Differences

This shows you the differences between two versions of the page.

zh:docs:guide-developer:security [2021/04/17 19:43] guyezi
zh:docs:guide-developer:security [2021/11/18 00:26] – Sync translation with the official content update guyezi
Line 1: Line 1:
- 
 ====== 安全 ====== ====== 安全 ======
 +有关以往页面,请参阅以前的 [[:docs/guide-developer/security/old|安全]]页面.
  
-点击 [[:docs/guide-developer/security/old|这里]]访问旧版信息。+此页面列出了 OpenWrt 用于确保 OpenWrt 安全的流程, 工具和机制. 
 +这包括了 OpenWrt 发行版以及托管在 https://github.com/openwrt/ 的官方插件包源以及托管在 https://git.openwrt.org/ 的 OpenWrt 专用工具,如 procd, ubus 和 libubox
  
-本页面罗列了用于确保OpenWrt安全性的流程、工具及机制。 +===== 漏洞报告 ===== 
-涵盖了由https://github.com/openwrt/所承载的官方软件包源及https://git.openwrt.org/承载的procd、ubus和libubox。+安全漏洞应保密报告至 [[contact@openwrt.org]], 详见[[:bugs#reporting_security_bugs|报告安全漏洞]].
  
-===== Vulnerability Reporting ===== +===== 安全建议 ===== 
- +==== 2021 年安全建议 ==== 
-Security bugs should be reported in confidentiality to [[contact@openwrt.org]], see [[:bugs#reporting_security_bugs|Reporting security bugs]] for details. +<nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2021-/">
- +
-===== Security advisories ===== +
- +
-==== Security advisories 2020 ====+
  
 +==== 2020 年安全建议 ====
 <nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2020-/"> <nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2020-/">
-==== Security advisories 2019 ==== 
  
 +==== 2019 年安全公告 ====
 <nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2019-/"> <nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2019-/">
  
-===== Support status =====+===== 支持状态 ===== 
 +这列出了当前支持或不支持的 OpenWrt 版本.
  
-This lists the currently support or not supported OpenWrt versions.+^ 版本 ^ 当前状态 ^ 预计停止时间 ^ 
 +| 21.02 | 完全支持| | 
 +| 19.07 | 安全维护 | 2022 年 3 月 | 
 +| 18.06 | 终结维护 | 2020 年 12 月 | 
 +| 17.01 | 终结维护 | 停止 | 
 +| 15.05 | 终结维护 | 停止 |
  
-^ Version ^ Current status ^ Projected EOL ^ +预计的停止可以在以后延长, 具体取决于未来的情况, 例如下一个版本的发布日期.
-| 19.07 | Fully supported | August 2021 | +
-| 18.06 | End of life | December 2020 | +
-| 17.01 | End of life | EOL | +
-| 15.05 | End of life | EOL |+
  
-The Version references the most recent stable version from this release branch.+版本引用了此发布分支中的最新稳定版本.
  
-  * Fully supported means that the OpenWrt team provides updates for the core packages fixing security and other problems we are aware of+  * 完全支持意味着 OpenWrt 团队为修复安全性和我们知道的其他问题的核心包提供更新
-  * Security maintenance means that the OpenWrt team fixes only security problems in this release but no bugs any more+  * 安全维护意味着 OpenWrt 团队仅修复此版本中的安全问题,不再修复任何错误
-  * End of life means that we will *notprovide any updates also for severe security problemPlease update to more recent versions.+  * 终结维护意味着我们将 *不再为严重的安全问题提供任何更新请更新到最新版本.
  
-The Projected EOL can be extended later, depending on the future situation, like the release date of the next release.+OpenWrt 主要版本在最初发布后将进入完全支持状态. 
 +当下一个 OpenWrt 主要版本发布时. 旧版本将进入安全维护模式.  
 +OpenWrt 主要版本将在初始版本发布后 1 年或下一个主要版本发布后 6 个月终止. 将使用较晚的日期.我们计划在支持周期结束时进行最终的次要版本.
  
-This only covers the core OpenWrt packages and not the external package feeds hosted on github. Some feed package maintainer do not take care of all OpenWrt versions where the the core components are still supportedFor the best security support we suggest everyone to upgrade to the most recent stable version.+这仅包含核心 OpenWrt 包而不涵盖 github 上托管的外部包源. 
 +一些提要包维护者并不关心仍然支持核心组件的所有 OpenWrt 版本. 
 +为了获得最佳的安全支持, 我们建议大家升级到最新的稳定版本.
  
-===== Identifying problems ===== +===== 识别问题 ===== 
- +OpenWrt 项目使用多种工具来识别潜在的安全问题
-The OpenWrt project uses multiple tools to identify potential security problems+这些信息通常可供所有人使用, 我们感谢这些工具对每个人报告的问题的修复.
-The information are normally available for everyone and we appreciate fixes for problems reported by these tools form everyone.+
  
 ==== uscan ==== ==== uscan ====
 +该[[https://sdwalker.github.io/uscan/index.html|uscan报告]]显示, 从基础和包库所有软件包的版本号, 并确定它的上游近期发布的版本.
 +此外,生成此页面的工具还会根据许多包的 PKG_CPE_ID 变量中列出的通用平台枚举 (CPE) 检查分配给包的现有 CVEs. 
 +该页面每周为 master 和活跃分支更新.
  
-This report shows the version number of all packages from the base and the package repository and compares it against the recent upstream released versions. +==== 覆盖扫描 ==== 
-In addition the tool which generates this page also checks for existing CVEs assigned to the packages based on the Common Platform Enumeration (CPE) which is listed in the PKG_CPE_ID  variable of many packages. +OpenWrt 使用商业 [[https://scan.coverity.com/projects/openwrt|Coverity Scan]] 工具可免费用于开源项目对 OpenWrt 组件进行静态代码分析. 
-This page is weekly regenerated for master and the active release branches. +这每周扫描一个 OpenWrt 构建, 并报告在 OpenWrt 项目中开发的组件(如 procd 和 ubus)中发现的问题, 但未在(patched)的第三方组件上报告.
-[[https://sdwalker.github.io/uscan/index.html]]+
  
-==== Coverity Scan ====+===== 可复制构建 ===== 
 +[[https://reproducible.debian.net/openwrt/openwrt.html|可复制的构建项目]]检查OpenWrt master 仍然是可重现的. 
 +这证明生成的版本确实与交付的源代码匹配并且在构建过程中没有引入后门.
  
-OpenWrt uses the commercial Coverity Scan tool which is available for free to open source projects to do static code analyses on the OpenWrt components.  +===== 交付给用户 ===== 
-This scans one OpenWrt build per week and reports the problems found in the components developed in the OpenWrt project  like procd and ubus, but not on (patched) third party components. +OpenWrt 运行多个构建[[:infrastructure#Buildbot|build bot 实例]], 它们正在构建 ''master'' 和支持的发布分支的快照.
-[[https://scan.coverity.com/projects/openwrt]]+
  
-===== Reproducible Builds =====+当对包的更改提交到包源的 OpenWrt 基础存储库时, build bots 会自动检测此更改并将重建此包. 
 +然后,新构建的包可以使用 opkg 安装或由 OpenWrt 用户与图像生成器集成. 
 +这使我们能够在大约 2 天内向最终用户发送更新.
  
-OpenWrt releases should be reproducible to make it possible to check that the releases we produced are really matching the source code we delivered and no backdoors were introduced in the build process+内核通常位于其自己的分区中, 因此升级并不容易
-The reproducible builds project checks that OpenWrt master is still reproducible and publishes the results here: +这种机制目前不适用于内核本身和内核模块, 需要一个新的次要版本来向最终用户发送修复程序.
-[[https://reproducible.debian.net/openwrt/openwrt.html]]+
  
-===== deliver to users =====+===== 强化build选项 ===== 
 +OpenWrt在编译时为所有包build激活[[https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=config/Config-build.in|build 配置]]中的一些builds强化选项. 
 +请注意个别插件包可能 和/或 targets 会忽略或不遵守这些设置.
  
-OpenWrt operates multiple build bot instances which are building snapshots of the master and the supported release branches. See [[:infrastructure#Buildbot]] for details. +^ .config line ^ 默认启用 ^ Notes ^
- +
-When a change to a package is committed to the OpenWrt base repository of package feed the build bots are automatically detection this change and will rebuild this package. The new newly build package can then be installed with opkg or be integrated with the image builder by users of OpenWrt. This allows us to ship updates in about 2 days to the end users. +
- +
-The kernel is normally located in its own partition and upgrades are not so easily possible. Therefore this mechanism currently does not work for the kernel itself and kernel modules, there a new minor release is needed to ship fixes to end users. +
- +
-===== Hardening build options ===== +
-OpenWrt activates some build hardening options at compile time for all packages build. +
- +
-Source: [[https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=config/Config-build.in|config/Config-build.in]]. Note that individual packages and/or targets may ignore or otherwise not respect these settings. +
- +
-^ .config line ^ Enabled by Default? ^ Notes ^+
 | ''CONFIG_PKG_CHECK_FORMAT_SECURITY=y'' | Yes | ''-Wformat -Werror=format-security'' | | ''CONFIG_PKG_CHECK_FORMAT_SECURITY=y'' | Yes | ''-Wformat -Werror=format-security'' |
 | ''CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y'' | Yes | ''-fstack-protector'' | | ''CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y'' | Yes | ''-fstack-protector'' |
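Review bot: the end-of-life bullet under 支持状态 carries over only one half of the English original's ''*not*'' emphasis, so the translated line reads "我们将 *不再为严重的安全问题提供任何更新请更新到最新版本." with a stray literal asterisk and no break before the final sentence; drop the asterisk (or close the emphasis) and put a full stop before "请更新到最新版本". Two smaller points in the same hunk: in the hardening-options paragraph, "请注意个别插件包可能 和/或 targets 会忽略或不遵守这些设置" has the verb separated from its second subject (the source is "individual packages and/or targets may ignore"), so it should read "请注意个别插件包 和/或 targets 可能会忽略或不遵守这些设置"; and the ''.config line'' table header keeps the English "Notes" while the neighbouring headers were translated. In the support table the new 21.02 row leaves the 预计停止时间 cell blank where every other row carries a date or "停止", which is worth confirming as intended rather than a missing value.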
Line 83: Line 81:
 | ''CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y'' | Yes | Kernel config CONFIG_STACKPROTECTOR | | ''CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y'' | Yes | Kernel config CONFIG_STACKPROTECTOR |
 | ''CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y'' | | Kernel config CONFIG_STACKPROTECTOR_STRONG | | ''CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y'' | | Kernel config CONFIG_STACKPROTECTOR_STRONG |
-| ''CONFIG_PKG_FORTIFY_SOURCE_1=y'' | Yes | ''-D_FORTIFY_SOURCE=1'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc) | +| ''CONFIG_PKG_FORTIFY_SOURCE_1=y'' | Yes | ''-D_FORTIFY_SOURCE=1'' (对 musl libc使用 [[https://git.2f30.org/fortify-headers/|fortify-headers]]) | 
-| ''CONFIG_PKG_FORTIFY_SOURCE_2=y'' | | ''-D_FORTIFY_SOURCE=2'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc) |+| ''CONFIG_PKG_FORTIFY_SOURCE_2=y'' | | ''-D_FORTIFY_SOURCE=2'' (对 musl libc使用 [[https://git.2f30.org/fortify-headers/|fortify-headers]]) |
 | ''CONFIG_PKG_RELRO_FULL=y'' | Yes | ''-Wl,-z,now -Wl,-z,relro'' | | ''CONFIG_PKG_RELRO_FULL=y'' | Yes | ''-Wl,-z,now -Wl,-z,relro'' |
-| ''CONFIG_PKG_ASLR_PIE=y'' | | ''-PIE''  (some own spec file)|+| ''CONFIG_PKG_ASLR_PIE=y'' | | ''-PIE'' (一些自己的文件规范) | 
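Review bot: the ''CONFIG_PKG_ASLR_PIE'' row renders the original note "(some own spec file)" as "(一些自己的文件规范)", which turns a compiler spec file into a "file specification"; the English parenthetical means that the PIE flags come from a separate compiler spec file rather than from the plain ''-PIE'' option shown, so "(使用自己的 spec 文件)" or similar keeps that meaning. The two FORTIFY_SOURCE rows and the RELRO row read correctly.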
Last modified: 2023/12/28 18:59 by heybrowhatsup