[gentoo-commits] proj/hardened-docs:master commit in: xml/

["Sven Vermeulen" <sven.vermeulen@siphos.be>]

commit:     30fc4bb43b43456288c250ed48d13972c00f5055
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 22 21:34:25 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 22 21:34:25 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=30fc4bb4

Improve roadmap (still wip)

---
 xml/roadmap.xml |  528 ++++++++++++++++++++++++++++++++++++++-----------------
 1 files changed, 364 insertions(+), 164 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index e8a46d8..eab839e 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -1,7 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
-<guide link="roadmap.xml">
+<!--
+  TODO BEFORE REMOVING THE DISCLAIMER !!!
+
+  - Update document to use a generic structure (cfr until the "@HERE" sign)
+  - Move support tables out of the document, make it a
+    'supported-architectures.xml' file or something like that. People will
+    eventually ask if this or that is supported on their architecture, and then
+    that page is better suited than a roadmap page (with a roadmap page, people
+    think it isn't supported). 
+    Instead, in the roadmap, use something like 'Support currently unsupported
+    architectures (mips, ppc64, ...)' -> Unassigned, and for each one that is
+    progressing have a specific entry.
+  - Suggest changes to the document (make milestones benchmarkable, move other
+    stuff as goals).
+-->
+<guide disclaimer="draft" link="roadmap.xml">
 <title>Hardened Gentoo Roadmap</title>
 <author title="Author">
   <mail link="tocharian@gentoo.org">Adam Mondl</mail>
@@ -46,28 +61,366 @@ Hardened Gentoo project.
 <date>2011-05-22</date>
 
 <chapter>
-<title>Short-Term Goals</title>
+<title>Vision</title>
+<section>
+<body>
+
+<!--
+  What is the main vision that Gentoo Hardened strives towards?
+  Why does Gentoo Hardened exist? In light of which vision do we
+  take our decisions?
+-->
+
+<p>
+Within Gentoo Linux, the Gentoo Hardened project wants to be a shepherd for all
+security oriented projects. The project wants to make Gentoo viable for highly
+secure, high stability production environments. 
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Strategy</title>
+<section>
+<title>Introduction</title>
+<body>
+
+<!--
+  Our strategy should reflect our high-level choices and focuses. It should
+  describe what we aim for (in light of our vision) in a generic descriptive
+  approach. The strategy of Gentoo Hardened should be what we envision to be the
+  way to go forward to implement our vision. It should not change much in time.
+-->
+
+<p>
+In order to succesfully strive towards our vision, Gentoo Hardened aims to
+provide subprojects that test, develop, enhance, implement and integrate 
+specific security measures in Gentoo Linux. Although each of these projects has
+operational responsibilities (after all, the technologies that they support are
+used by users all around) they continue to research and develop, making Gentoo
+Linux even better than it is today.
+</p>
+
+<p>
+The direction that each of these projects is heading towards is described in
+their <e>roadmap</e>, a combination of strategic directions and shorter term
+milestones. These roadmaps are combined in this very document, allowing users to
+get a general overview of where Gentoo Hardened is evolving towards.
+</p>
+
+</body>
+</section>
+<section>
+<title>Documentation</title>
+<body>
+
+<p>
+Documentation is Gentoo Hardened's first asset that users come in contact with.
+It is important that Gentoo Hardened's documentation is well structured, easily
+accessible and correctly written. Although we currently focus on technically
+educated users and system administrators, this focus should not lower our
+responsibility of creating the necessary documents to guide new users in Gentoo
+Hardened's realms.
+</p>
+
+</body>
+</section>
+<section>
+<title>Vulnerability Mitigation</title>
+<body>
+
+<p>
+Users use a <e>toolchain</e>, a set of libraries and tools like compilers,
+linkers and more, to build their systems with. To fight potential
+vulnerabilities and future exploits, Gentoo Hardened maintains a toolchain that
+supports additional security-enhancing features like SSP, PIE and PIC.
+Our focus is to enhance and maintain this toolchain and help the integration of
+these security-enhancing patchsets within the upstream communities so that the
+benefits are available for all Linux users.
+</p>
+
+<p>
+Yet toolchains are not the only method where risks can be reduced. Specific
+patch sets that enhance Linux' security-related capabilities exist, such as
+PAX, that help users mitigate the risk of succesful exploitation of
+vulnerabilities. Gentoo Hardened positions and integrates these patches in the
+distribution.
+</p>
+
+</body>
+</section>
+<section>
+<title>Access Control</title>
+<body>
+
+<p>
+Although definitely not the only security component of a system, proper access
+control is a prerequisite for a safer environment. Within Gentoo Hardened,
+support of proper access control systems is important, and reflected in our
+choices of enhanced development of SELinux, grSecurity RSBAC and more.
+</p>
+
+</body>
+</section>
+<section>
+<title>Architecture Support</title>
+<body>
+
+<p>
+The current primary development activities take place within the popular and
+commodity architectures x86 and amd64 (x86_64). Yet many other architectures
+exist, especially within the server and embedded/mobile environments. These
+architectures need to be properly supported as well.
+</p>
+
+</body>
+</section>
+<section>
+<title>Staffing</title>
+<body>
+
+<p>
+In order to sustain or even grow our research and development pace and keep
+supporting operational tasks and help out users, the Gentoo Hardened team is
+always looking for fresh blood. Users who take a proactive approach to finding
+places for improvement and filling in the holes should and will be noticed and
+probably recruited. Yet recruitment is not mandatory to help out our project. 
+The necessary resources are put in place to let contributors efficiently help 
+out the project.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Documentation Goals and Milestones</title>
 <section>
-<title>Hardened Toolchain</title>
+<title>Current State</title>
 <body>
 
 <p>
-Now is the time to take a step back and examine the work that has been done so
-far. A review of the current approach that the hardened toolchain takes is
-needed. There may be ways to strengthen the current implementation or areas of
-code that can be cleaned up to allow changes to be pushed upstream easier.
+The Gentoo Hardened project is currently lagging behind a bit on documentation.
+Recent upstaffing and contributions have helped this out, but we still need to
+focus on the toolchain documentation (both toolchain-specific documentation
+as wel as documents that relate to the toolchain) such as SSP, PIE and PIC
+information.
 </p>
 
 <p>
-As a side effect of the previous hardened toolchain, many ebuilds currently
-filter hardened CFLAGS such as -fPIE and -fstack-protector. Work will also be
-dedicated to reviewing those packages and seeking alternate solutions for the
-filters.
+Also, comparative documents should be written to explain the choices that Gentoo
+Hardened has made, such as tool selection.
 </p>
 
 </body>
 </section>
+<section>
+<title>Goals and Milestones</title>
+<body>
+
+<!--
+  TODO I just verbatimly copied it from the previous version. However, I think
+  we should set goals (what to go for) and milestones (specific points that are
+  benchmarkable and - most likely - be strengthened by the availability of bug
+  reports)
+-->
+
+<table>
+<tr>
+  <th>Description</th>
+  <th>ETA</th>
+  <th>Status</th>
+  <th>Coordinator(s)</th>
+  <th>Related Bugs</th>
+</tr>
+<tr>
+  <ti>Document the Hardened Toolchain</ti>
+  <ti></ti>
+  <ti><keyword>In Progress</keyword></ti>
+  <ti>Zorry</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>Comparative analysis of security approaches taken by distributions</ti>
+  <ti></ti>
+  <ti><comment>Unassigned</comment></ti>
+  <ti></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>Rework grSecurity documentation</ti>
+  <ti></ti>
+  <ti><comment>Unassigned</comment></ti>
+  <ti></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>Update/rewrite propolice documentation</ti>
+  <ti></ti>
+  <ti><comment>Unassigned</comment></ti>
+  <ti></ti>
+  <ti />
+</tr>
+</table>
+
+</body>
+</section>
+</chapter>
 
+<chapter>
+<title>Hardened Toolchain Goals and Milestones</title>
+<section>
+<title>Current State</title>
+<body>
+
+<p>
+Our toolchain so far has seen a tremendous evolution. Some of the integrated
+patches have been accepted upstream (like SSP), but work can still improve.
+To allow changes to be pushed upstream more easily, we might need improvements
+on the ways to strengthen the current implementation, and work on the areas of
+code that need clean-up.
+</p>
+
+<p>
+Our next steps are to take a step backwards and examine the work that has been
+done so far. We need to improve our existing documents, but also review the
+packages available in the Portage tree and help out the package maintainers in
+handling CFLAG filters for a hardened toolchain in a proper way.
+</p>
+
+</body>
+</section>
+<section>
+<title>Goals and Milestones</title>
+<body>
+
+<table>
+<tr>
+  <th>Description</th>
+  <th>ETA</th>
+  <th>Status</th>
+  <th>Coordinator(s)</th>
+  <th>Related Bugs</th>
+</tr>
+<tr>
+  <th colspan="5">Improve and sustain support for multiple architectures</th>
+</tr>
+<tr>
+  <ti>x86 support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>Zorry</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>amd64 (x86_64) support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>Zorry</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>sparc32 support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>sparc64 support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>ppc support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>nixnut, Zorry, blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ppc64 support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>s390 support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>hppa support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>arm support</ti>
+  <ti />
+  <ti><var>In progress</var></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>mips support</ti>
+  <ti />
+  <ti><var>In progress</var></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ia64 support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>Zorry, blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <th colspan="5">Enhance documentation</th>
+</tr>
+<tr>
+  <ti>Document the toolchain feature set</ti>
+  <ti />
+  <ti><var>In progress</var></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>Describe the grSecurity RBAC system</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <th colspan="5">Kernel development and maintenance</th>
+</tr>
+<tr>
+  <ti>Release hardened-sources-2.6.37</ti>
+  <ti />
+  <ti><keyword>Done</keyword></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+</table>
+
+<!-- @HERE -->
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Short-Term Goals</title>
 <section>
 <title>Access Control Systems</title>
 <body>
@@ -132,115 +485,8 @@ contact us.
 </chapter>
 
 <chapter>
-<title>Long-Term Goals</title>
-<section>
-<title>Documentation</title>
-<body>
-
-<p>
-The Hardened Gentoo Project is currently very lacking in documentation. The
-hardened toolchain needs to be documented fully, and older documents that have a
-relationship to the  toolchain need to be updated, such as the SSP, PIE, and PIC
-documents. Also, comparative documents should be written to explain the choices
-that Hardened Gentoo has made in deciding which security tools to support and
-which not to support.
-</p>
-
-</body>
-</section>
-
-<section>
-<title>Support More Architectures</title>
-<body>
-
-<p>
-A long-term goal of the Hardened Gentoo Project is to support all of the
-architectures that are officially supported by Gentoo. The only strong support
-that exists at the moment is for  x86 and amd64.
-</p>
-
-<p>
-The hardened toolchain supports x86, amd64, ppc, ppc64, arm, ia64 and would like
-to extend support to sparc and similar architectures. With access to different
-kinds of hardware,  hardened support can slowly be extended to those
-architectures as well.
-</p>
-
-</body>
-</section>
-
-<section>
-<title>Expand the Hardened Team</title>
-<body>
-
-<p>
-There will always be unfinished tasks for the Hardened Team. Users who take a
-proactive approach to finding places for improvement and filling in the holes
-will be noticed and probably recruited. Current Hardened Team members will be
-responsible for training new developers to fill new roles. If you are interested
-in helping out, stop by the IRC channel and let someone know what you are
-interested in and what you will be doing about it.
-</p>
-
-<p>
-Input/peer review should always be welcome as it helps everyone out in the long
-run.
-</p>
-
-
-</body>
-</section>
-</chapter>
-
-<chapter>
 <title>Roadmap Tracking</title>
 <section>
-<title>Hardened Toolchain</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>x86 Support</ti><ti>zorry</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>amd64 Support</ti><ti>zorry</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>sparc32 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>sparc64 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>ppc Support</ti><ti>nixnut,zorry,blueness</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>ppc64 Support</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>s390 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>hppa Support</ti><ti></ti><ti>Not supported</ti>
-  </tr>
-  <tr>
-    <ti>arm Support</ti><ti>blueness</ti><ti>In progress</ti>
-  </tr>
-  <tr>
-    <ti>mips Support</ti><ti>blueness</ti><ti>In progress</ti>
-  </tr>
-  <tr>
-    <ti>ia64 Support</ti><ti>zorry,blueness</ti><ti>Complete</ti>
-  </tr>
-</table>
-
-</body>
-</section>
-
-<section>
 <title>Hardened GCC</title>
 <body>
 
@@ -266,27 +512,6 @@ run.
 </section>
 
 <section>
-<title>Hardened Toolchain</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>Document the feature set</ti><ti>none</ti><ti>In Progress</ti>
-  </tr>
-  <tr>
-    <ti>Describe the RBAC system</ti><ti>none</ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Release hardened-sources-2.6.37</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-</table>
-
-</body>
-</section>
-<section>
 <title>Hardened Sources</title>
 <body>
 
@@ -383,31 +608,6 @@ run.
 </body>
 </section>
 
-<section>
-<title>Documentation</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>Comparative analysis of security approaches taken by distributions.</ti>
-    <ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Rework Grsecurity Documentation</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Update/Rewrite Propolice Documentation</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Document the Hardened Toolchain</ti><ti>zorry</ti><ti>In Progress</ti>
-  </tr>
-</table>
-
-</body>
-</section>
 </chapter>
 
 </guide>