On Friday 22 February 2008 04:55:17 Casey Link wrote:
> Here are some day to day duties that will need to get done. This
> isn't exhaustive, just the results of a few minutes of brainstorming:
>
> * Stalking the places vulnerabilities are announced (CVE, mailing
> lists, etc) to create the relevant bug.
The Security team is more or less already doing this. We could quite easily
start filing kernel stuff again.

> * Determine which upstream (kernel.org) version has the fix and make
> the whiteboard entry in bugzilla.
> * Determine which sources are affected
> * Nag kernel maintainers to patch their sources
> * Find patches and discussion to link to the kernel maintainers to
> ease their patching (and ideally encourage them to patch faster)
> * As sources are patched update the whiteboard
> * Release GLSAs of unaffected packages (?)
The GLSA format/DTD per se was deemed unfit for kernel sources. I guess you
could add what is needed to the Resolution section though.

>
> Some framework and specification needs to be laid, but that is a
> general outline of the process I think. None of those duties require
> programming experience at all. Of course crafting patches to send to
> the kernel maintainers would be another helpful thing to do. Ideally
> this would be made pretty simple with some nifty tools; however,
> manpower is going to be required regardless.
>
> There are still the glaring issues of (1) the best way to notify users
> of vulnerabilities, and (2) how to enforce rapid-ish response by
> kernel maintainers. I think the best way to approach (2) is to be
> amicable towards the maintainers. Point them in the right direction,
> send them patches, etc., rather than spamming "OMG! Patch
> foo-sources!" every day. Maybe we could give them candy or something.
I think we should try to get all security supported kernel maintainers to
abide by some timetable laid down in a coming kernel security policy. If
kernel maintainers don't want to do that, I guess their sources should go back
to unstable. Before anything is final, kernel maintainers and council should
be consulted.

-- 
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team

>
> Casey
>
> On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@×××××.com>
> wrote:
> > Yes. We should each have assigned tasks which will depend on our
> > respective skill and trait.
> >
> > -- ed*eonsec
> >
> > On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@×××××.com> wrote:
> > > George Prowse wrote:
> > > > Eduardo Tongson wrote:
> > > >> Nice plan. I think you are more able to lead. Can we communicate
> > > >> more in email, perhaps a Google group or list? IRC is not efficient
> > > >> for people in different timezones.
> > > >>
> > > >> -- ed*eonsec
> > > >
> > > > I agree, a list or group would be better at pooling the people at
> > > > your disposal
> > >
> > > I also think it would be a good idea to set up some requirements
> > > profile so people can identify themselves in some kind of matrix?
> > >
> > > I basically volunteer but am not sure what use I could be with a
> > > background as an ISO, limited time and basic C knowledge.
> > >
> > > --doppelgaenger
> > >
> > >
> > > -- 
> > > gentoo-security@l.g.o mailing list