Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: "Robert Joslyn" <rjmars97@...>
Subject: Re: Kernel Security + KISS
Date: Thu, 21 Feb 2008 08:09:54 -0500
I would like to help as well.&nbsp; I have limited C experience unfortunately, and most of that is programming PIC microcontrollers.&nbsp; Been using Gentoo for years, and would love to give something back.<br><br><br>Robert<br><br>
<br><div class="gmail_quote">On Thu, Feb 21, 2008 at 4:34 AM, George Prowse &lt;<a href="mailto:cokehabit@...">cokehabit@...</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Im interested, no C knowledge but plenty of time, passed the dev exam<br>
and a willingness to learn. It&#39;s been on my agenda for a long time.<br>
<div><div></div><div class="Wj3C7c"><br>
nick loeve wrote:<br>
&gt; I can help also... i have limited free time but am willing to put in<br>
&gt; some hours...<br>
&gt;<br>
&gt; I have medium C knowledge, reasonable kernel experience, and also a<br>
&gt; strong linux background<br>
&gt;<br>
&gt; On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro<br>
&gt; &lt;<a href="mailto:arthur@...">arthur@...</a>&gt; wrote:<br>
&gt;&gt; I&#39;m interested... little C knowledge, very curious about kernel, strong<br>
&gt;&gt; &nbsp;linux background...<br>
&gt;&gt;<br>
&gt;&gt; &nbsp;is there another prereq to join this?<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; &nbsp;On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:<br>
&gt;&gt; &nbsp;&gt; I am interested too :)<br>
&gt;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; No C knowledge but strong linux background and very organized guy.<br>
&gt;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:<br>
&gt;&gt; &nbsp;&gt; &gt; It would probably help if we knew how many people were interested.<br>
&gt;&gt; &nbsp;&gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; I am. +1<br>
&gt;&gt; &nbsp;&gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; Casey<br>
&gt;&gt; &nbsp;&gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson &lt;<a href="mailto:propolice@...">propolice@...</a>&gt; wrote:<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; Alright how do we proceed to get this team started.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp; ed*eonsec<br>
&gt;&gt; &nbsp;&gt; &gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd &lt;<a href="mailto:solar@g.o">solar@g.o</a>&gt; wrote:<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; On Sunday, 17. February 2008, Eduardo Tongson wrote:<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; &gt; What specific kernel knowledge is needed to get a Kernel advisory up<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; &gt; and running ?<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; Between becoming aware of a vulnerability in Linux and drafting an advisory<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; for one or all kernel sources comes the part where you review which<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; versions of which kernel sources are affected and unaffected. You also<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; need to pay attention to specifics of the added patchsets, which might<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; duplicate vulnerabilities.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; Parts of the job can indeed be done without Kernel and C knowledge, but<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; some cannot. So if we draft a new kernel security *team*, people without C<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; and kernel knowledge are helpful -- some others need to have it, though.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; &gt; Robert<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; To be honest, 99% of what is done in the kernel security team can be done with<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; no C knowledge at all.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; I&#39;m not an expert C person - far from it - but I eventually became the head of<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; Kernel Security until I retired a few months ago.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; Most of it is bug handling. &nbsp;The major problem is a social, not a technical<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; one. &nbsp;Because of the manner in which our kernels are organized, a single<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; vulnerability involves checking upstream version numbers, coordinating them<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; into our downstream version numbers for all sources, checking to see if the<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; sources are effected, figuring out who to CC for the bugs, then harassing<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; them until they do it.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; Unlike other security sources, any attempt to hardmask the package is shutdown<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; instantly. &nbsp;The chaos that would result from a kernel hardmask, even one of<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; the lesser used ones, caused me to only successfully order one over my entire<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; career in Gentoo Kernsec... even though more around 30 would have been<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; needed. &nbsp;It is not infrequently that bugs will last six months without any<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; action coming about them, and users are blissfully unaware.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; I am happy to give my input as the former head of Kernel Security, but it is<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; my personal opinion that any advances in kernel security will require the<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; full cooperation of security, and letting the head of kernel security be able<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; to actually enforce threats, as that seems to be the only way bugs ever get<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; resolved. &nbsp;Pleading didn&#39;t work - I tried.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; -Harlan Lieberman-Berg<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;&gt; Gentoo Developer Emeritus<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;Every word of what you said is painfully true. The only way to<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;accomplish this would be with an Iron Fist(fail) or a team of ~15 guys<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;who do nothing but patch and push new kernels and the PR that goes along<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;with them every few days.<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;--<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;Ned Ludd &lt;<a href="mailto:solar@g.o">solar@g.o</a>&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;--<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt; &nbsp;<a href="mailto:gentoo-security@g.o">gentoo-security@g.o</a> mailing list<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;--<br>
&gt;&gt; &nbsp;&gt; &gt; &gt; &nbsp;<a href="mailto:gentoo-security@g.o">gentoo-security@g.o</a> mailing list<br>
&gt;&gt; &nbsp;&gt; &gt; &gt;<br>
&gt;&gt; &nbsp;&gt; &gt; &gt;<br>
&gt;&gt; &nbsp;&gt;<br>
&gt;&gt; &nbsp;&gt; --<br>
&gt;&gt; &nbsp;&gt; <a href="mailto:gentoo-security@g.o">gentoo-security@g.o</a> mailing list<br>
&gt;&gt;<br>
&gt;&gt; &nbsp;--<br>
&gt;&gt; &nbsp;Arthur Bispo de Castro<br>
&gt;&gt; &nbsp;Laboratório de Administração e Segurança (LAS/IC)<br>
&gt;&gt; &nbsp;Universidade Estadual de Campinas (UNICAMP)<br>
&gt;&gt; &nbsp;--<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; <a href="mailto:gentoo-security@g.o">gentoo-security@g.o</a> mailing list<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
<br>
--<br>
<a href="mailto:gentoo-security@g.o">gentoo-security@g.o</a> mailing list<br>
<br>
</div></div></blockquote></div><br>
Replies:
Re: Kernel Security + KISS
-- Casey Link
References:
Kernel Security + KISS
-- Casey Link
Re: Kernel Security + KISS
-- Robert Buchholz
Re: Kernel Security + KISS
-- Harlan Lieberman-Berg
Re: Kernel Security + KISS
-- Ned Ludd
Re: Kernel Security + KISS
-- Eduardo Tongson
Re: Kernel Security + KISS
-- Casey Link
Re: Kernel Security + KISS
-- Juan Pablo Olivera
Re: Kernel Security + KISS
-- Arthur Bispo de Castro
Re: Kernel Security + KISS
-- nick loeve
Re: Kernel Security + KISS
-- George Prowse
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Kernel Security + KISS
Next by thread:
Re: Kernel Security + KISS
Previous by date:
Re: Kernel Security + KISS
Next by date:
Re: Kernel Security + KISS


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.