Re: Linux Kernel Audit Project?

From: John Richard Moser
Date: Mon Jan 17 2005 - 02:49:39 EST

Next message: Paul Mackerras: "Re: Horrible regression with -CURRENT from "Don't busy-lock-loop in preemptable spinlocks" patch"
Previous message: John Richard Moser: "Re: Linux Kernel Audit Project?"
In reply to: Dave Jones: "Re: Linux Kernel Audit Project?"
Next in thread: Adrian Bunk: "Re: Linux Kernel Audit Project?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Damn that sucks. I think stable releases need every patch audited
before they get Linus' blessing, and unfortunately it seems we don't
have the required 150+ people jumping up to volunteer. :(

Yes I have unrealistic goals. Sane, but unrealistic. Perhaps
collaboration with the major distributions to volunteer developers to do
the auditing? We need SOMETHING; there's been too much line noise here
about kernel security holes. Whether this is new or people are just
noticing and overreacting now, it's still not good.

Unfortunately, "Something" requires manpower. Manpower requires people
who aren't busy doing other things, like improving preemptiveness,
rewriting the VM system, enhancing the scheduler, or writing new
drivers. And unfortunately, not only is everyone busy with all of that;
but we NEED all of that too.

Well, maybe you can't start up a group now, or implement audit policy;
but perhaps the invitation needs to be there. I see there are no -audit
or -security lists on vger; perhaps somebody should start a
linux-kernel-audit@vger list just to get the ball rolling. If it grows
big enough, then you can consider some policy about having the changes
audited FIRST before releasing; for now that's just not feasible.

Dave Jones wrote:
> On Mon, Jan 17, 2005 at 02:17:37AM -0500, John Richard Moser wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Is there an official Linux Kernel Audit Project to actively and
> > aggressively security audit all patches going into the Linux Kernel, or
> > do they just get a cursory scan for bugs and obvious screwups?
>
> There were at least two such projects that crashed and burned
> that I recall, the last was "active" about 3 years ago, and
> accomplished very little.
>
> Dave
>

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB622KhDd4aOud5P8RAnJcAJ4n9Pt6JbYRlu2cmSTt91xM7IO8fACffUA7
rzoWMpWXPrNUxk+v/fDNeN8=
=Mxal
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul Mackerras: "Re: Horrible regression with -CURRENT from "Don't busy-lock-loop in preemptable spinlocks" patch"
Previous message: John Richard Moser: "Re: Linux Kernel Audit Project?"
In reply to: Dave Jones: "Re: Linux Kernel Audit Project?"
Next in thread: Adrian Bunk: "Re: Linux Kernel Audit Project?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]