[Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security

Kees Cook keescook at chromium.org
Mon Jul 13 23:15:03 UTC 2015


On Sat, Jul 11, 2015 at 9:38 AM, Theodore Ts'o <tytso at mit.edu> wrote:
> On Sat, Jul 11, 2015 at 04:02:02PM +0000, Jason Cooper wrote:
>>
>> Could we have some sort of post-vuln/CVE conversation dissecting the
>> vulnerability and how it got there?  Or, perhaps select a few for
>> process-dissection to be presented at the summit?
>
> Kees did a really good presentation entitled "security anti-patterns"
> a year or two ago at a kernel summit (the one at Edinburgh if I
> remember correctly?).  Kees, do you think it would be worth updating
> and re-doing that presentation?  And perhaps at a wider set of venues
> beyond just the kernel summit....

I can, yeah, but I sort of think stuff like that is really just
"reference material", and sometimes too specific. Reviewers (and
authors) need to think about high-level risks, not just mechanical
flaws. I would agree that beefing up reviewer roles could really help
this part of the problem, though.

-Kees

-- 
Kees Cook
Chrome OS Security


More information about the Ksummit-discuss mailing list