From: "Casey Link"
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Thu, 21 Feb 2008 08:35:39 -0500
A couple days ago I discussed (in #gentoo-security) with Robert (rbu@g.o) a solution to the Kernel security issue. Robert has a good plan to keep the bugzilla data in bugzilla, that is, don't take away the essentials from bugzilla. And that is by implementing a tagging system for each bug. In the whiteboard field for each bug could go something like so (this is taken from our IRC convo):

[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]

Which would translate as: kernel.org upstream released 2.6.22 with a fix, genpatches released 2.6.20-3 with a fix, and xen-sources released 2.6.18-r2 with the patch applied.

A tool could then be written to parse the bugzilla entries and generate reports. Then when all the sources have been patched a GLSA can be released.

I like this idea because all the data stays in bugzilla, so you can go to bugzilla and get all the information you need about each bug.

I don't see why this tool cannot be available for users too, in the same form that KISS was. I came across these screenshots:

http://dev.gentoo.org/~dsd/misc/kiss1.jpg
http://dev.gentoo.org/~dsd/misc/kiss2.jpg

What if KISS was an external tool like shown in those pictures, but parsed the bugzilla entries and generated reports like I talked about above?

Robert's whiteboard tagging system is a great one, but the system needs a way to view the status of all the sources together and individually, similarly to what is shown in those screenshots. And why not make this a website? A single GLSA could still be released per bug once all sources had been patched, but KISS could be a place for users to go (if they feel so inclined) to get an overall and granular status report of the various sources in portage.

Perhaps KISS could offer an email notification option. A user could "subscribe" to several sources and be notified about their security status. The user could even specify what sort of information he wanted: vulnerability report, severity levels, patches released, etc.

Those are just some thoughts I had. I already tossed my hat in, but I've got medium C experience, I am pretty experienced with hosting setups, and simple web development (PHP mainly). I would be willing to work on something like I described above: bugzilla parsing, a nice Web display, etc.

Casey

On Thu, Feb 21, 2008 at 8:09 AM, Robert Joslyn wrote:
> I would like to help as well. I have limited C experience unfortunately,
> and most of that is programming PIC microcontrollers. Been using Gentoo for
> years, and would love to give something back.
>
> Robert
>
> On Thu, Feb 21, 2008 at 4:34 AM, George Prowse wrote:
> > I'm interested, no C knowledge but plenty of time, passed the dev exam
> > and a willingness to learn. It's been on my agenda for a long time.
> >
> > nick loeve wrote:
> > > I can help also... i have limited free time but am willing to put in
> > > some hours...
> > >
> > > I have medium C knowledge, reasonable kernel experience, and also a
> > > strong linux background
> > >
> > > On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro wrote:
> > >> I'm interested... little C knowledge, very curious about kernel, strong
> > >> linux background...
> > >>
> > >> is there another prereq to join this?
> > >>
> > >> On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
> > >> > I am interested too :)
> > >> >
> > >> > No C knowledge but strong linux background and very organized guy.
> > >> >
> > >> > On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
> > >> > > It would probably help if we knew how many people were interested.
> > >> > >
> > >> > > I am. +1
> > >> > >
> > >> > > Casey
> > >> > >
> > >> > > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson wrote:
> > >> > > > Alright how do we proceed to get this team started.
> > >> > > >
> > >> > > > ed*eonsec
> > >> > > >
> > >> > > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd wrote:
> > >> > > > >
> > >> > > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> > >> > > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > >> > > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > >> > > > > > > > What specific kernel knowledge is needed to get a Kernel advisory up
> > >> > > > > > > > and running ?
> > >> > > > > > >
> > >> > > > > > > Between becoming aware of a vulnerability in Linux and drafting an advisory
> > >> > > > > > > for one or all kernel sources comes the part where you review which
> > >> > > > > > > versions of which kernel sources are affected and unaffected. You also
> > >> > > > > > > need to pay attention to specifics of the added patchsets, which might
> > >> > > > > > > duplicate vulnerabilities.
> > >> > > > > > >
> > >> > > > > > > Parts of the job can indeed be done without Kernel and C knowledge, but
> > >> > > > > > > some cannot. So if we draft a new kernel security *team*, people without C
> > >> > > > > > > and kernel knowledge are helpful -- some others need to have it, though.
> > >> > > > > > >
> > >> > > > > > > Robert
> > >> > > > > >
> > >> > > > > > To be honest, 99% of what is done in the kernel security team can be done with
> > >> > > > > > no C knowledge at all.
> > >> > > > > >
> > >> > > > > > I'm not an expert C person - far from it - but I eventually became the head of
> > >> > > > > > Kernel Security until I retired a few months ago.
> > >> > > > > >
> > >> > > > > > Most of it is bug handling. The major problem is a social, not a technical
> > >> > > > > > one. Because of the manner in which our kernels are organized, a single
> > >> > > > > > vulnerability involves checking upstream version numbers, coordinating them
> > >> > > > > > into our downstream version numbers for all sources, checking to see if the
> > >> > > > > > sources are affected, figuring out who to CC for the bugs, then harassing
> > >> > > > > > them until they do it.
> > >> > > > > >
> > >> > > > > > Unlike other security sources, any attempt to hardmask the package is shut down
> > >> > > > > > instantly. The chaos that would result from a kernel hardmask, even one of
> > >> > > > > > the lesser used ones, caused me to only successfully order one over my entire
> > >> > > > > > career in Gentoo Kernsec... even though around 30 more would have been
> > >> > > > > > needed. It is not infrequent that bugs will last six months without any
> > >> > > > > > action coming about them, and users are blissfully unaware.
> > >> > > > > >
> > >> > > > > > I am happy to give my input as the former head of Kernel Security, but it is
> > >> > > > > > my personal opinion that any advances in kernel security will require the
> > >> > > > > > full cooperation of security, and letting the head of kernel security be able
> > >> > > > > > to actually enforce threats, as that seems to be the only way bugs ever get
> > >> > > > > > resolved. Pleading didn't work - I tried.
> > >> > > > > >
> > >> > > > > > -Harlan Lieberman-Berg
> > >> > > > > > Gentoo Developer Emeritus
> > >> > > > >
> > >> > > > > Every word of what you said is painfully true. The only way to
> > >> > > > > accomplish this would be with an Iron Fist(fail) or a team of ~15 guys
> > >> > > > > who do nothing but patch and push new kernels and the PR that goes along
> > >> > > > > with them every few days.
> > >> > > > > --
> > >> > > > > Ned Ludd
> > >>
> > >> --
> > >> Arthur Bispo de Castro
> > >> Laboratório de Administração e Segurança (LAS/IC)
> > >> Universidade Estadual de Campinas (UNICAMP)
>
--
gentoo-security@lists.gentoo.org mailing list
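A worked example, added here and not part of the thread or of any Gentoo tooling: a parser for the whiteboard tag format proposed in the message above, plus the comparison and the "all sources patched" gate that a KISS-style report tool would need. It assumes the tag syntax shown in the mail ("[source < fixed-version]"), that versions look like 2.6.22, 2.6.20-3 or 2.6.18-r2 (a dotted numeric part plus an optional -N or -rN revision), and it runs on constructed sample data: the bug ids and the versions "in the tree" are made up for the demonstration.

```python
# Added example (not code from the thread or from Gentoo): parse the bugzilla
# whiteboard tags proposed in the mail and produce the per-source status a
# KISS-style report would show. Assumptions: tags have the form
# "[source < fixed-version]" and versions look like 2.6.22, 2.6.20-3
# (genpatches) or 2.6.18-r2 (ebuild revision); other shapes such as _rc
# suffixes are out of scope for this demo.
import re
from typing import Dict, List, Tuple

TAG_RE = re.compile(r"\[\s*([A-Za-z0-9_.+-]+)\s*<\s*([0-9][0-9A-Za-z._-]*)\s*\]")


def parse_whiteboard(whiteboard: str) -> Dict[str, str]:
    """'[linux < 2.6.22] [genpatches < 2.6.20-3]' -> {'linux': '2.6.22', ...}.
    A tag "[src < V]" means: versions of src below V are affected."""
    return {source: fixed for source, fixed in TAG_RE.findall(whiteboard)}


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key: dotted numeric part, then the trailing -N or -rN revision.
    A version with no revision sorts below the same version with one."""
    main, _, rev = version.partition("-")
    numbers = tuple(int(p) for p in main.split("."))
    revision = int(rev.lstrip("r")) if rev else 0
    return numbers, revision


def status(whiteboard: str, versions: Dict[str, str]) -> Dict[str, str]:
    """For each source tagged on the bug, compare the version in the tree
    (or installed) against the fixed version from the tag."""
    result: Dict[str, str] = {}
    for source, fixed in parse_whiteboard(whiteboard).items():
        have = versions.get(source)
        if have is None:
            result[source] = "unknown"        # source not tracked locally
        elif version_key(have) < version_key(fixed):
            result[source] = "vulnerable"     # still below the fixed version
        else:
            result[source] = "fixed"
    return result


def glsa_ready(whiteboard: str, versions: Dict[str, str]) -> bool:
    """Gate from the thread: a GLSA goes out once every tagged source is fixed."""
    return all(s == "fixed" for s in status(whiteboard, versions).values())


def per_source_report(bugs: Dict[str, str], versions: Dict[str, str]) -> Dict[str, List[str]]:
    """KISS-style view: for each source, the bugs that still affect it."""
    open_bugs: Dict[str, List[str]] = {source: [] for source in versions}
    for bug, whiteboard in bugs.items():
        for source, state in status(whiteboard, versions).items():
            if state != "fixed":
                open_bugs.setdefault(source, []).append(bug)
    return open_bugs


# Constructed sample data: the whiteboard line from the mail plus a second,
# made-up bug; the bug ids and the versions "in the tree" are invented.
SAMPLE_BUGS = {
    "bug-A": "[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]",
    "bug-B": "[linux < 2.6.21] [genpatches < 2.6.20-1]",
}
SAMPLE_VERSIONS = {"linux": "2.6.22", "genpatches": "2.6.20-2", "xen-sources": "2.6.18-r2"}

if __name__ == "__main__":
    for bug, whiteboard in SAMPLE_BUGS.items():
        print(bug, status(whiteboard, SAMPLE_VERSIONS),
              "GLSA ready:", glsa_ready(whiteboard, SAMPLE_VERSIONS))
    print(per_source_report(SAMPLE_BUGS, SAMPLE_VERSIONS))
```

With the sample data, bug-A reports genpatches as still vulnerable (2.6.20-2 is below the tagged 2.6.20-3) and so is not GLSA-ready, while bug-B is fixed for every tagged source. A real tool would fetch the whiteboard strings from bugzilla and the versions from the portage tree; the version comparison here is deliberately minimal and would need Gentoo's full version ordering for production use.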