Gentoo Archives: gentoo-security

From: Casey Link <unnamedrambler@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Fri, 22 Feb 2008 03:56:06
Message-Id: fb3727060802211955j54f27760g1ae36c7510f6ebb1@mail.gmail.com
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Eduardo Tongson
Here are some day to day duties that will be need to get done.This
isn't exhaustive just the results of a few minutes of brainstorming:

* Stalking the places vulnerabilities are announced (CVE, mailing
lists, etc) to create the relevant bug.
* Determine which upstream (kernel.org) version has the fix and make
the whiteboard entry in bugzilla.
* Determine which sources are affected
* Nag kernel maintainers to patch their sources
* Find patches and discussion to link to the kernel maintainers to
ease their patching (and ideally encourage them to patch faster)
* As sources are patched update the whiteboard
* Release glsas of unaffected packages (?)

Some framework and specification needs to be laid, but that is a
general outline of the process I think. None of those duties require
programming experience at all. Of course crafting patches to send to
the kernel maintainers would be another helpful thing to do. Ideally
this would be made pretty simple with some nifty tools, however
manpower is going to be required regardless.

There are still the glaring issues of (1) the best way to notify users
of vulnerabilities, and (2) how to enforce rapid-ish response by
kernel maintainers. I think the best way to approach (2) is to be
amicable towards the maintainers. Point them in the right direction,
send them patches, etc., rather than spamming "OMG! Patch
foo-sources!" every day. Maybe we could give them candy or something.

Casey


On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@×××××.com> wrote:
> Yes. We should each have assigned tasks which will depend on our > respective skill and trait. > > -- ed*eonsec > > > > On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@×××××.com> wrote: > > George Prowse wrote: > > > Eduardo Tongson wrote: > > >> Nice plan. I think you are more able to lead. Can we communicate more > > >> in email perhaps a google group or list. IRC is not efficient for > > >> people in different timezones. > > >> > > >> -- ed*eonsec > > >> > > > I agree, a list or group would be better at pooling the people at your > > > disposal > > > > I also think it would be a good idea to set up some requirements profile > > so people can identify them self in some kind of matrix ? > > > > I basically volunteer but not sure what use I could be with a background > > as an ISO, limited time and basic C knowledge. > > > > --doppelgaenger > > > > > > -- > > gentoo-security@l.g.o mailing list > > > > > -- > gentoo-security@l.g.o mailing list > >
-- gentoo-security@l.g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Kernel Security + KISS Sune Kloppenborg Jeppesen <jaervosz@g.o>
Re: [gentoo-security] Kernel Security + KISS Marc Riemer <mail@×××××××××××.de>