Security team meeting summary
This is the summary of the IRC meeting the Gentoo Linux Security Team had on
Monday, March 20, 20:00 UTC in #gentoo-security (freenode).
A raw IRC log of the meeting can be found here:
http://dev.gentoo.org/~dercorny/security/sec-meeting-20060320.log


Agenda was:
-----------

1/ Project status
a) GLSA team status
b) Kernel team status
c) Audit team status

2/ Improvements areas
a) Maintainers involvement
b) Recruitment
c) Portage integration
d) Other process or policy improvements

3/ Lead(s) election

4/ Public Q&A



1/ Project status:
------------------

a) GLSA team status

The number of late GLSAs (meaning GLSAs not delivered within the timeframe given
by the policy) increased drastically, by almost 50% [1]. Two main causes have
been identified:
- The GLSA team is operating close to or below the critical mass of GLSA
coordinators, which causes delays in certain areas like GLSA voting, drafting
and reviewing.
- Package maintainer security awareness is poor: sometimes maintainers don't
care about security, don't fix bugs in time, don't respond or are completely
missing. This causes huge delays in GLSA processing.
Possible ways to resolve these issues are discussed under "Improvement areas".

[1] http://dev.gentoo.org/~koon/arch_ratings.png


b) Kernel team status

Just like the GLSA team, the kernel team lacks the manpower needed to operate
as intended. As a result, the KISS project (a system designed to release kernel
security advisories), originally expected to go live in 2005, still isn't ready
for production use, since the manpower to keep it fully updated is lacking.
Although KISS is closely tied to the kernel work, a scout and a coordinator, who
help with finding and handling kernel bugs, are needed to fully implement it.
Besides that, a draft of the kernel security policy [2] has been presented,
which is expected to reduce the workload of the kernel team while improving
general end-user kernel security awareness.

[2] http://dev.gentoo.org/~johnm/files/kernel-security-policy.txt


c) Audit team status

The overall status of the audit team isn't too bad. Although the majority of the
audit team is quite busy with non-Gentoo work or inactive, a good number of
high-profile security vulnerabilities were discovered. New developers and better
coordination within the team could help to improve the speed of the audit
project, so that bugs get dealt with faster.




2/ Improvement areas:
---------------------

a) Maintainers involvement

Increasing the security awareness of maintainers is vital to the success of the
Gentoo Linux Security Team. Unfortunately, missing or inactive maintainers are a
general Gentoo problem. The security team can't deal with that alone because it
has no means to sanction bad maintainers, so this has to be brought to the
Gentoo council. A strong QA team could improve the situation by cleaning out
unmaintained packages or taking over if a maintainer doesn't reply in a timely
manner, but this will require changes to the QA policy which are still being
discussed.


b) Recruitment

As mentioned in the status reports above, every team badly needs more
developers. Since a lot of recruits drop out during recruitment or vanish after
becoming a new developer, it was decided to rethink the recruitment process.
The Security Team will now start to actively look for new members, for example
by writing an article in the GWN. Recruits should also get more attention from
senior developers, so that they feel involved and learn faster. The progress of
the recruits should be followed closely, so that they can be promoted according
to their skills; additionally, more documentation will be written, for example
about GLSAmaker.


c) Portage integration

A goal of the security project is to integrate glsa-check and other useful
security-related tools into portage. glsa-check has seen a lot of improvements
recently, but unfortunately the portage code is considered not yet ready for
glsa-check integration. Until this changes, portage 2.1 is expected to bring
some new and interesting features from a security point of view, like
security.mask or running glsa-check in a post_sync hook.


d) Other process or policy improvements

Nothing special to mention here.




3/ Lead(s) election:
--------------------

- Koon (Thierry Carrez) stepped back from operational lead
- Plasmaroo (Tim Yamin) is the old and new kernel subproject leader
- Taviso (Tavis Ormandy) is the old and new auditing subproject leader
- Jaervosz (Sune Kloppenborg Jeppesen) is the old and new operational lead
- DerCorny (Stefan Cornelius) is the new operational lead



4/ Public Q&A:
--------------

Nothing special to mention here either. The Gentoo Linux Security Team is always
open to new ideas or questions. Write an email to security@gentoo.org or visit
us on IRC, #gentoo-security on the freenode network.


EOF

--
gentoo-security@gentoo.org mailing list