From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-security+bounces-844-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1JSP13-0003qA-R3
	for garchives@archives.gentoo.org; Fri, 22 Feb 2008 03:56:06 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id E83EEE04B7;
	Fri, 22 Feb 2008 03:55:19 +0000 (UTC)
Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.230])
	by pigeon.gentoo.org (Postfix) with ESMTP id 3BEE7E04B6
	for <gentoo-security@lists.gentoo.org>; Fri, 22 Feb 2008 03:55:19 +0000 (UTC)
Received: by wr-out-0506.google.com with SMTP id 58so435384wri.10
        for <gentoo-security@lists.gentoo.org>; Thu, 21 Feb 2008 19:55:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
        bh=ww5Y21ZI1miYzzfZUpqTsp9FkRVM7OewsQ2zrGbjwMY=;
        b=gPqUTbXG2RAjrbG23YLSwYCdKcjzTwHtIc6dTee8x3gCOBzkl5eLZ804nqxzAG0hgCES9cC1ZIPzphexphdKrlitpgSgIv7p/iBbZjBf/NRnUGiP0jzb48vkOKtC2YYm7oW3GOgvQZUdlkRqEOIcWqlED/HzdZ8OnU8hRMckcKM=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
        b=ZroyiRCPLqznKW9km+f6paFleQZzrEj9DnEakS4ZRv5+HZz+2JjXswUE2rtiTnD9X2UQPpW3+A/03PgxuDTOGA2cRHgHeru4CzJleuYhvgFvi10BOFFugDF+cyng9z/hKlbAWeKxEIjFgNv6UonRGXiD7j3aapdt8Z5ukCY9/gc=
Received: by 10.141.169.9 with SMTP id w9mr7298177rvo.241.1203652517888;
        Thu, 21 Feb 2008 19:55:17 -0800 (PST)
Received: by 10.141.114.9 with HTTP; Thu, 21 Feb 2008 19:55:17 -0800 (PST)
Message-ID: <fb3727060802211955j54f27760g1ae36c7510f6ebb1@mail.gmail.com>
Date: Thu, 21 Feb 2008 22:55:17 -0500
From: "Casey Link" <unnamedrambler@gmail.com>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Kernel Security + KISS
In-Reply-To: <b18fbe3c0802211826k7fc21d09gf78e6c9be188ad0c@mail.gmail.com>
Precedence: bulk
List-Post: <mailto:gentoo-security@lists.gentoo.org>
List-Help: <mailto:gentoo-security+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-security+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-security+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
X-BeenThere: gentoo-security@lists.gentoo.org
Reply-to: gentoo-security@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <fb3727060802161457x30472ff2v970bd41902bc8de2@mail.gmail.com>
	 <20080221070213.GA6385@quasar.las>
	 <83c2b2e00802210114q1d5beba5gcaa478df808020d6@mail.gmail.com>
	 <47BD458E.3010906@gmail.com>
	 <2d11f51c0802210509w770934c1wf52e3d6ce5d1d3a7@mail.gmail.com>
	 <fb3727060802210535k4c91812bt48fa90a539059a88@mail.gmail.com>
	 <b18fbe3c0802210552y36ddf585w14d53b5c6bc21362@mail.gmail.com>
	 <47BDA52A.2040305@gmail.com> <47BDD0CF.7030100@gmail.com>
	 <b18fbe3c0802211826k7fc21d09gf78e6c9be188ad0c@mail.gmail.com>
X-Archives-Salt: 11ee8714-d2ac-4527-9e0a-1b66c75174e6
X-Archives-Hash: 932172dc667214da355e044c5aa8152e

Here are some day to day duties that will be need to get done.This
isn't exhaustive just the results of a few minutes of brainstorming:

* Stalking the places vulnerabilities are announced (CVE, mailing
lists, etc) to create the relevant bug.
* Determine which upstream (kernel.org) version has the fix and make
the whiteboard entry in bugzilla.
* Determine which sources are affected
* Nag kernel maintainers to patch their sources
* Find patches and discussion to link to the kernel maintainers to
ease their patching (and ideally encourage them to patch faster)
* As sources are patched update the whiteboard
* Release glsas of unaffected packages (?)

Some framework and specification needs to be laid, but that is a
general outline of the process I think. None of those duties require
programming experience at all. Of course crafting patches to send to
the kernel maintainers would be another helpful thing to do. Ideally
this would be made pretty simple with some nifty tools, however
manpower is going to be required regardless.

There are still the glaring issues of (1) the best way to notify users
of vulnerabilities, and (2) how to enforce rapid-ish response by
kernel maintainers. I think the best way to approach (2) is to be
amicable towards the maintainers. Point them in the right direction,
send them patches, etc., rather than spamming "OMG! Patch
foo-sources!" every day. Maybe we could give them candy or something.

Casey


On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@gmail.com> wrote:
> Yes. We should each have assigned tasks which will depend on our
>  respective skill and trait.
>
>   --  ed*eonsec
>
>
>
>  On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@gmail.com> wrote:
>  > George Prowse wrote:
>  >  > Eduardo Tongson wrote:
>  >  >> Nice plan. I think you are more able to lead. Can we communicate more
>  >  >> in email perhaps a google group or list. IRC is not efficient for
>  >  >> people in different timezones.
>  >  >>
>  >  >>   --  ed*eonsec
>  >  >>
>  >  > I agree, a list or group would be better at pooling the people at your
>  >  > disposal
>  >
>  >  I also think it would be a good idea to set up some requirements profile
>  >  so people can identify them self in some kind of matrix ?
>  >
>  >  I basically volunteer but not sure what use I could be with a background
>  >  as an ISO, limited time and basic C knowledge.
>  >
>  >  --doppelgaenger
>  >
>  >
>  > --
>  >  gentoo-security@lists.gentoo.org mailing list
>  >
>  >
>  --
>  gentoo-security@lists.gentoo.org mailing list
>
>
-- 
gentoo-security@lists.gentoo.org mailing list