Mailing List Archive

Security Project goals for 2005
Here are the proposed objectives for the Security Project in 2005 :

- Recruit new team members
It's very important to increase the size of our team, to ensure
that Gentoo will keep offering the same high level of security watch at
all times, to better spread the load and to allow team members to take
other tasks in the Gentoo project.

- Put new procedures in place to ensure kernel security
We will create a new kernel security subproject and a new kernel
security announcements system, to give our users live information on the
security vulnerabilities their kernels are exposed to and allow them to
plan kernel updates.

- Improve auditing
Put together a bigger team of auditors to find and report new
vulnerabilities in packages present in Portage.

- Get official CVE compatibility
Complete all steps required to get official MITRE CVE compatibility
certification.

--
Thierry Carrez (Koon)
Operational Manager, Gentoo Linux Security
RE: Security Project goals for 2005 [ In reply to ]
How about a central repository for kernel security patches? For the utmost security, I always build my own kernel sources, but it's a lot of work having to go to so many sites collecting the various patches.

Vern
--
gentoo-security@gentoo.org mailing list
RE: Security Project goals for 2005 [ In reply to ]
On 16 Jan, in message <F62740B0EFCFC74AA6DCF52CD746242D010337CA@iu-mssg-mbx05.exchange.iu.edu>
"Wilkins, Vern" <vwilkins@indiana.edu> wrote:

>How about a central repository for kernel security patches? For the utmost security, I always build my own kernel sources, but it's a lot of work having to go to so many sites collecting the various patches.

Isn't this covered by the hardened gentoo stuff?

I think the aim of the kernel security subproject was to limit it to
kernel security fixes, rather than also incorporate the other kernel
patches that can also be included.

As I see it, it would be nice if there was a single (sub)project that
took the source code for the latest stable kernel (2.4.x) + any official
fixes/patches for exploits + the slightly less official/optional patches
for increased security/hardening and allowed the sys admin to build
their own kernel with their own options.
It may exist, but I last ran Gentoo last weekend (I'm experimenting
with various Linux distros and it's Debian Testing ATM), so I can't
tell.

Yours,

Phil L.
--
http://philipnet.com | http://director.sf.net | http://sms2003.com/philipnet/


--
gentoo-security@gentoo.org mailing list
RE: Security Project goals for 2005 [ In reply to ]
Usually I'm ahead of the hardened-dev-sources. With the most recent grsecurity patch, I was testing it on my custom 2.6.10 sources the day it came out. The updated hardened-dev-sources came out days later. That's still very good, and more than adequate for most people, but when it comes to security, if I can do it sooner, I do.

I also have not been entirely satisfied with the documentation of many patched sources. For some sources there is a web page that tells what patches were applied, but I have had a very difficult time finding those pages on occasion, and they are often not kept up to date. I don't know why the patch list is not linked from the kernel-guide documentation. The general response I have gotten is to look at the changelog. That's not sufficient. The changelog is chronological, and it doesn't make sense to have to look through a huge list of changes over several months or years, to see what patches are in the current kernel. Also, they do not necessarily list things like the specific version of a patch. I've often seen something like "updated for 2.6.10", in the changelog. That doesn't tell me anything about what was actually done. When security is a concern, I think the utmost transparency is required, and that's often not the case with the patched sources I have seen.

Additionally, hardened-dev-sources pretty much only has security patches and nothing more. If there are numerous patches I need in addition to those, I'd rather just start from scratch.

Although I think general patches like grsecurity should be part of the kernel security sub-project, what I really meant as far as a central repository for security patches is stuff like the smbfs security fix that was released a while back. Every vendor had patched kernels very quickly, and many Gentoo supported sources had it quickly, but to me, if I had just been able to emerge the patch and apply it myself, it would have been much quicker. When you are talking about numerous patches, not just one, that becomes more of an issue.

What you mention in the last paragraph is pretty much what I'm looking for, having the patches there and being able to choose which ones go into the kernel I build. It should take less time to get a new patch up than it does to incorporate it into a kernel, and then it can be left up to the user to get it in if they can do it sooner. I think the idea of being able to build the kernel with the exact patches you want, fits in very well with the whole Gentoo philosophy, and would be preferred to having to just download the vanilla sources and spend a great deal of time searching for all the various patches one wants to apply.

Vern

-----Original Message-----
From: Philip Ludlam [mailto:nospam@philipnet.com]
Sent: Sun 1/16/2005 2:35 PM
To: gentoo-security@lists.gentoo.org
Cc:
Subject: RE: [gentoo-security] Security Project goals for 2005
On 16 Jan, in message <F62740B0EFCFC74AA6DCF52CD746242D010337CA@iu-mssg-mbx05.exchange.iu.edu>
"Wilkins, Vern" <vwilkins@indiana.edu> wrote:

>How about a central repository for kernel security patches? For the utmost security, I always build my own kernel sources, but it's a lot of work having to go to so many sites collecting the various patches.

Isn't this covered by the hardened gentoo stuff?

I think the aim of the kernel security subproject was to limit it to
kernel security fixes, rather than also incorporate the other kernel
patches that can also be included.

As I see it, it would be nice if there was a single (sub)project that
took the source code for the latest stable kernel (2.4.x) + any official
fixes/patches for exploits + the slightly less official/optional patches
for increased security/hardening and allowed the sys admin to build
their own kernel with their own options.
It may exist, but I last ran Gentoo last weekend (I'm experimenting
with various Linux distros and it's Debian Testing ATM), so I can't
tell.

Yours,

Phil L.
--
http://philipnet.com | http://director.sf.net | http://sms2003.com/philipnet/


--
gentoo-security@gentoo.org mailing list
--
gentoo-security@gentoo.org mailing list
Re: Security Project goals for 2005 [ In reply to ]
On Sunday 16 January 2005 12.13, Thierry Carrez wrote:
> Here are the proposed objectives for the Security Project in 2005 :
>
> - Recruit new team members
> It's very important to increase the size of our team, to ensure
> that Gentoo will keep offering the same high level of security watch at
> all times, to better spread the load and to allow team members to take
> other tasks in the Gentoo project.
>
> - Put new procedures in place to ensure kernel security
> We will create a new kernel security subproject and a new kernel
> security announcements system, to give our users live information on the
> security vulnerabilities their kernels are exposed to and allow them to
> plan kernel updates.
>
> - Improve auditing
> Put together a bigger team of auditors to find and report new
> vulnerabilities in packages present in Portage.
>
> - Get official CVE compatibility
> Complete all steps required to get official MITRE CVE compatibility
> certification.

This sounds absolutely great, especially in view of the recent discussions on
this list. Thanks for the enormous effort you're all putting into Gentoo
Linux!

/Johan

--
gentoo-security@gentoo.org mailing list
Re: Security Project goals for 2005 [ In reply to ]
I'm interested in a job as maybe a new team member, maybe a trial period.

On Mon, 17 Jan 2005 21:16:57 +0100
Johan Ekenberg <johan@ekenberg.se> wrote:

> On Sunday 16 January 2005 12.13, Thierry Carrez wrote:
> > Here are the proposed objectives for the Security Project in 2005 :
> >
> > - Recruit new team members
> > It's very important to increase the size of our team, to ensure
> > that Gentoo will keep offering the same high level of security watch at
> > all times, to better spread the load and to allow team members to take
> > other tasks in the Gentoo project.
> >
> > - Put new procedures in place to ensure kernel security
> > We will create a new kernel security subproject and a new kernel
> > security announcements system, to give our users live information on the
> > security vulnerabilities their kernels are exposed to and allow them to
> > plan kernel updates.
> >
> > - Improve auditing
> > Put together a bigger team of auditors to find and report new
> > vulnerabilities in packages present in Portage.
> >
> > - Get official CVE compatibility
> > Complete all steps required to get official MITRE CVE compatibility
> > certification.
>
> This sounds absolutely great, especially in view of the recent discussions on
> this list. Thanks for the enormous effort you're all putting into Gentoo
> Linux!
>
> /Johan
>
> --
> gentoo-security@gentoo.org mailing list
--
Philippe Delodder
Student, Applied Computer Science, 2nd year
gpg-ID : E06A7CBE

--
gentoo-security@gentoo.org mailing list