Would you consider a new informational advisory class, "distributes-executable"?

[mulkieran]

The category would be something like "distributes-executable". This came up for me recently because of the issue here: serde-rs/serde#2538, which caused me difficulty in packaging. The particular difficulty here was that our project distributes a vendor tarfile upstream. Then, downstream, the tarfile is used by the packaging system. It would have been helpful to be forewarned about what was going to turn out to be a packaging problem downstream. As it was, the remediation had to occur in the downstream packaging, (or there would have to be a new upstream release).

[alex]

This seems to go beyond the scope of what's appropriate for a security advisory DB IMO.

…

On Thu, Aug 3, 2023 at 11:41 AM mulkieran ***@***.***> wrote: The category would be something like "distributes-executable". This came up for me recently because of the issue here: serde-rs/serde#2538 <serde-rs/serde#2538>, which caused me difficulty in packaging. The particular difficulty here was that our project distributes a vendor tarfile upstream. Then, downstream, the tarfile is used by the packaging system. It would have been helpful to be forewarned about what was going to turn out to be a packaging problem downstream. As it was, the remediation had to occur in the downstream packaging, (or there would have to be a new upstream release). — Reply to this email directly, view it on GitHub <#1737>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBG6JXFEABFJKUQJXMDXTPBDLANCNFSM6AAAAAA3C7BIP4> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[tarcieri]

For examples of additional categories we might consider adding, you can look at the CWE database: https://cwe.mitre.org/

[mulkieran]

This seems to go beyond the scope of what's appropriate for a security advisory DB IMO.

advisory-db has a category "unmaintained", which I think goes even further beyond security than my proposed category. I think its mission has already crept, witness the "unmaintained" category, and it might be reasonable for it to creep in this direction, also.

[tarcieri]

unmaintained isn't a "category", it's a class of informational advisory, which is a non-security advisory

[mulkieran]

unmaintained isn't a "category", it's a class of informational advisory, which is a non-security advisory

Thanks! I've updated the title appropriately.

[tarcieri]

The existing informational = "notice" class may be more appropriate for this use case

[mulkieran]

Ok! I've given that a try.

[jirutka]

This seems to go beyond the scope of what's appropriate for a security advisory DB IMO.

I disagree; downloading some binary code from the internet and running it during build without the user’s knowledge and consent is a serious security issue that opens the door to various attacks.

[jhpratt]

I've strongly disagree with the decision to close this. Distributing an executable that is run without the user knowing is inherently a security vulnerability. Doubly so when the executable cannot be reproduced, as is the case with serde.

[Shnatsel]

This is being actively discussed on the PR adding the actual advisory: #1738

Reopening since there is actually work being done on an instance of this, which may set a precedent.