[Announce] Linux Security Summit North America 2025 CfP

[Announce] Linux Security Summit North America 2025 CfP

[James Morris]

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

The Call for Participation for the 2025 Linux Security Summit North 
America (LSS-NA) is now open.

LSS-NA 2025 is a technical forum for collaboration between Linux 
developers, researchers, and end-users. Its primary aim is to foster 
community efforts in deeply analyzing and solving Linux operating system 
security challenges, including those in the Linux kernel. Presentations 
are expected to focus deeply on new or improved technology and how it 
advances the state of practice for addressing these challenges.

Key dates:

    - CFP Closes:  Monday, March 10 at 11:59 PM MDT / 10:59 PM PDT
    - CFP Notifications: Monday, March 31
    - Schedule Announcement: Wednesday, April 2
    - Presentation Slide Due Date: Tuesday, June 24
    - Event Dates: Thursday, June 26 – Friday, June 27

Location: Denver, Colorado, USA (co-located with OSS).

Full details may be found here: 
https://events.linuxfoundation.org/linux-security-summit-north-america/

Follow LSS event updates here:
https://social.kernel.org/LinuxSecSummit



-- 
James Morris
<jmorris@namei.org>

Re: [Announce] Linux Security Summit North America 2025 CfP

[Dr. Greg]

On Mon, Feb 10, 2025 at 01:03:02PM -0800, James Morris wrote:

Good morning, I hope the week is starting well for everyone.

> The Call for Participation for the 2025 Linux Security Summit North 
> America (LSS-NA) is now open.
> 
> LSS-NA 2025 is a technical forum for collaboration between Linux 
> developers, researchers, and end-users. Its primary aim is to foster 
> community efforts in deeply analyzing and solving Linux operating system 
> security challenges, including those in the Linux kernel. Presentations 
> are expected to focus deeply on new or improved technology and how it 
> advances the state of practice for addressing these challenges.
>
> Key dates:
> 
>     - CFP Closes:  Monday, March 10 at 11:59 PM MDT / 10:59 PM PDT
>     - CFP Notifications: Monday, March 31
>     - Schedule Announcement: Wednesday, April 2
>     - Presentation Slide Due Date: Tuesday, June 24
>     - Event Dates: Thursday, June 26 ??? Friday, June 27
> 
> Location: Denver, Colorado, USA (co-located with OSS).

I reflected a great deal before responding to this note and finally
elected to do so.  Given the stated desire of this conference to
'focus deeply on new or improved technologies' for advancing the state
of practice in addressing the security challenges facing Linux, and
presumably by extension, the technology industry at large.

I'm not not sure what defines membership in the Linux 'security
community'.  I first presented at the Linux Security Summit in 2015,
James you were moderating the event and sitting in the first row.

If there is a desire by the Linux Foundation to actually promote
security innovation, it would seem the most productive use of
everyone's time would be to have a discussion at this event focusing
on how this can best be accomplished in the context of the current
Linux development environment.

If we have done nothing else with our Quixote/TSEM initiative, I
believe we have demonstrated that Linux security development operates
under the 'omniscient maintainer' model, a concept that is the subject
of significant discussion in other venues of the Linux community:

https://lore.kernel.org/lkml/CAEg-Je9BiTsTmaadVz7S0=Mj3PgKZSu4EnFixf+65bcbuu7+WA@mail.gmail.com/

I'm not here to debate whether that is a good or bad model.  I do
believe, that by definition, it constrains the innovation that can
successfully emerge to something that an 'omniscient' maintainer
understands, feels comfortable with or is not offended by.

It should be lost on no one that the history of the technology
industry has largely been one of disruptive innovation that is
completely missed by technology incumbents.

The future may be the BPF/LSM, although no one has yet publically
demonstrated the ability to implement something on the order of
SeLinux, TOMOYO or Apparmor through that mechanism.  It brings as an
advantage the ability to innovate without constraints as to would be
considered 'acceptable' security.

Unfortunately, a careful review of the LSM mailing list would suggest
that the BPF/LSM, as a solution, is not politically popular in some
quarters of the Linux security community.  There have been public
statements that there isn't much concern if BPF breaks, as the concept
of having external security policy is not something that should be
supported.

We took an alternative approach with TSEM, but after two years of
submissions, no code was ever reviewed.  I'm not here to bitch about
that, however, the simple fact is that two years with no progress is
an eternity in the technology industry, particularly security, and
will serve to drive security innovation out of the kernel.

One can make a reasoned and informed argument that has already
happened.  One of the questions worthy of debate at a conference with
the objectives stated above.

I apologize if these reflections are less than popular but they are
intended to stimulate productive discussion, if the actual intent of
the conference organizers is to focus deeply on new and improved
security technology.

There is far more technology potentially available than there are good
answers to the questions as to how to effectively exploit it.

> James Morris
> <jmorris@namei.org>

Best wishes for a productive week.

As always,
Dr. Greg

The Quixote Project - Flailing at the Travails of Cybersecurity
              https://github.com/Quixote-Project

Re: [Announce] Linux Security Summit North America 2025 CfP

[Casey Schaufler]

On 2/17/2025 4:45 AM, Dr. Greg wrote:
> On Mon, Feb 10, 2025 at 01:03:02PM -0800, James Morris wrote:
>
> Good morning, I hope the week is starting well for everyone.
>
>> The Call for Participation for the 2025 Linux Security Summit North 
>> America (LSS-NA) is now open.
>>
>> LSS-NA 2025 is a technical forum for collaboration between Linux 
>> developers, researchers, and end-users. Its primary aim is to foster 
>> community efforts in deeply analyzing and solving Linux operating system 
>> security challenges, including those in the Linux kernel. Presentations 
>> are expected to focus deeply on new or improved technology and how it 
>> advances the state of practice for addressing these challenges.
>>
>> Key dates:
>>
>>     - CFP Closes:  Monday, March 10 at 11:59 PM MDT / 10:59 PM PDT
>>     - CFP Notifications: Monday, March 31
>>     - Schedule Announcement: Wednesday, April 2
>>     - Presentation Slide Due Date: Tuesday, June 24
>>     - Event Dates: Thursday, June 26 ??? Friday, June 27
>>
>> Location: Denver, Colorado, USA (co-located with OSS).
> I reflected a great deal before responding to this note and finally
> elected to do so.  Given the stated desire of this conference to
> 'focus deeply on new or improved technologies' for advancing the state
> of practice in addressing the security challenges facing Linux, and
> presumably by extension, the technology industry at large.
>
> I'm not not sure what defines membership in the Linux 'security
> community'.  I first presented at the Linux Security Summit in 2015,
> James you were moderating the event and sitting in the first row.
>
> If there is a desire by the Linux Foundation to actually promote
> security innovation, it would seem the most productive use of
> everyone's time would be to have a discussion at this event focusing
> on how this can best be accomplished in the context of the current
> Linux development environment.
>
> If we have done nothing else with our Quixote/TSEM initiative, I
> believe we have demonstrated that Linux security development operates
> under the 'omniscient maintainer' model, a concept that is the subject
> of significant discussion in other venues of the Linux community:
>
> https://lore.kernel.org/lkml/CAEg-Je9BiTsTmaadVz7S0=Mj3PgKZSu4EnFixf+65bcbuu7+WA@mail.gmail.com/
>
> I'm not here to debate whether that is a good or bad model.  I do
> believe, that by definition, it constrains the innovation that can
> successfully emerge to something that an 'omniscient' maintainer
> understands, feels comfortable with or is not offended by.
>
> It should be lost on no one that the history of the technology
> industry has largely been one of disruptive innovation that is
> completely missed by technology incumbents.
>
> The future may be the BPF/LSM, although no one has yet publically
> demonstrated the ability to implement something on the order of
> SeLinux, TOMOYO or Apparmor through that mechanism.  It brings as an
> advantage the ability to innovate without constraints as to would be
> considered 'acceptable' security.
>
> Unfortunately, a careful review of the LSM mailing list would suggest
> that the BPF/LSM, as a solution, is not politically popular in some
> quarters of the Linux security community.  There have been public
> statements that there isn't much concern if BPF breaks, as the concept
> of having external security policy is not something that should be
> supported.
>
> We took an alternative approach with TSEM, but after two years of
> submissions, no code was ever reviewed.

1. Not true.
2. I have suggested changes to the way you submit patches that will
   make reviewing your code easier. You have ignored these suggestions.
3. Recommendations have been made about your approach. Your arguments
   have been heard.

>   I'm not here to bitch about
> that, however, the simple fact is that two years with no progress is
> an eternity in the technology industry, particularly security, and
> will serve to drive security innovation out of the kernel.
>
> One can make a reasoned and informed argument that has already
> happened.  One of the questions worthy of debate at a conference with
> the objectives stated above.
>
> I apologize if these reflections are less than popular but they are
> intended to stimulate productive discussion, if the actual intent of
> the conference organizers is to focus deeply on new and improved
> security technology.

Please propose a talk for the summit. Talks have a limited duration,
so do be concise.

>
> There is far more technology potentially available than there are good
> answers to the questions as to how to effectively exploit it.
>
>> James Morris
>> <jmorris@namei.org>
> Best wishes for a productive week.
>
> As always,
> Dr. Greg
>
> The Quixote Project - Flailing at the Travails of Cybersecurity
>               https://github.com/Quixote-Project
>

[Announce] Linux Security Summit Europe 2025 CfP

[Reshetova, Elena]

The Call for Participation for the 2025 Linux Security Summit Europe 
 (LSS-EU) is now open.

LSS-EU 2025 is a technical forum for collaboration between Linux 
developers, researchers, and end-users. Its primary aim is to foster 
community efforts in deeply analyzing and solving Linux operating system 
security challenges, including those in the Linux kernel. Presentations 
are expected to focus deeply on new or improved technology and how it 
advances the state of practice for addressing these challenges.

Key dates:

    - CFP Closes:  Tuesday, 6 May at 23:59 CEST / 14:59 PDT
    - CFP Notifications: Thursday, 29 May
    - Schedule Announcement: Friday, 30 May
    - Presentation Slide Due Date: Tuesday, 26 August
    - Event Dates: Thursday, August 28 – Friday, August 29

Location: Amsterdam, Netherlands (co-located with OSS).

Full details may be found here: 
https://events.linuxfoundation.org/linux-security-summit-europe/

Follow LSS event updates here:
https://social.kernel.org/LinuxSecSummit