List Archive: gentoo-security
To: gentoo-security@g.o
From: "Casey Link" <unnamedrambler@...>
Subject: Re: Kernel Security + KISS
Date: Thu, 21 Feb 2008 08:35:39 -0500
A couple days ago I discussed (in #gentoo-security) with Robert
(rbu@g.o) a solution
to the Kernel security issue. Robert has a good plan to keep the
bugzilla data in bugzilla, that is, don't take away the essentials
from bugzilla. And that is by implementing a tagging system for each
bug. In the whiteboard field for each bug could go something like so
(this is taken from our IRC convo):
[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]
Which would translate as kernel.org upstream released 2.6.22 with a
fix, genpatches released 2.6.20-3 with a fix, and xen-sources released
2.6.18-r2 with the patch applied.

A tool could then be written to parse the bugzilla entries and
generate reports. Then when all the sources have been patched a GLSA
can be released.
I like this idea because all the data stays in bugzilla, so you can go
to bugzilla and get all the information you need about each bug.

I don't see why this tool cannot be available for users too, in the
same form that KISS was. I came across these screenshots:
http://dev.gentoo.org/~dsd/misc/kiss1.jpg
http://dev.gentoo.org/~dsd/misc/kiss2.jpg

What if KISS was an external tool like shown in those pictures, but
parsed the bugzilla entries and generated reports like I talked about
above. Robert's whiteboard tagging system is a great one, but the
system needs a way to view the status of all the sources together and
individually, similarly to what is shown in those screenshots... and why
not make this a website? A single GLSA could still be released per bug
once all sources had been patched, but KISS could be a place for users
to go (if they feel so inclined) to get an overall and granular status
report of the various sources in portage.

Perhaps KISS could offer an email notification option. A user could
"subscribe" to several sources and be notified about their security
status. The user could even specify what sort of information he
wanted: vulnerability report, severity levels, patches released, etc.

Those are just some thoughts I had. I already tossed my hat in but
I've got medium C experience, and I am pretty experienced with hosting
setups, and simple web development (PHP mainly). I would be willing to
work on something like I described above.. bugzilla parsing, a nice
Web display, etc.

Casey


On Thu, Feb 21, 2008 at 8:09 AM, Robert Joslyn <rjmars97@...> wrote:
> I would like to help as well.  I have limited C experience unfortunately,
> and most of that is programming PIC microcontrollers.  Been using Gentoo for
> years, and would love to give something back.
>
> On Thu, Feb 21, 2008 at 4:34 AM, George Prowse <cokehabit@...> wrote:
> > I'm interested, no C knowledge but plenty of time, passed the dev exam
> > and a willingness to learn. It's been on my agenda for a long time.
> >
> > nick loeve wrote:
> > > I can help also... i have limited free time but am willing to put in
> > > some hours...
> > >
> > > I have medium C knowledge, reasonable kernel experience, and also a
> > > strong linux background
> > >
> > > On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro
> > > <arthur@...> wrote:
> > >> I'm interested... little C knowledge, very curious about kernel, strong
> > >>  linux background...
> > >>
> > >>  is there another prereq to join this?
> > >>
> > >>  On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
> > >>  > I am interested too :)
> > >>  >
> > >>  > No C knowledge but strong linux background and very organized guy.
> > >>  >
> > >>  > On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
> > >>  > > It would probably help if we knew how many people were interested.
> > >>  > >
> > >>  > > I am. +1
> > >>  > >
> > >>  > > Casey
> > >>  > >
> > >>  > > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson <propolice@...> wrote:
> > >>  > > > Alright how do we proceed to get this team started.
> > >>  > > >
> > >>  > > >   ed*eonsec
> > >>  > > >
> > >>  > > >  On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:
> > >>  > > >  >
> > >>  > > >  >  On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> > >>  > > >  >  > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > >>  > > >  >  > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > >>  > > >  >  > > > What specific kernel knowledge is needed to get a Kernel
> > >>  > > >  >  > > > advisory up and running?
> > >>  > > >  >  > >
> > >>  > > >  >  > > Between becoming aware of a vulnerability in Linux and
> > >>  > > >  >  > > drafting an advisory for one or all kernel sources comes the
> > >>  > > >  >  > > part where you review which versions of which kernel sources
> > >>  > > >  >  > > are affected and unaffected. You also need to pay attention to
> > >>  > > >  >  > > specifics of the added patchsets, which might duplicate
> > >>  > > >  >  > > vulnerabilities.
> > >>  > > >  >  > >
> > >>  > > >  >  > > Parts of the job can indeed be done without Kernel and C
> > >>  > > >  >  > > knowledge, but some cannot. So if we draft a new kernel
> > >>  > > >  >  > > security *team*, people without C and kernel knowledge are
> > >>  > > >  >  > > helpful -- some others need to have it, though.
> > >>  > > >  >  > >
> > >>  > > >  >  > > Robert
> > >>  > > >  >  >
> > >>  > > >  >  > To be honest, 99% of what is done in the kernel security team
> > >>  > > >  >  > can be done with no C knowledge at all.
> > >>  > > >  >  >
> > >>  > > >  >  > I'm not an expert C person - far from it - but I eventually
> > >>  > > >  >  > became the head of Kernel Security until I retired a few months
> > >>  > > >  >  > ago.
> > >>  > > >  >  >
> > >>  > > >  >  > Most of it is bug handling.  The major problem is a social, not
> > >>  > > >  >  > a technical one.  Because of the manner in which our kernels are
> > >>  > > >  >  > organized, a single vulnerability involves checking upstream
> > >>  > > >  >  > version numbers, coordinating them into our downstream version
> > >>  > > >  >  > numbers for all sources, checking to see if the sources are
> > >>  > > >  >  > affected, figuring out who to CC for the bugs, then harassing
> > >>  > > >  >  > them until they do it.
> > >>  > > >  >  >
> > >>  > > >  >  > Unlike other security sources, any attempt to hardmask the
> > >>  > > >  >  > package is shut down instantly.  The chaos that would result
> > >>  > > >  >  > from a kernel hardmask, even one of the lesser used ones, caused
> > >>  > > >  >  > me to only successfully order one over my entire career in
> > >>  > > >  >  > Gentoo Kernsec... even though around 30 would have been needed.
> > >>  > > >  >  > It is not infrequent that bugs will last six months without any
> > >>  > > >  >  > action coming about them, and users are blissfully unaware.
> > >>  > > >  >  >
> > >>  > > >  >  > I am happy to give my input as the former head of Kernel
> > >>  > > >  >  > Security, but it is my personal opinion that any advances in
> > >>  > > >  >  > kernel security will require the full cooperation of security,
> > >>  > > >  >  > and letting the head of kernel security be able to actually
> > >>  > > >  >  > enforce threats, as that seems to be the only way bugs ever get
> > >>  > > >  >  > resolved.  Pleading didn't work - I tried.
> > >>  > > >  >  >
> > >>  > > >  >  > -Harlan Lieberman-Berg
> > >>  > > >  >  > Gentoo Developer Emeritus
> > >>  > > >  >
> > >>  > > >  >  Every word of what you said is painfully true. The only way to
> > >>  > > >  >  accomplish this would be with an Iron Fist(fail) or a team of ~15
> > >>  > > >  >  guys who do nothing but patch and push new kernels and the PR that
> > >>  > > >  >  goes along with them every few days.
> > >>  > > >  >  --
> > >>  > > >  >  Ned Ludd <solar@g.o>
> > >>  > > >  >
> > >>  >
> > >>
> > >>  --
> > >>  Arthur Bispo de Castro
> > >>  Laboratório de Administração e Segurança (LAS/IC)
> > >>  Universidade Estadual de Campinas (UNICAMP)
> > >>  --
> > >>
> > >
--
gentoo-security@g.o mailing list
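As an added illustration of the whiteboard tag format Casey proposes above (this is not code from the thread, from KISS or from Gentoo), here is a small Python parser for tags of the form "[source < fixed-version]" that checks each tagged source against the version currently in the tree and reports when every source carries the fix, which is the point at which a single GLSA could go out. The bug ids and tree versions are constructed, and the version-ordering rule (compare the numeric runs, so "-r2" and "-3" act as one trailing component) is my assumption, not a Gentoo rule.

```python
import re

# Whiteboard tag as proposed in the thread: "[source < fixed-version]",
# e.g. "[linux < 2.6.22]" meaning versions below 2.6.22 are vulnerable.
TAG_RE = re.compile(r"\[\s*([A-Za-z0-9_.+-]+)\s*<\s*([0-9][0-9A-Za-z._-]*)\s*\]")

def version_key(version):
    """Turn '2.6.18-r2' into (2, 6, 18, 2) so tuples compare like versions.
    Assumption: only the numeric runs matter, so a '-r2' or '-3' suffix
    becomes one extra trailing component (2.6.22 sorts below 2.6.22-r1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def parse_whiteboard(whiteboard):
    """Return {source: fixed_version} for every tag in one whiteboard string."""
    return dict(TAG_RE.findall(whiteboard))

def is_affected(fixed_version, candidate_version):
    """A candidate is affected when it sorts below the version carrying the fix."""
    return version_key(candidate_version) < version_key(fixed_version)

def status_report(bugs, tree_versions):
    """bugs: {bug_id: whiteboard}; tree_versions: {source: version in portage}.
    Returns {bug_id: {source: 'vulnerable' | 'fixed' | 'unknown'}}."""
    report = {}
    for bug_id, whiteboard in bugs.items():
        per_source = {}
        for source, fixed in parse_whiteboard(whiteboard).items():
            current = tree_versions.get(source)
            if current is None:
                per_source[source] = "unknown"   # source not tracked in the tree
            elif is_affected(fixed, current):
                per_source[source] = "vulnerable"
            else:
                per_source[source] = "fixed"
        report[bug_id] = per_source
    return report

def glsa_ready(report, bug_id):
    """Casey's rule: a GLSA can go out once every tagged source carries the fix."""
    statuses = report[bug_id].values()
    return bool(statuses) and all(s == "fixed" for s in statuses)

# Constructed sample data; the bug ids and tree versions are made up.
SAMPLE_BUGS = {
    "bug-A": "[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]",
    "bug-B": "[linux < 2.6.24] [genpatches < 2.6.23-5]",
}
SAMPLE_TREE = {"linux": "2.6.22", "genpatches": "2.6.20-4", "xen-sources": "2.6.18-r1"}

SAMPLE_REPORT = status_report(SAMPLE_BUGS, SAMPLE_TREE)
```

With the sample tree, bug-A still has xen-sources vulnerable and bug-B has both sources vulnerable, so neither is GLSA-ready; a tag whose source is missing from the tree is reported as "unknown" rather than silently counted as fixed.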


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
