Gentoo Archives: gentoo-security

From: Marcin Dylewski <marcin.dylewski@×××××××××.pl>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Thu, 21 Feb 2008 09:31:20
Message-Id: 005a01c8746c$67f86080$4204180a@polcard.pl
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Arthur Bispo de Castro
Hi All,

I am interested in contributing as well. Moderate C knowledge and strong
linux background.

Regards,
Marcin

----- Original Message -----
From: "Arthur Bispo de Castro" <arthur@××××××××××××××.br>
To: <gentoo-security@l.g.o>
Sent: Thursday, February 21, 2008 8:02 AM
Subject: Re: [gentoo-security] Kernel Security + KISS


> I'm interested... little C knowledge, very curious about kernel, strong
> linux background...
>
> is there another prereq to join this?
>
> On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
>> I am interested too :)
>>
>> No C knowledge but strong linux background and very organized guy.
>>
>> On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
>> > It would probably help if we knew how many people were interested.
>> >
>> > I am. +1
>> >
>> > Casey
>> >
>> > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson <propolice@×××××.com>
>> > wrote:
>> > > Alright how do we proceed to get this team started.
>> > >
>> > > ed*eonsec
>> > >
>> > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:
>> > > >
>> > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
>> > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
>> > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
>> > > > > > > What specific kernel knowledge is needed to get a Kernel advisory up
>> > > > > > > and running?
>> > > > > >
>> > > > > > Between becoming aware of a vulnerability in Linux and drafting an advisory
>> > > > > > for one or all kernel sources comes the part where you review which
>> > > > > > versions of which kernel sources are affected and unaffected. You also
>> > > > > > need to pay attention to specifics of the added patchsets, which might
>> > > > > > duplicate vulnerabilities.
>> > > > > >
>> > > > > > Parts of the job can indeed be done without Kernel and C knowledge, but
>> > > > > > some cannot. So if we draft a new kernel security *team*, people without C
>> > > > > > and kernel knowledge are helpful -- some others need to have it, though.
>> > > > > >
>> > > > > > Robert
>> > > > >
>> > > > > To be honest, 99% of what is done in the kernel security team can be done with
>> > > > > no C knowledge at all.
>> > > > >
>> > > > > I'm not an expert C person - far from it - but I eventually became the head of
>> > > > > Kernel Security until I retired a few months ago.
>> > > > >
>> > > > > Most of it is bug handling. The major problem is a social, not a technical
>> > > > > one. Because of the manner in which our kernels are organized, a single
>> > > > > vulnerability involves checking upstream version numbers, coordinating them
>> > > > > into our downstream version numbers for all sources, checking to see if the
>> > > > > sources are affected, figuring out who to CC for the bugs, then harassing
>> > > > > them until they do it.
>> > > > >
>> > > > > Unlike other security sources, any attempt to hardmask the package is shut down
>> > > > > instantly. The chaos that would result from a kernel hardmask, even one of
>> > > > > the lesser used ones, caused me to only successfully order one over my entire
>> > > > > career in Gentoo Kernsec... even though around 30 more would have been
>> > > > > needed. It is not infrequent that bugs will last six months without any
>> > > > > action coming about them, and users are blissfully unaware.
>> > > > >
>> > > > > I am happy to give my input as the former head of Kernel Security, but it is
>> > > > > my personal opinion that any advances in kernel security will require the
>> > > > > full cooperation of security, and letting the head of kernel security be able
>> > > > > to actually enforce threats, as that seems to be the only way bugs ever get
>> > > > > resolved. Pleading didn't work - I tried.
>> > > > >
>> > > > > -Harlan Lieberman-Berg
>> > > > > Gentoo Developer Emeritus
>> > > >
>> > > > Every word of what you said is painfully true. The only way to
>> > > > accomplish this would be with an Iron Fist(fail) or a team of ~15 guys
>> > > > who do nothing but patch and push new kernels and the PR that goes along
>> > > > with them every few days.
>> > > > --
>> > > > Ned Ludd <solar@g.o>
>> > >
>>
>
> --
> Arthur Bispo de Castro
> Laboratório de Administração e Segurança (LAS/IC)
> Universidade Estadual de Campinas (UNICAMP)
>

--
gentoo-security@l.g.o mailing list