Mailing List Archive

Re: Kernel Security + KISS [ In reply to ]
On Thursday, 21.02.2008, 22:55 -0500, Casey Link wrote:
> vulnerabilities,

--
gentoo-security@lists.gentoo.org mailing list
Re: Kernel Security + KISS [ In reply to ]
On Friday 22 February 2008 04:55:17 Casey Link wrote:
> Here are some day to day duties that will need to get done. This
> isn't exhaustive, just the results of a few minutes of brainstorming:
>
> * Stalking the places vulnerabilities are announced (CVE, mailing
> lists, etc) to create the relevant bug.
The Security team is more or less already doing this. We could quite easily
start filing kernel stuff again.

> * Determine which upstream (kernel.org) version has the fix and make
> the whiteboard entry in bugzilla.
> * Determine which sources are affected
> * Nag kernel maintainers to patch their sources
> * Find patches and discussion to link to the kernel maintainers to
> ease their patching (and ideally encourage them to patch faster)
> * As sources are patched update the whiteboard
> * Release glsas of unaffected packages (?)
The GLSA format/DTD per se was deemed unfit for kernel sources. I guess you
could add what is needed to the Resolution section though.

>
> Some framework and specification needs to be laid, but that is a
> general outline of the process I think. None of those duties require
> programming experience at all. Of course crafting patches to send to
> the kernel maintainers would be another helpful thing to do. Ideally
> this would be made pretty simple with some nifty tools, however
> manpower is going to be required regardless.
>
> There are still the glaring issues of (1) the best way to notify users
> of vulnerabilities, and (2) how to enforce rapid-ish response by
> kernel maintainers. I think the best way to approach (2) is to be
> amicable towards the maintainers. Point them in the right direction,
> send them patches, etc., rather than spamming "OMG! Patch
> foo-sources!" every day. Maybe we could give them candy or something.
I think we should try to get all security-supported kernel maintainers to
abide by some timetable laid down in a coming kernel security policy. If
kernel maintainers don't want to do that, I guess their sources should go back
to unstable. Before anything is final, kernel maintainers and council should
be consulted.

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team

>
> Casey
>
> On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@gmail.com>
> wrote:
> > Yes. We should each have assigned tasks which will depend on our
> > respective skill and trait.
> >
> > -- ed*eonsec
> >
> > On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@gmail.com> wrote:
> > > George Prowse wrote:
> > > > Eduardo Tongson wrote:
> > > >> Nice plan. I think you are more able to lead. Can we communicate
> > > >> more in email perhaps a google group or list. IRC is not efficient
> > > >> for people in different timezones.
> > > >>
> > > >> -- ed*eonsec
> > > >
> > > > I agree, a list or group would be better at pooling the people at
> > > > your disposal
> > >
> > > I also think it would be a good idea to set up some requirements
> > > profile so people can identify themselves in some kind of matrix?
> > >
> > > I basically volunteer but not sure what use I could be with a
> > > background as an ISO, limited time and basic C knowledge.
> > >
> > > --doppelgaenger
> > >
> > >
> > > --
> > > gentoo-security@lists.gentoo.org mailing list
> >
> > --
> > gentoo-security@lists.gentoo.org mailing list