Gentoo Archives: gentoo-security

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Sun, 24 Feb 2008 13:46:26
Message-Id: 200802241443.38508.jaervosz@gentoo.org
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Casey Link
On Friday 22 February 2008 04:55:17 Casey Link wrote:
> Here are some day to day duties that will need to get done. This
> isn't exhaustive, just the results of a few minutes of brainstorming:
>
> * Stalking the places vulnerabilities are announced (CVE, mailing
> lists, etc) to create the relevant bug.
The Security team is more or less already doing this. We could quite easily start filing kernel stuff again.
> * Determine which upstream (kernel.org) version has the fix and make
> the whiteboard entry in bugzilla.
> * Determine which sources are affected
> * Nag kernel maintainers to patch their sources
> * Find patches and discussion to link to the kernel maintainers to
> ease their patching (and ideally encourage them to patch faster)
> * As sources are patched update the whiteboard
> * Release glsas of unaffected packages (?)
The GLSA format/DTD per se was deemed unfit for kernel sources. I guess you could add what is needed to the Resolution section though.
>
> Some framework and specification needs to be laid, but that is a
> general outline of the process I think. None of those duties require
> programming experience at all. Of course crafting patches to send to
> the kernel maintainers would be another helpful thing to do. Ideally
> this would be made pretty simple with some nifty tools, however
> manpower is going to be required regardless.
>
> There are still the glaring issues of (1) the best way to notify users
> of vulnerabilities, and (2) how to enforce rapid-ish response by
> kernel maintainers. I think the best way to approach (2) is to be
> amicable towards the maintainers. Point them in the right direction,
> send them patches, etc., rather than spamming "OMG! Patch
> foo-sources!" every day. Maybe we could give them candy or something.
I think we should try to get all security supported kernel maintainers to abide by some timetable laid down in a coming kernel security policy. If kernel maintainers don't want to do that I guess their sources should go back to unstable. Before anything is final kernel maintainers and council should be consulted.

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
>
> Casey
>
> On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@×××××.com> wrote:
> > Yes. We should each have assigned tasks which will depend on our
> > respective skill and trait.
> >
> > -- ed*eonsec
> >
> > On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@×××××.com> wrote:
> > > George Prowse wrote:
> > > > Eduardo Tongson wrote:
> > > > > Nice plan. I think you are more able to lead. Can we communicate
> > > > > more in email perhaps a google group or list. IRC is not efficient
> > > > > for people in different timezones.
> > > > >
> > > > > -- ed*eonsec
> > > >
> > > > I agree, a list or group would be better at pooling the people at
> > > > your disposal
> > >
> > > I also think it would be a good idea to set up some requirements
> > > profile so people can identify themselves in some kind of matrix?
> > >
> > > I basically volunteer but not sure what use I could be with a
> > > background as an ISO, limited time and basic C knowledge.
> > >
> > > --doppelgaenger
> > >
> > > --
> > > gentoo-security@l.g.o mailing list
> >
> > --
> > gentoo-security@l.g.o mailing list
--
gentoo-security@l.g.o mailing list