From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Casey Link"
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Thu, 21 Feb 2008 22:55:17 -0500
Here are some day to day duties that will need to get done. This isn't exhaustive, just the results of a few minutes of brainstorming:

* Stalking the places vulnerabilities are announced (CVE, mailing lists, etc.) to create the relevant bug.
* Determine which upstream (kernel.org) version has the fix and make the whiteboard entry in bugzilla.
* Determine which sources are affected.
* Nag kernel maintainers to patch their sources.
* Find patches and discussion to link to the kernel maintainers to ease their patching (and ideally encourage them to patch faster).
* As sources are patched, update the whiteboard.
* Release GLSAs of unaffected packages (?)

Some framework and specification needs to be laid, but that is a general outline of the process, I think. None of those duties require programming experience at all. Of course, crafting patches to send to the kernel maintainers would be another helpful thing to do. Ideally this would be made pretty simple with some nifty tools; however, manpower is going to be required regardless.

There are still the glaring issues of (1) the best way to notify users of vulnerabilities, and (2) how to enforce rapid-ish response by kernel maintainers. I think the best way to approach (2) is to be amicable towards the maintainers. Point them in the right direction, send them patches, etc., rather than spamming "OMG! Patch foo-sources!" every day.
Maybe we could give them candy or something.

Casey

On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson wrote:
> Yes. We should each have assigned tasks which will depend on our
> respective skill and trait.
>
> -- ed*eonsec
>
> On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger wrote:
> > George Prowse wrote:
> > > Eduardo Tongson wrote:
> > >> Nice plan. I think you are more able to lead. Can we communicate more
> > >> in email, perhaps a google group or list? IRC is not efficient for
> > >> people in different timezones.
> > >>
> > >> -- ed*eonsec
> > >>
> > > I agree, a list or group would be better at pooling the people at your
> > > disposal.
> >
> > I also think it would be a good idea to set up some requirements profile
> > so people can identify themselves in some kind of matrix?
> >
> > I basically volunteer but not sure what use I could be with a background
> > as an ISO, limited time and basic C knowledge.
> >
> > --doppelgaenger

--
gentoo-security@lists.gentoo.org mailing list