Gentoo Archives: gentoo-security

From: Casey Link <unnamedrambler@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Thu, 21 Feb 2008 13:36:43
Message-Id: fb3727060802210535k4c91812bt48fa90a539059a88@mail.gmail.com
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Robert Joslyn
A couple days ago I discussed (in #gentoo-security) with Robert
(rbu@g.o) a solution to the Kernel security issue. Robert has a good
plan to keep the bugzilla data in bugzilla, that is, don't take away
the essentials from bugzilla. And that is by implementing a tagging
system for each bug. In the whiteboard field for each bug could go
something like so (this is taken from our IRC convo):

[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]

Which would translate as kernel.org upstream released 2.6.22 with a
fix, genpatches released 2.6.20-3 with a fix, and xen-sources released
2.6.18-r2 with the patch applied.

A tool could then be written to parse the bugzilla entries and
generate reports. Then when all the sources have been patched a GLSA
can be released.

I like this idea because all the data stays in bugzilla, so you can go
to bugzilla and get all the information you need about each bug.

I don't see why this tool cannot be available for users too.. in the
same form that KISS was. I came across these screenshots:
http://dev.gentoo.org/~dsd/misc/kiss1.jpg
http://dev.gentoo.org/~dsd/misc/kiss2.jpg

What if KISS was an external tool like shown in those pictures, but
parsed the bugzilla entries and generated reports like I talked about
above. Robert's whiteboard tagging system is a great one, but the
system needs a way to view the status of all the sources together and
individually, similarly to what is shown in those screenshots.. and why
not make this a website? A single GLSA could still be released per bug
once all sources had been patched, but KISS could be a place for users
to go (if they feel so inclined) to get an overall and granular status
report of the various sources in portage.

Perhaps KISS could offer an email notification option. A user could
"subscribe" to several sources and be notified about their security
status. The user could even specify what sort of information he
wanted: vulnerability report, severity levels, patches released, etc.

Those are just some thoughts I had. I already tossed my hat in but
I've got medium C experience, and I am pretty experienced with hosting
setups, and simple web development (PHP mainly). I would be willing to
work on something like I described above.. bugzilla parsing, a nice
Web display, etc.

Casey


On Thu, Feb 21, 2008 at 8:09 AM, Robert Joslyn <rjmars97@×××××.com> wrote:
> I would like to help as well. I have limited C experience unfortunately,
> and most of that is programming PIC microcontrollers. Been using Gentoo for
> years, and would love to give something back.
>
> Robert
>
> On Thu, Feb 21, 2008 at 4:34 AM, George Prowse <cokehabit@×××××.com> wrote:
> > I'm interested, no C knowledge but plenty of time, passed the dev exam
> > and a willingness to learn. It's been on my agenda for a long time.
> >
> > nick loeve wrote:
> > > I can help also... i have limited free time but am willing to put in
> > > some hours...
> > >
> > > I have medium C knowledge, reasonable kernel experience, and also a
> > > strong linux background
> > >
> > > On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro
> > > <arthur@××××××××××××××.br> wrote:
> > >> I'm interested... little C knowledge, very curious about kernel, strong
> > >> linux background...
> > >>
> > >> is there another prereq to join this?
> > >>
> > >> On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
> > >> > I am interested too :)
> > >> >
> > >> > No C knowledge but strong linux background and very organized guy.
> > >> >
> > >> > On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
> > >> > > It would probably help if we knew how many people were interested.
> > >> > >
> > >> > > I am. +1
> > >> > >
> > >> > > Casey
> > >> > >
> > >> > > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson
> > >> > > <propolice@×××××.com> wrote:
> > >> > > > Alright how do we proceed to get this team started.
> > >> > > >
> > >> > > > ed*eonsec
> > >> > > >
> > >> > > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:
> > >> > > > >
> > >> > > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> > >> > > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > >> > > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > >> > > > > > > > What specific kernel knowledge is needed to get a
> > >> > > > > > > > Kernel advisory up and running ?
> > >> > > > > > >
> > >> > > > > > > Between becoming aware of a vulnerability in Linux and
> > >> > > > > > > drafting an advisory for one or all kernel sources comes
> > >> > > > > > > the part where you review which versions of which kernel
> > >> > > > > > > sources are affected and unaffected. You also need to pay
> > >> > > > > > > attention to specifics of the added patchsets, which might
> > >> > > > > > > duplicate vulnerabilities.
> > >> > > > > > >
> > >> > > > > > > Parts of the job can indeed be done without Kernel and C
> > >> > > > > > > knowledge, but some cannot. So if we draft a new kernel
> > >> > > > > > > security *team*, people without C and kernel knowledge are
> > >> > > > > > > helpful -- some others need to have it, though.
> > >> > > > > > >
> > >> > > > > > > Robert
> > >> > > > > >
> > >> > > > > > To be honest, 99% of what is done in the kernel security
> > >> > > > > > team can be done with no C knowledge at all.
> > >> > > > > >
> > >> > > > > > I'm not an expert C person - far from it - but I eventually
> > >> > > > > > became the head of Kernel Security until I retired a few
> > >> > > > > > months ago.
> > >> > > > > >
> > >> > > > > > Most of it is bug handling. The major problem is a social,
> > >> > > > > > not a technical one. Because of the manner in which our
> > >> > > > > > kernels are organized, a single vulnerability involves
> > >> > > > > > checking upstream version numbers, coordinating them into
> > >> > > > > > our downstream version numbers for all sources, checking to
> > >> > > > > > see if the sources are affected, figuring out who to CC for
> > >> > > > > > the bugs, then harassing them until they do it.
> > >> > > > > >
> > >> > > > > > Unlike other security sources, any attempt to hardmask the
> > >> > > > > > package is shut down instantly. The chaos that would result
> > >> > > > > > from a kernel hardmask, even one of the lesser used ones,
> > >> > > > > > caused me to only successfully order one over my entire
> > >> > > > > > career in Gentoo Kernsec... even though more around 30 would
> > >> > > > > > have been needed. It is not infrequently that bugs will last
> > >> > > > > > six months without any action coming about them, and users
> > >> > > > > > are blissfully unaware.
> > >> > > > > >
> > >> > > > > > I am happy to give my input as the former head of Kernel
> > >> > > > > > Security, but it is my personal opinion that any advances in
> > >> > > > > > kernel security will require the full cooperation of
> > >> > > > > > security, and letting the head of kernel security be able to
> > >> > > > > > actually enforce threats, as that seems to be the only way
> > >> > > > > > bugs ever get resolved. Pleading didn't work - I tried.
> > >> > > > > >
> > >> > > > > > -Harlan Lieberman-Berg
> > >> > > > > > Gentoo Developer Emeritus
> > >> > > > >
> > >> > > > > Every word of what you said is painfully true. The only way to
> > >> > > > > accomplish this would be with an Iron Fist(fail) or a team of
> > >> > > > > ~15 guys who do nothing but patch and push new kernels and the
> > >> > > > > PR that goes along with them every few days.
> > >> > > > > --
> > >> > > > > Ned Ludd <solar@g.o>
> > >> > > > >
> > >>
> > >> --
> > >> Arthur Bispo de Castro
> > >> Laboratório de Administração e Segurança (LAS/IC)
> > >> Universidade Estadual de Campinas (UNICAMP)
> > >> --
> >
--
gentoo-security@l.g.o mailing list
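The whiteboard tagging scheme and the bugzilla-parsing tool Casey sketches at the top of this message, worked through as an added example (this is not code from the thread, from KISS, or from any Gentoo tool): a small Python parser for `[source OP version]` tags, with a version ordering that understands the `-3` and `-r2` suffixes in the sample line, plus the two reports the tool would produce. The tag grammar, the rule that a source with no tag counts as not yet patched, and the `status_report` and `glsa_ready` functions are assumptions made for this example; the sample whiteboard line is the one quoted in the message and the installed versions are constructed.

```python
"""Parser for the proposed bugzilla whiteboard tags, e.g.
   [linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]
Each tag names a kernel source and the version range that is still
affected; the first version outside that range carries the fix.
Added example: tag grammar and version rules are assumptions."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Tag(NamedTuple):
    source: str   # e.g. "genpatches"
    op: str       # comparison operator describing the *affected* range
    version: str  # version string exactly as written in the whiteboard


# [ name OP version ]; name and version may contain '-', so the operator
# (with optional whitespace) is what separates them.
TAG_RE = re.compile(r"\[\s*([^\s\[\]<>=]+)\s*(<=|>=|<|>|=)\s*([^\s\[\]]+)\s*\]")


def parse_whiteboard(whiteboard: str) -> List[Tag]:
    """Extract every [source OP version] tag; unrelated text is ignored."""
    return [Tag(s, op, v) for s, op, v in TAG_RE.findall(whiteboard)]


# dotted numeric version, optional "-N" (genpatches) or "-rN" (ebuild revision)
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r?(\d+))?")


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Map '2.6.18-r2' -> ((2, 6, 18), 2) so keys compare as tuples.
    Anything outside the assumed syntax is rejected rather than silently
    misordered, which would turn an affected source into a 'fixed' one."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def is_affected(tag: Tag, installed: str) -> bool:
    """True if `installed` falls inside the tag's affected range."""
    return _OPS[tag.op](version_key(installed), version_key(tag.version))


def status_report(whiteboard: str, installed: Dict[str, str]) -> Dict[str, str]:
    """Per-source status for a set of installed source versions.
    'untagged' means the bug carries no tag for that source yet, which in
    the proposed workflow signals that it is still unpatched (assumption)."""
    tags = {t.source: t for t in parse_whiteboard(whiteboard)}
    report = {}
    for source, version in installed.items():
        tag = tags.get(source)
        if tag is None:
            report[source] = "untagged"
        else:
            report[source] = "affected" if is_affected(tag, version) else "fixed"
    return report


def glsa_ready(whiteboard: str, tracked_sources: List[str]) -> bool:
    """A GLSA can go out once every tracked source carries a fix tag."""
    tagged = {t.source for t in parse_whiteboard(whiteboard)}
    return all(s in tagged for s in tracked_sources)


if __name__ == "__main__":
    wb = "[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]"
    have = {  # constructed sample of what a user has installed
        "linux": "2.6.21", "genpatches": "2.6.20-3",
        "xen-sources": "2.6.18-r1", "hardened-sources": "2.6.17",
    }
    for src, state in status_report(wb, have).items():
        print(f"{src:18} {have[src]:12} {state}")
    print("GLSA ready:", glsa_ready(wb, ["linux", "genpatches", "xen-sources"]))
```

The version comparison is deliberately strict: a string the parser does not understand raises instead of comparing as text, because lexical ordering would rank `2.6.9` above `2.6.22` and report an affected source as fixed. Tracking which sources a GLSA must cover is a separate input (`tracked_sources`), since the whiteboard alone cannot say which sources exist in portage.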

Replies

Subject Author
Re: [gentoo-security] Kernel Security + KISS Eduardo Tongson <propolice@×××××.com>