saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[DOCS] Onedir Security Support #62820

Open ssoto2 opened 2 years ago

ssoto2 commented 2 years ago

Description In the previous case #62681 and others like it, the new statement from Salt is to install the onedir version of Salt. This is a version of Salt that has a self-contained version of Python and all the Salt components. Yet from a security aspect, it does not explain how it handles the added components (the Salt-provided version of Python) when a security issue occurs.

With the original Salt RPM, the majority of the required packages were provided from EPEL or the core repos, so updates to dependencies like Python were handled by the OS.

Now, per https://docs.saltproject.io/salt/install-guide/en/latest/topics/upgrade.html#onedir, Salt is basically advising all users to move to a onedir installation:

Onedir is Salt’s new packaging system (as of 3005). Onedir stands for “one directory” because the goal is to provide a single directory containing all the executables that Salt needs. It includes the version of Python needed by Salt and its required dependencies. The onedir packages simplify the installation process because they allow you to use Salt out of the box without installing Python or other dependencies first. See What is onedir? for more information.

Beginning with the release of Salt 3005 (Phosphorus), the Salt Project will begin replacing the old packaging system with the Tiamat packaging system. The Salt Project strongly recommends upgrading to onedir to continue receiving Salt version updates. See Upgrade to onedir for more information.

What is Salt's model for handling security vulns found in the dependency packages that Salt is bundling?

Suggested Fix Include documentation around onedir on how dependency updating will occur. For example: if a vuln is in a dependency (e.g. the bundled Python), we will strive to have an update for Salt 1 month after the upstream fix has been provided. Or be clear if you don't offer any assurances as yet. This should be known, as this is a big departure for Salt and users should be aware.


OrangeDog commented 2 years ago

Also, all users are now responsible for patching and updating any additional dependencies that previously would also have been provided by the os - pygit2, MySQLdb, docker-py, etc.

barbaricyawps commented 2 years ago

@Ch3LL , could you take a look at this and provide commentary on the ask? If you send me the info, I can find a way to integrate it into the Salt Install Guide or another doc set. I've opened up a separate issue in the Salt Install Guide to track this task: https://gitlab.com/saltstack/open/docs/salt-install-guide/-/issues/57

Ch3LL commented 2 years ago

Reassigning to @dwoz as he will have a better understanding here.

ssoto2 commented 1 year ago

Is there any update on this? Sorry, I don't mean to be pushy, and I know I am asking this in community support, but IMHO it is hard not to believe that this is a big question for enterprise customers also, as this opened a large security issue and is basically being forced on users for 3005, but there are no bootstrap docs or security docs, and the only way to have a temporary short-term solution is to install a lower version until more clarity is provided by Salt.

mdschmitt commented 1 year ago

Bump?

golpa commented 2 weeks ago

Yearly bump? This is no longer a theoretical problem. When you install Salt you end up with critically vulnerable versions of software, for at least 2 weeks now. A lot of institutions have security plans requiring critical vulnerabilities to be addressed within 2 weeks or less.
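The question this thread raises (who patches Python, pygit2, MySQLdb and the rest once they ship inside the onedir instead of coming from the OS) has a practical corollary: the OS package manager no longer knows those components exist, so they have to be inventoried separately and fed into whatever vulnerability tracking the site already runs. The script below is an added example, not Salt's own tooling and not something posted in this issue. It lists every Python distribution found in the onedir's site-packages, records the bundled interpreter's version, and flags packages that sit below version floors the operator supplies. The default root `/opt/saltstack/salt` is an assumption (override it with `ONEDIR_ROOT`), and the floor values used when exercising `find_below_floor` are constructed placeholders, not advisory data.

```python
"""Inventory the Python packages a Salt onedir install bundles.

Added example, not Salt's own tooling.  Point it at the onedir root with
ONEDIR_ROOT (the default below is an assumption).  The floor check uses
whatever minimum versions the operator supplies; no advisory data is embedded.
"""
import glob
import json
import os
import re
import subprocess
import sys
from importlib import metadata

# Assumed default onedir root; the real location may differ per distro/version.
DEFAULT_ONEDIR_ROOT = "/opt/saltstack/salt"


def site_packages_dirs(root):
    """Every site-packages directory under the onedir root (normally one)."""
    pattern = os.path.join(root, "lib", "python3*", "site-packages")
    return sorted(glob.glob(pattern))


def bundled_python_version(root):
    """Ask the bundled interpreter for its full version, or None if absent."""
    exe = os.path.join(root, "bin", "python3")
    if not os.access(exe, os.X_OK):
        return None
    out = subprocess.run(
        [exe, "-c", "import platform; print(platform.python_version())"],
        capture_output=True, text=True, check=False,
    )
    return out.stdout.strip() or None


def normalise(name):
    """Distribution names compare case-insensitively with '-' and '_' equal."""
    return name.lower().replace("_", "-")


def collect_inventory(search_paths):
    """Map normalised distribution name -> version for every dist on the paths.

    importlib.metadata reads the .dist-info / .egg-info directories, so this
    covers what the package shipped plus anything later added with salt-pip.
    """
    inventory = {}
    for dist in metadata.distributions(path=list(search_paths)):
        name = dist.metadata["Name"]
        if name:
            inventory[normalise(name)] = dist.version
    return inventory


def parse_version(text):
    """'3.10.13' -> (3, 10, 13); a pre-release tag such as 'rc1' is dropped.

    Deliberately not a full PEP 440 parser: enough to test a numeric floor.
    """
    parts = []
    for piece in re.split(r"[.\-]", text):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def below_floor(installed, floor):
    """True when installed < floor after zero-padding to equal length."""
    a, b = parse_version(installed), parse_version(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_below_floor(inventory, floors):
    """[(name, installed, floor)] for each bundled package under its floor.

    `floors` holds the minimum fixed versions the operator tracks from the
    advisories they care about; packages not in the inventory are skipped.
    """
    findings = []
    for name, floor in floors.items():
        installed = inventory.get(normalise(name))
        if installed is not None and below_floor(installed, floor):
            findings.append((normalise(name), installed, floor))
    return sorted(findings)


def main():
    root = os.environ.get("ONEDIR_ROOT", DEFAULT_ONEDIR_ROOT)
    dirs = site_packages_dirs(root)
    if not dirs:
        print(f"no site-packages found under {root}", file=sys.stderr)
        return 1
    report = {
        "onedir_root": root,
        "bundled_python": bundled_python_version(root),
        "packages": collect_inventory(dirs),
    }
    print(json.dumps(report, indent=2, sort_keys=True))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on a host with a onedir install (`ONEDIR_ROOT=/opt/saltstack/salt python3 onedir_inventory.py > salt-onedir-inventory.json`) and keep the JSON alongside the output of `salt --versions-report`, which shows the versions Salt actually loaded; the two should agree. Because the inventory is rebuilt on each run, it also catches anything added later with `salt-pip`, which the OS package database will never record either.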