A couple of days ago I discussed (in #gentoo-security) with Robert
(rbu@g.o) a solution
to the Kernel security issue. Robert has a good plan to keep the
bugzilla data in bugzilla, that is, don't take away the essentials
from bugzilla. And that is by implementing a tagging system for each
bug. In the whiteboard field for each bug could go something like so
(this is taken from our IRC convo):
[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]
Which would translate as kernel.org upstream released 2.6.22 with a
fix, genpatches released 2.6.20-3 with a fix, and xen-sources released
2.6.18-r2 with the patch applied.
A tool could then be written to parse the bugzilla entries and
generate reports. Then when all the sources have been patched a GLSA
can be released.
I like this idea because all the data stays in bugzilla, so you can go
to bugzilla and get all the information you need about each bug.
I don't see why this tool cannot be available for users too, in the
same form that KISS was. I came across these screenshots:
http://dev.gentoo.org/~dsd/misc/kiss1.jpg
http://dev.gentoo.org/~dsd/misc/kiss2.jpg
What if KISS was an external tool as shown in those pictures, but
parsed the bugzilla entries and generated reports like I talked about
above. Robert's whiteboard tagging system is a great one, but the
system needs a way to view the status of all the sources together and
individually, similar to what is shown in those screenshots... and why
not make this a website? A single GLSA could still be released per bug
once all sources had been patched, but KISS could be a place for users
to go (if they feel so inclined) to get an overall and granular status
report of the various sources in portage.
Perhaps KISS could offer an email notification option. A user could
"subscribe" to several sources and be notified about their security
status. The user could even specify what sort of information he
wanted: vulnerability report, severity levels, patches released, etc.
Those are just some thoughts I had. I already tossed my hat in but
I've got medium C experience, and I am pretty experienced with hosting
setups, and simple web development (PHP mainly). I would be willing to
work on something like I described above: bugzilla parsing, a nice
Web display, etc.
Casey
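To make the whiteboard-parsing tool proposed above concrete, here is an added example that is not code from this thread or from any Gentoo project. It parses whiteboard tags in the "[source < first-fixed-version]" form shown in the mail, compares them against the versions currently in portage, and produces the two things the mail asks for: a per-source status view in the spirit of the KISS screenshots and the list of bugs whose every tagged source is fixed (the "GLSA can be released" condition). It is written in Python rather than the PHP mentioned in the mail. Assumptions: the bug ids and versions in SAMPLE_BUGS and SAMPLE_TREE are constructed, not real bugzilla data; versions are dotted integers with an optional "-N" patchset or "-rN" ebuild revision suffix, which is a simplification of real Gentoo version syntax; and a tag that does not parse is reported for human attention rather than silently dropped, so a bug with a malformed tag is never marked GLSA-ready.

```python
"""Parse kernel-security whiteboard tags and build a KISS-style status report.
Added example for the thread above, not project code. Tag format assumed:
"[source < first-fixed-version]"; sample data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FixTag:
    source: str     # kernel source / patchset name, e.g. "xen-sources"
    fixed_in: str   # first version that carries the fix


def version_key(ver):
    """Sort key for versions like 2.6.22, 2.6.20-3, 2.6.18-r2.
    Assumption: dotted integers plus an optional '-N' or '-rN' suffix.
    Raises ValueError on anything else so bad tags are not silently accepted."""
    main, _, suffix = ver.partition("-")
    parts = tuple(int(p) for p in main.split("."))
    rev = int(suffix.lstrip("r")) if suffix else 0
    return (parts, rev)


def is_affected(installed, fixed_in):
    """A version is affected if it sorts before the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


BRACKET_RE = re.compile(r"\[([^\]]*)\]")
TAG_RE = re.compile(r"([A-Za-z0-9_.+-]+)\s*<\s*(\S+)")


def parse_whiteboard(whiteboard):
    """Return (tags, malformed): each [..] group becomes a FixTag or is
    returned verbatim in `malformed` so a human can fix the whiteboard."""
    tags, malformed = [], []
    for m in BRACKET_RE.finditer(whiteboard):
        body = m.group(1).strip()
        tm = TAG_RE.fullmatch(body)
        if tm is None:
            malformed.append(body)
            continue
        source, fixed_in = tm.groups()
        try:
            version_key(fixed_in)
        except ValueError:
            malformed.append(body)
            continue
        tags.append(FixTag(source, fixed_in))
    return tags, malformed


def status_report(bugs, tree):
    """bugs: {bug id: whiteboard string}; tree: {source: version in portage}.
    Returns (per_source, glsa_ready, needs_attention):
      per_source      {source: {"open": [bug ids], "fixed": [bug ids]}}
      glsa_ready      bugs whose every tagged source is fixed in the tree
      needs_attention {bug id: [malformed tag bodies]}
    A bug with a malformed tag, no tags at all, or a tag for a source that is
    not in the tree is never reported as GLSA-ready."""
    per_source = {src: {"open": [], "fixed": []} for src in tree}
    glsa_ready, needs_attention = [], {}
    for bug_id, whiteboard in bugs.items():
        tags, malformed = parse_whiteboard(whiteboard)
        if malformed:
            needs_attention[bug_id] = malformed
        all_fixed = bool(tags) and not malformed
        for tag in tags:
            if tag.source not in tree:
                all_fixed = False        # nothing to compare against
                continue
            if is_affected(tree[tag.source], tag.fixed_in):
                per_source[tag.source]["open"].append(bug_id)
                all_fixed = False
            else:
                per_source[tag.source]["fixed"].append(bug_id)
        if all_fixed:
            glsa_ready.append(bug_id)
    return per_source, glsa_ready, needs_attention


# Constructed sample data: made-up bug ids and versions, not real bugzilla entries.
SAMPLE_BUGS = {
    "bug-A": "[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]",
    "bug-B": "[linux < 2.6.24] [genpatches < 2.6.23-5]",
    "bug-C": "[linux < 2.6.21] [genpatches < 2.6.20-1] [xen-sources 2.6.18-r1]",
}
SAMPLE_TREE = {"linux": "2.6.23", "genpatches": "2.6.23-4", "xen-sources": "2.6.18-r2"}


def render(per_source, glsa_ready, needs_attention):
    """Plain-text view of the report, one line per source."""
    lines = [f"{src:12} open={st['open']} fixed={st['fixed']}"
             for src, st in per_source.items()]
    lines.append(f"GLSA ready: {glsa_ready}")
    lines.append(f"needs attention: {needs_attention}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*status_report(SAMPLE_BUGS, SAMPLE_TREE)))
```

With the sample data, bug-A is the only GLSA-ready bug (every tagged source is at or past its fix version), bug-B stays open against linux and genpatches, and bug-C is flagged because its xen-sources tag lacks the "<" and cannot be trusted. The version comparator is the part most likely to need replacing in a real tool, since portage's own version rules (suffixes like _p or _rc, letter versions) are richer than what is assumed here.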
On Thu, Feb 21, 2008 at 8:09 AM, Robert Joslyn <rjmars97@gmail.com> wrote:
> I would like to help as well. I have limited C experience unfortunately,
> and most of that is programming PIC microcontrollers. Been using Gentoo for
> years, and would love to give something back.
>
> On Thu, Feb 21, 2008 at 4:34 AM, George Prowse <cokehabit@gmail.com> wrote:
> > I'm interested, no C knowledge but plenty of time, passed the dev exam
> > and a willingness to learn. It's been on my agenda for a long time.
> >
> > nick loeve wrote:
> > > I can help also... I have limited free time but am willing to put in
> > > some hours...
> > >
> > > I have medium C knowledge, reasonable kernel experience, and also a
> > > strong linux background
> > >
> > > On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro
> > > <arthur@las.ic.unicamp.br> wrote:
> > >> I'm interested... little C knowledge, very curious about kernel, strong
> > >> linux background...
> > >>
> > >> is there another prereq to join this?
> > >>
> > >>
> > >>
> > >> On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
> > >> > I am interested too :)
> > >> >
> > >> > No C knowledge but strong linux background and very organized guy.
> > >> >
> > >> > On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
> > >> > > It would probably help if we knew how many people were interested.
> > >> > >
> > >> > > I am. +1
> > >> > >
> > >> > > Casey
> > >> > >
> > >> > > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson
> > >> > > <propolice@gmail.com> wrote:
> > >> > > > Alright how do we proceed to get this team started.
> > >> > > >
> > >> > > > ed*eonsec
> > >> > > >
> > >> > > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@gentoo.org>
> > >> > > > wrote:
> > >> > > > >
> > >> > > > >
> > >> > > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg
> > >> > > > > wrote:
> > >> > > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > >> > > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > >> > > > > > > > What specific kernel knowledge is needed to get a
> > >> > > > > > > > Kernel advisory up and running?
> > >> > > > > > >
> > >> > > > > > > Between becoming aware of a vulnerability in Linux and
> > >> > > > > > > drafting an advisory for one or all kernel sources comes
> > >> > > > > > > the part where you review which versions of which kernel
> > >> > > > > > > sources are affected and unaffected. You also need to pay
> > >> > > > > > > attention to specifics of the added patchsets, which might
> > >> > > > > > > duplicate vulnerabilities.
> > >> > > > > > >
> > >> > > > > > > Parts of the job can indeed be done without Kernel and C
> > >> > > > > > > knowledge, but some cannot. So if we draft a new kernel
> > >> > > > > > > security *team*, people without C and kernel knowledge are
> > >> > > > > > > helpful -- some others need to have it, though.
> > >> > > > > > >
> > >> > > > > > > Robert
> > >> > > > > >
> > >> > > > > > To be honest, 99% of what is done in the kernel security
> > >> > > > > > team can be done with no C knowledge at all.
> > >> > > > > >
> > >> > > > > > I'm not an expert C person - far from it - but I eventually
> > >> > > > > > became the head of Kernel Security until I retired a few
> > >> > > > > > months ago.
> > >> > > > > >
> > >> > > > > > Most of it is bug handling. The major problem is a social,
> > >> > > > > > not a technical one. Because of the manner in which our
> > >> > > > > > kernels are organized, a single vulnerability involves
> > >> > > > > > checking upstream version numbers, coordinating them into
> > >> > > > > > our downstream version numbers for all sources, checking to
> > >> > > > > > see if the sources are affected, figuring out who to CC for
> > >> > > > > > the bugs, then harassing them until they do it.
> > >> > > > > >
> > >> > > > > > Unlike other security sources, any attempt to hardmask the
> > >> > > > > > package is shut down instantly. The chaos that would result
> > >> > > > > > from a kernel hardmask, even one of the lesser used ones,
> > >> > > > > > caused me to only successfully order one over my entire
> > >> > > > > > career in Gentoo Kernsec... even though around 30 would
> > >> > > > > > have been needed. It is not infrequent that bugs will last
> > >> > > > > > six months without any action coming about them, and users
> > >> > > > > > are blissfully unaware.
> > >> > > > > >
> > >> > > > > > I am happy to give my input as the former head of Kernel
> > >> > > > > > Security, but it is my personal opinion that any advances in
> > >> > > > > > kernel security will require the full cooperation of
> > >> > > > > > security, and letting the head of kernel security be able to
> > >> > > > > > actually enforce threats, as that seems to be the only way
> > >> > > > > > bugs ever get resolved. Pleading didn't work - I tried.
> > >> > > > > >
> > >> > > > > > -Harlan Lieberman-Berg
> > >> > > > > > Gentoo Developer Emeritus
> > >> > > > >
> > >> > > > >
> > >> > > > > Every word of what you said is painfully true. The only way to
> > >> > > > > accomplish this would be with an Iron Fist(fail) or a team of
> > >> > > > > ~15 guys who do nothing but patch and push new kernels and the
> > >> > > > > PR that goes along with them every few days.
> > >> > > > > --
> > >> > > > > Ned Ludd <solar@gentoo.org>
> > >> > > > >
> > >> > > > > --
> > >> > > > > gentoo-security@lists.gentoo.org mailing list
> > >> > > > >
> > >> > > > >
> > >> >
> > >>
> > >> --
> > >> Arthur Bispo de Castro
> > >> Laboratório de Administração e Segurança (LAS/IC)
> > >> Universidade Estadual de Campinas (UNICAMP)
> > >>
> > >
> > >
> > >
> >