from others that can get additional needed testing, he said. While it is not mentioned in the thread, the upstream kernel policy that obscures the security nature of patches, as described in this article and elsewhere, may make that harder than it needs to be. On the flipside, though, Fedora regularly updates from the stable kernel stream, which fixes lots of security problems—often before they are even known to be vulnerabilities.

In any case, Fedora kernel team member Justin Forbes said that there is already a process in place to handle the exceptional kernel update that needs to go out quickly. The process is followed two or three times a year, and it can all complete pretty quickly:

This can all happen within a matter of hours (kernels take 3 hours just to build if everything goes well). Often it means someone in releng [release engineering] is staying up late to help me deal with it, and it is greatly appreciated. But the system is not abused, it only happens on critical updates. A majority of CVEs are *not* critical updates. It is important they are patched for a variety of reasons, but the risk of going a day or 2 without a patch is approaching zero.

Petr Pisar said that even if there were a separate repository where fixes were immediately built, composed, and published, there would still be barriers to getting them into users' hands. The Fedora mirrors use a pull model, so the mirrors poll for updates at some frequency. In order to ensure that users get access immediately, the updates would need to come directly from Fedora servers, which is something that the infrastructure may not be able to handle.

Fedora project leader Matthew Miller pointed out that the subject has come up before. He filed a releng bug six years ago seeking a way to get urgent fixes out to users more quickly. In the years since, it was discussed in the bug and in other forums, put on the wiki, and eventually closed in 2018 because the overall process had gotten much faster in the meantime. Instead of a two-day wait, urgent updates could be ready in two or three hours.

A short vulnerability response time for a distribution is important to try to keep users as secure as possible, but there are obviously limits too. Distributions need to find the right balance and it would seem that Fedora has generally done so. It is also important to review those policies and procedures now and again to ensure that they are still functioning as they should.

Index entries for this article
Security	Distribution security

Fedora security response time

Posted Apr 29, 2020 21:44 UTC (Wed) by smoogen (subscriber, #97) [Link] (1 responses)

One of the problems not covered is that the Fedora mirroring system is a pull system where the downstream mirrors are in control of when they pull and what they pull. There are 4 tier-0 mirrors which we seed 12 tier-1 mirrors at various universities and public orgs like kernel.org. Those 12 feed all the level 2 mirrors. There is no CDN because those cost money in both pushing data into them and pulling data out of them. We have had a couple of offers for CDN data but use it for only limited uses as we found it took more than 24 hours to sync up the amount of data we normally change in a day to the CDN.

Finally Fedora does not push updates to clients. A client may check for updates regularly if they are running the standard desktop, or they may only do so when they can afford the cost on a metered line.

There are ways around this, but they all come with costs in time, release engineering changes, and tooling in client, server and user expectations. Those all need someone to drive the changes over the long term it will take to implement.

Fedora security response time

Posted Apr 30, 2020 6:52 UTC (Thu) by pabs (subscriber, #43278) [Link]

For the CDNs that Debian deals with (Fastly mostly for mirrors), they don't sync the entire mirror, they just dynamically populate their caches as clients fetch individual files. Debian gets gratis services from Fastly and the other external entities we use.

https://www.debian.org/partners/
https://wiki.debian.org/ExternalEntities

Fedora security response time

Posted Apr 29, 2020 22:57 UTC (Wed) by ballombe (subscriber, #9523) [Link] (3 responses)

I note that Debian distribute security updates from a small set of servers separated from mirrors, so one never have to wait for the mirrors to pull.

Fedora security response time

Posted Apr 30, 2020 0:44 UTC (Thu) by Conan_Kudo (subscriber, #103240) [Link]

Push comes to shove, Fedora's tier-0 servers and tier-1 mirrors can serve content as close to immediately as possible. The MirrorManager system will allow total mirror network invalidation and force users to pull from those servers for that content.

However, it is not needed. An argument could be made that we haven't needed it even the couple of times we've used it last year and only needed it once at the beginning of the year before (Spectre/Meltdown was that year...).

Fedora security response time

Posted Apr 30, 2020 6:48 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

Debian has had to place a CDN frontend on that set of servers, as Linux kernel updates were overwhelming them.

Fedora security response time

Posted Apr 30, 2020 12:36 UTC (Thu) by idealista (guest, #121682) [Link]

For that type of services, having a CDN nowadays it's close to a requirement rather than a feature.

Fedora security response time

Posted Apr 30, 2020 1:21 UTC (Thu) by AdamW (subscriber, #48457) [Link]

"Adam Williamson, who is part of the Fedora QA team, wondered about the "within hours" timeline."

Just to clarify this - I was being a bit wilfully gnomic, but my reply was intended to convey that the original mail simply stated "We need to ensure that security updates reach stable within hours of an upstream advisory", but never provided any justification for this assertion. It's not that I necessarily disagree, more a case of "please provide a rationale rather than simply asserting this".

Fedora security response time

Posted Apr 30, 2020 7:04 UTC (Thu) by mst@redhat.com (subscriber, #60682) [Link]

> the metadata hashes for the old packages need to invalidated quickly,
> throughout the entire update network (i.e. mirrors) "within an hour or less, preferably minutes";
> that would mean that the older, vulnerable packages would no longer be installable.
Looks like this will break my attempts to have a system cache and search/install packages quickly from there: any attempts to use cache will run into everything having been invalidated, unless I am prepared to hit network for updates every minute :(.

Fedora security response time

Posted Apr 30, 2020 15:34 UTC (Thu) by mattdm (subscriber, #18) [Link]

For some context on the original release engineering request: at that time, a number of us worked overnight to make sure we had a fix for Heartbleed (remember when that was the kind of security vulnerabilities our systems had? oh to simpler times), and then it turned out that it took another whole day just for that update to churn through the mechanical process, and something went wrong at just the wrong time making it even worse than expected. I'm quite confident that process improvements we've made since then make a repeat of that unlikely.

Fedora security response time

Posted Apr 30, 2020 16:27 UTC (Thu) by highvoltage (subscriber, #57465) [Link] (1 responses)

It's been proven in multiple software projects over the years that rushing out updates lead to regular botched updates. This is an area of work that is indeed important to do fast, but above all to do properly.

Fedora security response time

Posted May 1, 2020 7:31 UTC (Fri) by abo (subscriber, #77288) [Link]

Updates that break things also tend to cause people to disable them, which is a lot worse than a day's delay.

Fedora security response time

Posted Apr 30, 2020 20:23 UTC (Thu) by mcatanzaro (subscriber, #93033) [Link]

> I've yet to see a Linux exploit developed for a web engine vulnerability and deployed against users in the wild. Are you aware of any instance of this happening, ever?

I hope I don't come to regret this comment. :D It will happen eventually, but I haven't seen it yet.

Another consideration is that web engines are heavily sandboxed. We generally class everything more serious than a null pointer dereference as a remote code execution vulnerability, which is about as serious as it gets, but we also assume that you can't really do *too* much harm if you achieve code execution in the untrusted sandboxed process that has very limited filesystem access. Sandbox escapes are discovered on occasion, but they are rare and generally quite clever. Web engine CVEs are a never-ending stream, and as long as they're fixed in a reasonably timely manner, I think Linux distros will be all right.

For an example of not reasonably timely, look at QtWebKit.

Fedora security response time

Posted May 7, 2020 0:05 UTC (Thu) by KaiRo (subscriber, #1987) [Link] (4 responses)

Man, how the world has changed. In 2007, we were proud in the Mozilla project that we could ship security fixes in "10 f--ing days" (there is a story behind that phrase) after becoming aware of them. In 2020, we are talking about bringing security response times from a day or two down to hours in this case...

Fedora security response time

Posted May 7, 2020 0:20 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

Extrapolating... Subsecond response times by 2030?

Fedora security response time

Posted May 7, 2020 0:25 UTC (Thu) by zlynx (guest, #2285) [Link] (2 responses)

Sure, why not?

Machine learning based unit, integration and fuzz testing to find the bugs, and a machine learning / AI process to fix the bugs.

Fedora security response time

Posted May 9, 2020 6:47 UTC (Sat) by ghane (guest, #1805) [Link] (1 responses)

I am not sure why you smart developers insist on doing things the hard way.

Just develop Skynet. The T800 is designed to fix bugs *before* they occur.

:-)

--
Sanjeev

Fedora security response time

Posted May 9, 2020 22:58 UTC (Sat) by zlynx (guest, #2285) [Link]

That makes sense. No developers, no bugs.