Differences
| zh:docs:guide-developer:security [2021/04/17 19:43] – guyezi | zh:docs:guide-developer:security [2021/11/18 00:26] – synced the translation with the official updated content guyezi | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | |||
| ====== 安全 ====== | ====== 安全 ====== | ||
| + | 有关以往页面, | ||
| - | 点击 [[:docs/guide-developer/security/old|这里]]访问旧版信息。 | + | 此页面列出了 OpenWrt 用于确保 OpenWrt 安全的流程, |
| + | 这包括了 OpenWrt 发行版以及托管在 https://github.com/openwrt/ 的官方插件包源以及托管在 https:// | ||
| - | 本页面罗列了用于确保OpenWrt安全性的流程、工具及机制。 | + | ===== 漏洞报告 ===== |
| - | 涵盖了由https:// | + | 安全漏洞应保密报告至 [[contact@openwrt.org]], 详见[[:bugs# |
| - | ===== Vulnerability Reporting | + | ===== 安全建议 |
| - | + | ==== 2021 年安全建议 | |
| - | Security bugs should be reported in confidentiality to [[contact@openwrt.org]], | + | <nspages advisory -actualtitle -textPages="" |
| - | + | ||
| - | ===== Security advisories ===== | + | |
| - | + | ||
| - | ==== Security advisories 2020 ==== | + | |
| + | ==== 2020 年安全建议 ==== | ||
| <nspages advisory -actualtitle -textPages="" | <nspages advisory -actualtitle -textPages="" | ||
| - | ==== Security advisories 2019 ==== | ||
| + | ==== 2019 年安全公告 ==== | ||
| <nspages advisory -actualtitle -textPages="" | <nspages advisory -actualtitle -textPages="" | ||
| - | ===== Support status | + | ===== 支持状态 |
| + | 这列出了当前支持或不支持的 OpenWrt 版本. | ||
| - | This lists the currently support or not supported OpenWrt versions. | + | ^ 版本 ^ 当前状态 ^ 预计停止时间 ^ |
| + | | 21.02 | 完全支持| | | ||
| + | | 19.07 | 安全维护 | 2022 年 3 月 | | ||
| + | | 18.06 | 终结维护 | 2020 年 12 月 | | ||
| + | | 17.01 | 终结维护 | 停止 | | ||
| + | | 15.05 | 终结维护 | 停止 | | ||
| - | ^ Version ^ Current status ^ Projected EOL ^ | + | 预计的停止可以在以后延长, |
| - | | 19.07 | Fully supported | August 2021 | | + | |
| - | | 18.06 | End of life | December 2020 | | + | |
| - | | 17.01 | End of life | EOL | | + | |
| - | | 15.05 | End of life | EOL | | + | |
| - | The Version references the most recent stable version from this release branch. | + | 版本引用了此发布分支中的最新稳定版本. |
| - | * Fully supported means that the OpenWrt | + | * 完全支持意味着 |
| - | * Security maintenance means that the OpenWrt | + | * 安全维护意味着 |
| - | * End of life means that we will *not* provide any updates also for severe security problem. Please update to more recent versions. | + | * 终结维护意味着我们将 |
| - | The Projected EOL can be extended later, depending on the future situation, like the release date of the next release. | + | OpenWrt 主要版本在最初发布后将进入完全支持状态. |
| + | 当下一个 OpenWrt 主要版本发布时. 旧版本将进入安全维护模式. | ||
| + | OpenWrt 主要版本将在初始版本发布后 1 年或下一个主要版本发布后 6 个月终止. 将使用较晚的日期.我们计划在支持周期结束时进行最终的次要版本. | ||
| - | This only covers the core OpenWrt | + | 这仅包含核心 |
| + | 一些提要包维护者并不关心仍然支持核心组件的所有 | ||
| + | 为了获得最佳的安全支持, | ||
| - | ===== Identifying problems | + | ===== 识别问题 |
| - | + | OpenWrt | |
| - | The OpenWrt | + | 这些信息通常可供所有人使用, |
| - | The information are normally available for everyone and we appreciate fixes for problems reported by these tools form everyone. | + | |
| ==== uscan ==== | ==== uscan ==== | ||
| + | 该[[https:// | ||
| + | 此外,生成此页面的工具还会根据许多包的 PKG_CPE_ID 变量中列出的通用平台枚举 (CPE) 检查分配给包的现有 CVEs. | ||
| + | 该页面每周为 master 和活跃分支更新. | ||
| - | This report shows the version number of all packages from the base and the package repository and compares it against the recent upstream released versions. | + | ==== 覆盖扫描 ==== |
| - | In addition the tool which generates this page also checks for existing CVEs assigned to the packages based on the Common Platform Enumeration (CPE) which is listed in the PKG_CPE_ID | + | OpenWrt 使用商业 |
| - | This page is weekly regenerated for master and the active release branches. | + | 这每周扫描一个 OpenWrt 构建, 并报告在 OpenWrt 项目中开发的组件(如 procd 和 ubus)中发现的问题, |
| - | [[https://sdwalker.github.io/uscan/index.html]] | + | |
| - | ==== Coverity Scan ==== | + | ===== 可复制构建 |
| + | [[https:// | ||
| + | 这证明生成的版本确实与交付的源代码匹配并且在构建过程中没有引入后门. | ||
| - | OpenWrt uses the commercial Coverity Scan tool which is available for free to open source projects to do static code analyses on the OpenWrt components. | + | ===== 交付给用户 ===== |
| - | This scans one OpenWrt | + | OpenWrt |
| - | [[https:// | + | |
| - | ===== Reproducible Builds ===== | + | 当对包的更改提交到包源的 OpenWrt 基础存储库时, |
| + | 然后,新构建的包可以使用 opkg 安装或由 OpenWrt 用户与图像生成器集成. | ||
| + | 这使我们能够在大约 2 天内向最终用户发送更新. | ||
| - | OpenWrt releases should be reproducible to make it possible to check that the releases we produced are really matching the source code we delivered and no backdoors were introduced in the build process. | + | 内核通常位于其自己的分区中, |
| - | The reproducible builds project checks that OpenWrt master is still reproducible and publishes the results here: | + | 这种机制目前不适用于内核本身和内核模块, |
| - | [[https:// | + | |
| - | ===== deliver to users ===== | + | ===== 强化build选项 |
| + | OpenWrt在编译时为所有包build激活[[https:// | ||
| + | 请注意个别插件包可能 和/或 targets 会忽略或不遵守这些设置. | ||
| - | OpenWrt operates multiple build bot instances which are building snapshots of the master and the supported release branches. See [[: | + | ^ .config line ^ 默认启用 |
| - | + | ||
| - | When a change to a package is committed to the OpenWrt base repository of package feed the build bots are automatically detection this change and will rebuild this package. The new newly build package can then be installed with opkg or be integrated with the image builder by users of OpenWrt. This allows us to ship updates in about 2 days to the end users. | + | |
| - | + | ||
| - | The kernel is normally located in its own partition and upgrades are not so easily possible. Therefore this mechanism currently does not work for the kernel itself and kernel modules, there a new minor release is needed to ship fixes to end users. | + | |
| - | + | ||
| - | ===== Hardening build options ===== | + | |
| - | OpenWrt activates some build hardening options at compile time for all packages build. | + | |
| - | + | ||
| - | Source: [[https:// | + | |
| - | + | ||
| - | ^ .config line ^ Enabled by Default? | + | |
| | '' | | '' | ||
| | '' | | '' | ||
| Line 83: | Line 81: | ||
| | '' | | '' | ||
| | '' | | '' | ||
| - | | '' | + | | '' |
| - | | '' | + | | '' |
| | '' | | '' | ||
| - | | '' | + | | '' |