List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
Subject: Re: Kernel Security + KISS
Date: Sun, 24 Feb 2008 14:43:38 +0100
On Friday 22 February 2008 04:55:17 Casey Link wrote:
> Here are some day to day duties that will need to get done. This
> isn't exhaustive, just the results of a few minutes of brainstorming:
>
> * Stalking the places vulnerabilities are announced (CVE, mailing
> lists, etc) to create the relevant bug.
The Security team is more or less already doing this. We could quite easily 
start filing kernel stuff again.

> * Determine which upstream (kernel.org) version has the fix and make
> the whiteboard entry in bugzilla.
> * Determine which sources are affected
> * Nag kernel maintainers to patch their sources
> * Find patches and discussion to link to the kernel maintainers to
> ease their patching (and ideally encourage them to patch faster)
> * As sources are patched update the whiteboard
> * Release glsas of unaffected packages (?)
The GLSA format/DTD per se was deemed unfit for kernel sources. I guess you 
could add what is needed to the Resolution section though.

>
> Some framework and specification needs to be laid, but that is a
> general outline of the process I think. None of those duties require
> programming experience at all. Of course crafting patches to send to
> the kernel maintainers would be another helpful thing to do. Ideally
> this would be made pretty simple with some nifty tools, however
> manpower is going to be required regardless.
>
> There are still the glaring issues of (1) the best way to notify users
> of vulnerabilities, and (2) how to enforce rapid-ish response by
> kernel maintainers. I think the best way to approach (2) is to be
> amicable towards the maintainers. Point them in the right direction,
> send them patches, etc., rather than spamming "OMG! Patch
> foo-sources!" every day. Maybe we could give them candy or something.
I think we should try to get all security supported kernel maintainers to 
abide by some timetable laid down in a coming kernel security policy. If 
kernel maintainers don't want to do that I guess their sources should go back 
to unstable. Before anything is final kernel maintainers and council should 
be consulted.

-- 
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team

>
> Casey
>
> On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@...> wrote:
> > Yes. We should each have assigned tasks which will depend on our
> >  respective skill and trait.
> >
> >   --  ed*eonsec
> >
> >  On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@...> wrote:
> >  > George Prowse wrote:
> >  >  > Eduardo Tongson wrote:
> >  >  >> Nice plan. I think you are more able to lead. Can we communicate
> >  >  >> more in email perhaps a google group or list. IRC is not efficient
> >  >  >> for people in different timezones.
> >  >  >>
> >  >  >>   --  ed*eonsec
> >  >  >
> >  >  > I agree, a list or group would be better at pooling the people at
> >  >  > your disposal
> >  >
> >  >  I also think it would be a good idea to set up some requirements
> >  > profile so people can identify themselves in some kind of matrix?
> >  >
> >  >  I basically volunteer but not sure what use I could be with a
> >  > background as an ISO, limited time and basic C knowledge.
> >  >
> >  >  --doppelgaenger
> >  >
> >  >
> >  > --
> >  >  gentoo-security@g.o mailing list
> >
> >  --
> >  gentoo-security@g.o mailing list
-- 
gentoo-security@g.o mailing list




Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
