Date: Wed, 12 Jan 2005 10:49:36 -0800
From: Chris Wright
To: Marcelo Tosatti
Cc: Chris Wright, akpm@osdl.org, torvalds@osdl.org, alan@lxorguk.ukuu.org.uk, linux-kernel@vger.kernel.org
Subject: Re: thoughts on kernel security issues
Message-ID: <20050112104936.U469@build.pdx.osdl.net>
References: <20050112094807.K24171@build.pdx.osdl.net> <20050112150611.GB32024@logos.cnet>
In-Reply-To: <20050112150611.GB32024@logos.cnet>; from marcelo.tosatti@cyclades.com on Wed, Jan 12, 2005 at 01:06:12PM -0200

* Marcelo Tosatti (marcelo.tosatti@cyclades.com) wrote:
> On Wed, Jan 12, 2005 at 09:48:07AM -0800, Chris Wright wrote:
> > Right now most things come in via 1) lkml, 2) maintainers, 3) vendor-sec.
> > It would be nice to have a more centralized place for all of this
> > information to help track it, make sure things don't fall through
> > the cracks, and make sure of timely fix and disclosure.
>
> I very much like the idea and I also think an "official" list of kernel security issues and
> respective fixes is very much required, since not every Linux distribution is supposed
> to have kernel developers working for them, going through the whole changelogs
> looking for security issues, which is just silly.
>
> Disclosing and bookkeeping of security issues is a job of the Linux kernel team.

Yes, I agree.
> Alan used to list down security fixes between each v2.2 release, v2.4 has never
> had such an official list (I'm trying to write CAN numbers on the changelogs lately),
> neither v2.6. It's not a practical thing for Linus/Andrew to do, it's a lot of
> work.
>
> It would be interesting to have all developers know about such an initiative
> and have them send their security fixes to be logged and disclosed - it's obviously
> impossible for you to read all changes in the kernel. And have Linus/Andrew
> advocate in favour of it.
>
> IMO such an initiative needs to be known by all contributors for
> it to be effective.

Indeed, it would be most effective as a collective effort. Of course, we'll
never make 100%, but we could do better than now.

> > In addition, I think it's worth considering keeping the current stable
> > kernel version moving forward (point releases ala 2.6.x.y) for critical
> > (mostly security) bugs. If nothing else, I can provide a subset of -ac
> > patches that are only that.
>
> Yes, -ac has been playing that role. It is general consensus that
> such point releases are required.
>
> Linus doesn't do it because it is too much extra work for him (and he is focused
> on other things), glad you have stepped up.
>
> > I volunteer to help with _all_ of the above. It's what I'm here for.
> > Use me, abuse me ;-)
>
> You've been doing a lot of security work/auditing in the kernel for a long time,
> which fits the job position nicely.
>
> I'm willing to help.

Great, thanks!

-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net