Gentoo Archives: gentoo-security

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Sun, 24 Feb 2008 13:46:26
Message-Id: 200802241443.38508.jaervosz@gentoo.org
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Casey Link
On Friday 22 February 2008 04:55:17 Casey Link wrote:
> Here are some day to day duties that will need to get done. This
> isn't exhaustive, just the results of a few minutes of brainstorming:
>
> * Stalking the places vulnerabilities are announced (CVE, mailing
> lists, etc) to create the relevant bug.
The Security team is more or less already doing this. We could quite easily
start filing kernel stuff again.

> * Determine which upstream (kernel.org) version has the fix and make
> the whiteboard entry in bugzilla.
> * Determine which sources are affected
> * Nag kernel maintainers to patch their sources
> * Find patches and discussion to link to the kernel maintainers to
> ease their patching (and ideally encourage them to patch faster)
> * As sources are patched update the whiteboard
> * Release glsas of unaffected packages (?)
The GLSA format/DTD per se was deemed unfit for kernel sources. I guess you
could add what is needed to the Resolution section though.

>
> Some framework and specification needs to be laid, but that is a
> general outline of the process I think. None of those duties require
> programming experience at all. Of course crafting patches to send to
> the kernel maintainers would be another helpful thing to do. Ideally
> this would be made pretty simple with some nifty tools, however
> manpower is going to be required regardless.
>
> There are still the glaring issues of (1) the best way to notify users
> of vulnerabilities, and (2) how to enforce rapid-ish response by
> kernel maintainers. I think the best way to approach (2) is to be
> amicable towards the maintainers. Point them in the right direction,
> send them patches, etc., rather than spamming "OMG! Patch
> foo-sources!" every day. Maybe we could give them candy or something.
I think we should try to get all security supported kernel maintainers to
abide by some timetable laid down in a coming kernel security policy. If
kernel maintainers don't want to do that I guess their sources should go back
to unstable. Before anything is final kernel maintainers and council should
be consulted.

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team

>
> Casey
>
> On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@×××××.com>
wrote:
> > Yes. We should each have assigned tasks which will depend on our
> > respective skill and trait.
> >
> > -- ed*eonsec
> >
> > On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@×××××.com> wrote:
> > > George Prowse wrote:
> > > > Eduardo Tongson wrote:
> > > >> Nice plan. I think you are more able to lead. Can we communicate
> > > >> more in email, perhaps a google group or list. IRC is not efficient
> > > >> for people in different timezones.
> > > >>
> > > >> -- ed*eonsec
> > > >
> > > > I agree, a list or group would be better at pooling the people at
> > > > your disposal
> > >
> > > I also think it would be a good idea to set up some requirements
> > > profile so people can identify themselves in some kind of matrix?
> > >
> > > I basically volunteer but not sure what use I could be with a
> > > background as an ISO, limited time and basic C knowledge.
> > >
> > > --doppelgaenger
> > >
> > >
> > > --
> > > gentoo-security@l.g.o mailing list
> >
> > --
> > gentoo-security@l.g.o mailing list
--
gentoo-security@l.g.o mailing list