Gentoo Archives: gentoo-security

From: Eduardo Tongson <propolice@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Thu, 21 Feb 2008 13:53:40
Message-Id: b18fbe3c0802210552y36ddf585w14d53b5c6bc21362@mail.gmail.com
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Casey Link
Nice plan. I think you are more able to lead. Can we communicate more
in email perhaps a google group or list. IRC is not efficient for
people in different timezones.

  --  ed*eonsec

On Thu, Feb 21, 2008 at 9:35 PM, Casey Link <unnamedrambler@×××××.com> wrote:
> A couple days ago I discussed (in #gentoo-security) with Robert > (rbu@g.o) a solution > to the Kernel security issue. Robert has a good plan to keep the > bugzilla data in bugzilla, that is, don't take away the essentials > from bugzilla. And that is by implementing a tagging system for each > bug. In the whiteboard field for each bug could go something like so > (this is taken from our IRC convo): > [linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2] > Which would translate as kernel.org upstream released 2.6.22 with a > fix, genpatches released 2.6.20-3 with a fix, and xen-sources released > 2.6.18-r2 with the patch applied. > > A tool could then be written to parse the bugzilla entries and > generate reports. Then when all the sources have been patched a GLSA > can be released. > I like this idea because all the data stays in bugzilla, so you can go > to bugzilla and get all the information you need about each bug. > > I don't see why this tool cannot be available for users to.. in the > same form that KISS was. I came across these screenshots: > http://dev.gentoo.org/~dsd/misc/kiss1.jpg > http://dev.gentoo.org/~dsd/misc/kiss2.jpg > > What if KISS was an external tool like shown in those pictures, but > parsed the bugzilla entries and generated reports like I talked about > above. Robert's whiteboard tagging system is a great one, but the > system needs a way to view the status of all the sources together and > individually similarly to what is show in those screenshots.. and why > not make this a website? A single GLSA could still be released per bug > once all sources had been patched, but KISS could be a place for users > to go (if they feel so inclined) to get an overall and granular status > report of the various sources in portage. > > Perhaps KISS could offer an email notification option. A user could > "subscribe" to several sources and be notified about their security > status. The user could even specify what sort of information he > wanted: vulnerability report, severity levels, patches released, etc. > > Those are just some thoughts I had. I already tossed my hat in but > I've got medium C experience, and I am pretty experienced with hosting > setups, and simple web development (PHP mainly). I would be willing to > work on something like I described above.. bugzilla parsing, a nice > Web display, etc. > > Casey > > > > > On Thu, Feb 21, 2008 at 8:09 AM, Robert Joslyn <rjmars97@×××××.com> wrote: > > I would like to help as well. I have limited C experience unfortunately, > > and most of that is programming PIC microcontrollers. Been using Gentoo for > > years, and would love to give something back. > > > > > > Robert > > > > > > > > > > On Thu, Feb 21, 2008 at 4:34 AM, George Prowse <cokehabit@×××××.com> wrote: > > > Im interested, no C knowledge but plenty of time, passed the dev exam > > > and a willingness to learn. It's been on my agenda for a long time. > > > > > > > > > > > > > > > nick loeve wrote: > > > > I can help also... i have limited free time but am willing to put in > > > > some hours... > > > > > > > > I have medium C knowledge, reasonable kernel experience, and also a > > > > strong linux background > > > > > > > > On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro > > > > <arthur@××××××××××××××.br> wrote: > > > >> I'm interested... little C knowledge, very curious about kernel, strong > > > >> linux background... > > > >> > > > >> is there another prereq to join this? > > > >> > > > >> > > > >> > > > >> On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote: > > > >> > I am interested too :) > > > >> > > > > >> > No C knowledge but strong linux background and very organized guy. > > > >> > > > > >> > On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote: > > > >> > > It would probably help if we knew how many people were interested. > > > >> > > > > > >> > > I am. +1 > > > >> > > > > > >> > > Casey > > > >> > > > > > >> > > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson > > <propolice@×××××.com> wrote: > > > >> > > > Alright how do we proceed to get this team started. > > > >> > > > > > > >> > > > ed*eonsec > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> > > wrote: > > > >> > > > > > > > >> > > > > > > > >> > > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg > > wrote: > > > >> > > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote: > > > >> > > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote: > > > >> > > > > > > > What specific kernel knowledge is needed to get a > > Kernel advisory up > > > >> > > > > > > > and running ? > > > >> > > > > > > > > > >> > > > > > > Between becoming aware of a vulnerability in Linux and > > drafting an advisory > > > >> > > > > > > for one or all kernel sources comes the part where you > > review which > > > >> > > > > > > versions of which kernel sources are affected and > > unaffected. You also > > > >> > > > > > > need to pay attention to specifics of the added > > patchsets, which might > > > >> > > > > > > duplicate vulnerabilities. > > > >> > > > > > > > > > >> > > > > > > Parts of the job can indeed be done without Kernel and C > > knowledge, but > > > >> > > > > > > some cannot. So if we draft a new kernel security > > *team*, people without C > > > >> > > > > > > and kernel knowledge are helpful -- some others need to > > have it, though. > > > >> > > > > > > > > > >> > > > > > > Robert > > > >> > > > > > > > > >> > > > > > To be honest, 99% of what is done in the kernel security > > team can be done with > > > >> > > > > > no C knowledge at all. > > > >> > > > > > > > > >> > > > > > I'm not an expert C person - far from it - but I > > eventually became the head of > > > >> > > > > > Kernel Security until I retired a few months ago. > > > >> > > > > > > > > >> > > > > > Most of it is bug handling. The major problem is a > > social, not a technical > > > >> > > > > > one. Because of the manner in which our kernels are > > organized, a single > > > >> > > > > > vulnerability involves checking upstream version numbers, > > coordinating them > > > >> > > > > > into our downstream version numbers for all sources, > > checking to see if the > > > >> > > > > > sources are effected, figuring out who to CC for the bugs, > > then harassing > > > >> > > > > > them until they do it. > > > >> > > > > > > > > >> > > > > > Unlike other security sources, any attempt to hardmask the > > package is shutdown > > > >> > > > > > instantly. The chaos that would result from a kernel > > hardmask, even one of > > > >> > > > > > the lesser used ones, caused me to only successfully order > > one over my entire > > > >> > > > > > career in Gentoo Kernsec... even though more around 30 > > would have been > > > >> > > > > > needed. It is not infrequently that bugs will last six > > months without any > > > >> > > > > > action coming about them, and users are blissfully > > unaware. > > > >> > > > > > > > > >> > > > > > I am happy to give my input as the former head of Kernel > > Security, but it is > > > >> > > > > > my personal opinion that any advances in kernel security > > will require the > > > >> > > > > > full cooperation of security, and letting the head of > > kernel security be able > > > >> > > > > > to actually enforce threats, as that seems to be the only > > way bugs ever get > > > >> > > > > > resolved. Pleading didn't work - I tried. > > > >> > > > > > > > > >> > > > > > -Harlan Lieberman-Berg > > > >> > > > > > Gentoo Developer Emeritus > > > >> > > > > > > > >> > > > > > > > >> > > > > Every word of what you said is painfully true. The only way > > to > > > >> > > > > accomplish this would be with an Iron Fist(fail) or a team > > of ~15 guys > > > >> > > > > who do nothing but patch and push new kernels and the PR > > that goes along > > > >> > > > > with them every few days. > > > >> > > > > -- > > > >> > > > > Ned Ludd <solar@g.o> > > > >> > > > > > > > >> > > > > > > > >> > > > > > > > >> > > > > -- > > > >> > > > > gentoo-security@l.g.o mailing list > > > >> > > > > > > > >> > > > > > > > >> > > > -- > > > >> > > > gentoo-security@l.g.o mailing list > > > >> > > > > > > >> > > > > > > >> > > > > >> > -- > > > >> > gentoo-security@l.g.o mailing list > > > >> > > > >> -- > > > >> Arthur Bispo de Castro > > > >> Laboratório de Administração e Segurança (LAS/IC) > > > >> Universidade Estadual de Campinas (UNICAMP) > > > >> -- > > > >> > > > >> > > > >> gentoo-security@l.g.o mailing list > > > >> > > > >> > > > > > > > > > > > > > > > > > > -- > > > gentoo-security@l.g.o mailing list > > > > > > > > > > > -- > > > gentoo-security@l.g.o mailing list > >

Replies

Subject Author
Re: [gentoo-security] Kernel Security + KISS George Prowse <cokehabit@×××××.com>