List Archive: gentoo-security
To: gentoo-security@g.o
From: Harlan Lieberman-Berg <sysadmin@...>
Subject: Re: Kernel Security + KISS
Date: Wed, 20 Feb 2008 13:59:55 -0500
On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > What specific kernel knowledge is needed to get a Kernel advisory up
> > and running ?
> Between becoming aware of a vulnerability in Linux and drafting an advisory
> for one or all kernel sources comes the part where you review which
> versions of which kernel sources are affected and unaffected. You also
> need to pay attention to specifics of the added patchsets, which might
> duplicate vulnerabilities.
> Parts of the job can indeed be done without Kernel and C knowledge, but
> some cannot. So if we draft a new kernel security *team*, people without C
> and kernel knowledge are helpful -- some others need to have it, though.
> Robert

To be honest, 99% of what is done in the kernel security team can be done with 
no C knowledge at all.

I'm not an expert C person - far from it - but I eventually became the head of 
Kernel Security until I retired a few months ago.

Most of it is bug handling.  The major problem is a social, not a technical 
one.  Because of the manner in which our kernels are organized, a single 
vulnerability involves checking upstream version numbers, coordinating them 
into our downstream version numbers for all sources, checking to see if the 
sources are affected, figuring out who to CC for the bugs, then harassing 
them until they do it.

Unlike other security sources, any attempt to hardmask the package is shut down 
instantly.  The chaos that would result from a kernel hardmask, even one of 
the lesser used ones, caused me to only successfully order one over my entire 
career in Gentoo Kernsec... even though around 30 would have been 
needed.  It is not infrequent that bugs will last six months without any 
action being taken on them, and users are blissfully unaware.

I am happy to give my input as the former head of Kernel Security, but it is 
my personal opinion that any advances in kernel security will require the 
full cooperation of security, and letting the head of kernel security be able 
to actually enforce threats, as that seems to be the only way bugs ever get 
resolved.  Pleading didn't work - I tried.

-Harlan Lieberman-Berg
Gentoo Developer Emeritus
Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.