[Ksummit-2013-discuss] Topic Proposal: Handling Security Issues in the kernel
jmorris at namei.org
Sat Aug 10 01:56:39 UTC 2013
On Fri, 9 Aug 2013, James Bottomley wrote:
> We seem to have reached the point in kernel development where "security"
> is the magic word to escape from any kind of due process (it is, in
> fact, starting to be used in much the same way the phrase "war on
> terror" is used to abrogate due process usually required by the US
> constitution). A couple of recent examples are:
> In both cases we had commits with cryptic messages, little explanation
> and practically no review all in the name of security.
This issue definitely needs discussion. The cryptic / silent fixes are
really only helping the bad guys. They are watching these commits and
doing security analysis on them.
We don't have people with appropriate skill who are dedicated to doing
security analysis on these kinds of fixes. Perhaps the community via LF
could find a way to make this happen, e.g. resourcing 2-3 security
researchers to work specifically on mainline security triage.
> I'd like to start discussions with the big one:
> * Do we need to handle security vulnerabilities in secret?
That is an excellent question. I think some expert input on the
discussion would be useful from distro security response and security