[Security_sig] 5/12 Conf. call minutes

Chris Wright chrisw at osdl.org
Thu Jun 9 10:15:37 PDT 2005

	Chris Wright (OSDL)
	Emily Ratliff (IBM)
	Ed Reed (Novell)
	Joe Cihula (Intel)
	Mary Edie Meredith (OSDL)
	Matt Anderson (HP)

	- DCL security spec
	- any other business



Emily:  Newer version than draft 0.3?

Ed: No, waiting for feedback on current draft before moving forward.
Don't want to waste cycles in the wrong direction.

Chris: What feedback do you need?

Ed: Thrown against wall internally, to shake it down.  No huge pushback

Joe: Correct, we started with the list of threats, objectives,
assumptions, etc...before getting to requirements.

Ed: So full speed ahead, make sure internally consistent, etc.  I'll be
hard pressed to make much progress in the next two weeks, so a month
from now will be next round.  Mary, turn up the heat if that's not going
to cover it.

Ed: Need text for sample threats and objectives.

Ed: Mary, formatting needs?

Mary: I wouldn't worry too much about formatting now.

Mary: In the next two weeks, can we find someone else to work on it?

Chris: It would help if Ed can point us at specific pieces that need
specific work.

Ed: I'll rediff against my 0.4 and the release 0.3

Emily:  General question.  Do any of the Asian distros participate with

Chris:  Yes, there's an Asian office and the Asian groups meet together.
Given timezones we meet all together something like every other time
(for DCL, for example).

Mary: Yes there's quite a bit of interest from the Asian community.

Emily:  Security related?

Mary: Often performance (java), scalability, robustness (HA), open source
database, and of course localization.

Mary: Chris, how was your talk at Linux World Summit?

Chris: Went well, most interesting part was the questions that Microsoft
asked me regarding system security.  They had one interesting (albeit
simple) question...what are the top 3-5 issues that a user (admin) needs
to be aware of.  I don't think there's a great answer.  For one thing,
it depends on the applications being used, but in general we're still
doing damage mitigation, fundamentally assuming that applications can
be broken.  I'm sure they felt happy about their forward view, as in
their use of c#, etc...

Joe: Sure, but ms security is still a bit of a theory vs. reality.  The
new features are often disabled for compatibility, or aren't protecting
legacy apps.

Chris: Agreed, that's what I mean by forward looking.  Not sure we have
the same forward looking view though (while we both have legacy apps

Ed: We don't have a lot of good best practices docs, esp since there's
not a lot of agreement on what they are.

Emily: Not even David Wheeler's doc?

Ed: I'd have to go back and look...

Joe: Even the doc is a bit theoretical.  People will use a distro, for
example, so distro secure defaults are probably more effective than docs.

Chris: I agree, the docs can't actively enforce anything.  So we
still have a gap between the documentation existing and the ideas,
technologies, etc. being put to use in projects.  Having the development
cycle actively use tools like static checkers, etc. so that at the
project level things are secure by default is that last mile.  I think
ms is actually making some interesting progress in that area.

Emily: Interesting, something Dave Jones was just blogging about.

Chris: Tools exist, (need improvement, sure), but still aren't making it
very far into the development practice.

Joe: MS is definitely developing in this area.

Chris: That's the difference between funding and a mandate vs. foss.

Emily: There's active research in universities, but it still seems to
become proprietary spin offs often (as in Coverity, or some of the work
we've helped with at UT)
