From: Stefan Cornelius
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Security team meeting summary
Date: Wed, 22 Mar 2006 16:29:44 +0100
Message-Id: <1143041385.18250.4.camel@localhost>

This is the summary of the IRC meeting the Gentoo Linux Security Team had on Monday, March 20, 20:00 UTC in #gentoo-security (freenode).

A raw IRC log of the meeting can be found here:
http://dev.gentoo.org/~dercorny/security/sec-meeting-20060320.log

Agenda was:
-----------
1/ Project status
   a) GLSA team status
   b) Kernel team status
   c) Audit team status
2/ Improvement areas
   a) Maintainers involvement
   b) Recruitment
   c) Portage integration
   d) Other process or policy improvements
3/ Lead(s) election
4/ Public Q&A

1/ Project status:
------------------

a) GLSA team status

The number of late GLSAs (meaning GLSAs not delivered within the timeframe given by the policy) drastically increased, by almost 50% [1]. Two main causes have been identified:

- The GLSA team is operating close to or below the critical mass of GLSA coordinators, which causes delays in certain areas like GLSA voting, drafting and reviewing.
- Package maintainer security awareness is bad: sometimes maintainers don't care about security, don't fix bugs in time, don't respond or are completely missing. This causes huge delays in GLSA processing.

Possible methods to resolve these issues are discussed in "Improvement areas".

[1] http://dev.gentoo.org/~koon/arch_ratings.png

b) Kernel team status

Just like the GLSA team, the kernel team lacks the manpower needed to operate as wished. As a result, the KISS project (a system designed to release kernel security advisories), originally planned to go live by 2005, still isn't ready for production use, since the manpower to keep it fully updated is lacking. Although KISS is closely tied to the kernel work, a scout and a coordinator, who help with finding and handling kernel bugs, are needed to fully implement it.

Besides that, a draft of the kernel security policy [2] has been presented, which is expected to reduce the workload for the kernel team while improving general end-user kernel security awareness.

[2] http://dev.gentoo.org/~johnm/files/kernel-security-policy.txt

c) Audit team status

The overall status of the audit team isn't too bad. Although the majority of the audit team is quite busy with non-Gentoo work or inactive, a nice list of high-profile security vulnerabilities was discovered. New developers and better coordination within the team could help to improve the speed of the audit project, so that bugs get dealt with faster.

2/ Improvement areas:
---------------------

a) Maintainers involvement

Increasing the security awareness of maintainers is vital to the success of the Gentoo Linux Security Team. Unfortunately, missing or inactive maintainers are a general Gentoo problem. The security team can't deal with that alone because it has no means to punish bad maintainers, so this has to be brought to the Gentoo council. A powerful QA team could improve the situation by cleaning out unmaintained packages or taking over if a maintainer doesn't reply in a timely manner, but this will require changes to the QA policy, which are still being discussed.

b) Recruitment

As mentioned in the status reports above, every team badly needs more developers. Since a lot of recruits drop out during recruitment or vanish after becoming a new developer, it was decided to rethink the recruitment process. The Security Team will now start to actively look for new members, for example by writing an article in the GWN. Recruits should also get more attention from senior developers, so that they feel involved and learn faster. The progress of recruits should be followed closely, so that they can be promoted appropriately to their skills. Additionally, more documentation will be written, for example about GLSAmaker.

c) Portage integration

A goal of the security project is to integrate glsa-check and other useful security-related tools into portage. glsa-check has had a lot of improvements recently, but unfortunately the portage code is considered not yet ready for glsa-check integration. Until this changes, portage 2.1 is expected to bring some new and interesting features from a security point of view, like security.mask or running glsa-check in a post_sync.

d) Other process or policy improvements

Nothing special to mention here.

3/ Lead(s) election:
--------------------

- Koon (Thierry Carrez) stepped back from operational lead
- Plasmaroo (Tim Yamin) is old and new kernel subproject leader
- Taviso (Tavis Ormandy) is old and new auditing subproject leader
- Jaervosz (Sune Kloppenborg Jeppesen) is old and new operational lead
- DerCorny (Stefan Cornelius) is new operational lead

4/ Public Q&A:
--------------

Nothing special to mention here either.

The Gentoo Linux Security team is always open to new ideas or questions. Write an email to security@gentoo.org or visit us on IRC, #gentoo-security on the freenode network.

EOF

-- 
gentoo-dev@gentoo.org mailing list