| 1 |
Here are some day to day duties that will be need to get done.This |
| 2 |
isn't exhaustive just the results of a few minutes of brainstorming: |
| 3 |
|
| 4 |
* Stalking the places vulnerabilities are announced (CVE, mailing |
| 5 |
lists, etc) to create the relevant bug. |
| 6 |
* Determine which upstream (kernel.org) version has the fix and make |
| 7 |
the whiteboard entry in bugzilla. |
| 8 |
* Determine which sources are affected |
| 9 |
* Nag kernel maintainers to patch their sources |
| 10 |
* Find patches and discussion to link to the kernel maintainers to |
| 11 |
ease their patching (and ideally encourage them to patch faster) |
| 12 |
* As sources are patched update the whiteboard |
| 13 |
* Release glsas of unaffected packages (?) |
| 14 |
|
| 15 |
Some framework and specification needs to be laid, but that is a |
| 16 |
general outline of the process I think. None of those duties require |
| 17 |
programming experience at all. Of course crafting patches to send to |
| 18 |
the kernel maintainers would be another helpful thing to do. Ideally |
| 19 |
this would be made pretty simple with some nifty tools, however |
| 20 |
manpower is going to be required regardless. |
| 21 |
|
| 22 |
There are still the glaring issues of (1) the best way to notify users |
| 23 |
of vulnerabilities, and (2) how to enforce rapid-ish response by |
| 24 |
kernel maintainers. I think the best way to approach (2) is to be |
| 25 |
amicable towards the maintainers. Point them in the right direction, |
| 26 |
send them patches, etc., rather than spamming "OMG! Patch |
| 27 |
foo-sources!" every day. Maybe we could give them candy or something. |
| 28 |
|
| 29 |
Casey |
| 30 |
|
| 31 |
|
| 32 |
On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@×××××.com> wrote: |
| 33 |
> Yes. We should each have assigned tasks which will depend on our |
| 34 |
> respective skill and trait. |
| 35 |
> |
| 36 |
> -- ed*eonsec |
| 37 |
> |
| 38 |
> |
| 39 |
> |
| 40 |
> On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@×××××.com> wrote: |
| 41 |
> > George Prowse wrote: |
| 42 |
> > > Eduardo Tongson wrote: |
| 43 |
> > >> Nice plan. I think you are more able to lead. Can we communicate more |
| 44 |
> > >> in email perhaps a google group or list. IRC is not efficient for |
| 45 |
> > >> people in different timezones. |
| 46 |
> > >> |
| 47 |
> > >> -- ed*eonsec |
| 48 |
> > >> |
| 49 |
> > > I agree, a list or group would be better at pooling the people at your |
| 50 |
> > > disposal |
| 51 |
> > |
| 52 |
> > I also think it would be a good idea to set up some requirements profile |
| 53 |
> > so people can identify them self in some kind of matrix ? |
| 54 |
> > |
| 55 |
> > I basically volunteer but not sure what use I could be with a background |
| 56 |
> > as an ISO, limited time and basic C knowledge. |
| 57 |
> > |
| 58 |
> > --doppelgaenger |
| 59 |
> > |
| 60 |
> > |
| 61 |
> > -- |
| 62 |
> > gentoo-security@l.g.o mailing list |
| 63 |
> > |
| 64 |
> > |
| 65 |
> -- |
| 66 |
> gentoo-security@l.g.o mailing list |
| 67 |
> |
| 68 |
> |
| 69 |
-- |
| 70 |
gentoo-security@l.g.o mailing list |
Archives