From: Stefan Cornelius <dercorny <at> gentoo.org>
Subject: Security team meeting summary
Newsgroups: gmane.linux.gentoo.security
Date: Wednesday 22nd March 2006 15:02:30 UTC (over 10 years ago)
This is the summary of the IRC meeting the Gentoo Linux Security Team had on
Monday, March 20, 20:00 UTC in #gentoo-security (freenode).
A raw IRC log of the meeting can be found here:
http://dev.gentoo.org/~dercorny/security/sec-meeting-20060320.log


Agenda was:
-----------

1/ Project status
   a) GLSA team status
   b) Kernel team status
   c) Audit team status

2/ Improvement areas
   a) Maintainers involvement
   b) Recruitment
   c) Portage integration
   d) Other process or policy improvements

3/ Lead(s) election

4/ Public Q&A



1/ Project status:
------------------

 a) GLSA team status

The number of late GLSAs (meaning GLSAs not delivered within the timeframe given
by the policy) drastically increased by almost 50% [1]. Two main causes have
been identified:
 - The GLSA team is operating close to or below the critical mass of GLSA
   coordinators, which causes delays in certain areas like GLSA voting,
   drafting and reviewing.
 - Package maintainer security awareness is bad: sometimes maintainers don't
   care about security, don't fix bugs in time, don't respond or are
   completely missing. This causes huge delays in the GLSA processing.
Possible methods to resolve these issues are discussed in "Improvement
areas".

[1] http://dev.gentoo.org/~koon/arch_ratings.png


 b) Kernel team status

Just like the GLSA team, the kernel team lacks the manpower needed to operate
as wished. As a result, the KISS project (a system designed to release kernel
security advisories), originally expected to go live by 2005, still isn't
ready for production use since the manpower to keep it fully updated is
lacking. Although KISS is closely tied to the kernel work, a scout and a
coordinator, who help find and handle kernel bugs, are needed to fully
implement it. Besides that, a draft of the kernel security policy [2] has been
presented, which is expected to reduce the workload for the kernel team while
improving the general end-user kernel security awareness.

[2] http://dev.gentoo.org/~johnm/files/kernel-security-policy.txt


 c) Audit team status

The overall status of the audit team isn't too bad. Although the majority of
the audit team is quite busy with non-Gentoo work or inactive, a nice list of
high-profile security vulnerabilities was discovered. New developers and
better coordination within the team could help to improve the speed of the
audit project, so that bugs get dealt with faster.




2/ Improvement areas:
---------------------

 a) Maintainers involvement

Increasing the security awareness of maintainers is vital to the success of
the Gentoo Linux Security Team. Unfortunately, missing or inactive maintainers
are a general Gentoo problem. The security team can't deal with that alone
because it has no means to punish bad maintainers, so this has to be brought
to the Gentoo council. A powerful QA team could improve the situation by
cleaning out unmaintained packages or taking over if a maintainer doesn't
reply in a timely manner, but this will require changes in the QA policy
which are still being discussed.


 b) Recruitment

As mentioned in the status reports above, every team badly needs more
developers. Since a lot of recruits drop out during recruitment or vanish
after becoming a new developer, it was decided to rethink the recruitment
process. The Security Team will now start to actively look for new members,
for example by writing an article in the GWN. Also, recruits should get more
attention from senior developers, so that they feel involved and learn faster.
The progress of the recruits should be followed closely, so that they can be
upgraded appropriately to their skills. Additionally, more documentation will
be written, for example about GLSAmaker.


 c) Portage integration

A goal of the security project is to integrate glsa-check and other useful
security-related tools into portage. glsa-check had a lot of improvements
recently, but unfortunately the portage code is considered not yet ready for
a glsa-check integration. Until this changes, portage 2.1 is expected to
bring some new and interesting features from a security point of view, like
security.mask or running glsa-check in a post_sync.


 d) Other process or policy improvements

Nothing special to mention here.




3/ Lead(s) election:
--------------------

 - Koon (Thierry Carrez) stepped back from operational lead
 - Plasmaroo (Tim Yamin) is the old and new kernel subproject leader
 - Taviso (Tavis Ormandy) is the old and new auditing subproject leader
 - Jaervosz (Sune Kloppenborg Jeppesen) is the old and new operational lead
 - DerCorny (Stefan Cornelius) is the new operational lead



4/ Public Q&A:
--------------

Nothing special to mention here either. The Gentoo Linux Security Team is
always open to new ideas or questions. Write an email to [email protected]
or visit us on IRC, #gentoo-security on the freenode network.


EOF
