Here are some day to day duties that will need to get done. This
isn't exhaustive, just the results of a few minutes of brainstorming:

* Stalking the places vulnerabilities are announced (CVE, mailing
  lists, etc) to create the relevant bug.
* Determine which upstream (kernel.org) version has the fix and make
  the whiteboard entry in bugzilla.
* Determine which sources are affected
* Nag kernel maintainers to patch their sources
* Find patches and discussion to link to the kernel maintainers to
  ease their patching (and ideally encourage them to patch faster)
* As sources are patched update the whiteboard
* Release glsas of unaffected packages (?)

Some framework and specification needs to be laid, but that is a
general outline of the process I think. None of those duties require
programming experience at all. Of course crafting patches to send to
the kernel maintainers would be another helpful thing to do. Ideally
this would be made pretty simple with some nifty tools, however
manpower is going to be required regardless.

There are still the glaring issues of (1) the best way to notify users
of vulnerabilities, and (2) how to enforce rapid-ish response by
kernel maintainers. I think the best way to approach (2) is to be
amicable towards the maintainers. Point them in the right direction,
send them patches, etc., rather than spamming "OMG! Patch
foo-sources!" every day. Maybe we could give them candy or something.

Casey

On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@×××××.com> wrote:
> Yes. We should each have assigned tasks which will depend on our
> respective skill and trait.
>
> -- ed*eonsec
>
> On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@×××××.com> wrote:
> > George Prowse wrote:
> > > Eduardo Tongson wrote:
> > >> Nice plan. I think you are more able to lead. Can we communicate more
> > >> in email perhaps a google group or list. IRC is not efficient for
> > >> people in different timezones.
> > >>
> > >> -- ed*eonsec
> > >>
> > > I agree, a list or group would be better at pooling the people at your
> > > disposal
> >
> > I also think it would be a good idea to set up some requirements profile
> > so people can identify themselves in some kind of matrix?
> >
> > I basically volunteer but not sure what use I could be with a background
> > as an ISO, limited time and basic C knowledge.
> >
> > --doppelgaenger
> >
> > --
> > gentoo-security@l.g.o mailing list
> >
> --
> gentoo-security@l.g.o mailing list
>
--
gentoo-security@l.g.o mailing list