[Ksummit-discuss] [TECH TOPIC] Security

Dan Carpenter dan.carpenter at oracle.com
Sat Sep 22 13:16:40 UTC 2018


Sort of related to this.  I think we should have a public email list to
discuss potential security problems.  We've actually talked about making
the security at kernel.org list public at some point when people started
flooding it with static checker warnings about potential SELinux missing
checks.

The downsides are 1) Maintainers will be annoyed.  They don't want me or
anyone to forward them static checker output (they are polite about
this).  But they also want to be the first to know about real bugs found
by static analysis.  These are conflicting and impossible desires...  2)
Script kiddies will follow the list and learn about bugs earlier.  I
don't see this as a huge issue if we restricted it to driver specific
bugs.

Security work is lonely.  Everyone expects *all* the bugs to be fixed
perfectly and in absolute secrecy.

Every other special interest group has a mailing list linux in
automotive or small kernels.  Security would be the same.  Also I
sometimes see obviously bad security fixes.  There is one integer
overflow fixes which I have re-fixed three times.  Older me is able to
review other people's integer overflow fixes and spot bugs.  It would be
good to have a way to share that knowledge.

Most maintainers do not want to deal with more than a 5% false positive
rate in static checker warnings.  I, on the other hand, regularly deal
with a 95% false positive checks and there are probably other people
like me who can spend a whole day looking and feel happy to find one
bug.

regards,
dan carpenter


More information about the Ksummit-discuss mailing list