public inbox for linux-kernel@vger.kernel.org
From: John Richard Moser <nigelenki@comcast.net>
To: Dave Jones <davej@redhat.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Linux Kernel Audit Project?
Date: Mon, 17 Jan 2005 02:47:32 -0500
Message-ID: <41EB6D94.9040500@comcast.net>
In-Reply-To: <20050117073217.GC13827@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Damn that sucks.  I think stable releases need every patch audited
before they get Linus' blessing, and unfortunately it seems we don't
have the required 150+ people jumping up to volunteer.  :(

Yes I have unrealistic goals.  Sane, but unrealistic.  Perhaps
collaboration with the major distributions to volunteer developers to do
the auditing?  We need SOMETHING; there's been too much line noise here
about kernel security holes.  Whether this is new or people are just
noticing and overreacting now, it's still not good.

Unfortunately, "Something" requires manpower.  Manpower requires people
who aren't busy doing other things, like improving preemptiveness,
rewriting the VM system, enhancing the scheduler, or writing new
drivers.  And unfortunately, not only is everyone busy with all of that,
but we NEED all of that too.

Well, maybe you can't start up a group now, or implement audit policy;
but perhaps the invitation needs to be there.  I see there are no -audit
or -security lists on vger; perhaps somebody should start a
linux-kernel-audit@vger list just to get the ball rolling.  If it grows
big enough, then you can consider some policy about having the changes
audited FIRST before releasing; for now that's just not feasible.

Dave Jones wrote:
> On Mon, Jan 17, 2005 at 02:17:37AM -0500, John Richard Moser wrote:
>  > -----BEGIN PGP SIGNED MESSAGE-----
>  > Hash: SHA1
>  > 
>  > Is there an official Linux Kernel Audit Project to actively and
>  > aggressively security audit all patches going into the Linux Kernel, or
>  > do they just get a cursory scan for bugs and obvious screwups?
> 
> There were at least two such projects that crashed and burned
> that I recall, the last was "active" about 3 years ago, and
> accomplished very little.
> 
> 		Dave
> 

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB622KhDd4aOud5P8RAnJcAJ4n9Pt6JbYRlu2cmSTt91xM7IO8fACffUA7
rzoWMpWXPrNUxk+v/fDNeN8=
=Mxal
-----END PGP SIGNATURE-----


Thread overview: 13+ messages
2005-01-17  7:17 Linux Kernel Audit Project? John Richard Moser
2005-01-17  7:31 ` Alban Browaeys
2005-01-17  7:32 ` Dave Jones
2005-01-17  7:47   ` John Richard Moser [this message]
2005-01-17 12:38     ` Adrian Bunk
2005-01-17 18:06       ` John Richard Moser
2005-01-17  7:40 ` John Richard Moser
2005-01-17 12:23   ` Alan Cox
2005-01-17 18:12     ` John Richard Moser
2005-01-17 18:16     ` Theodore Ts'o
2005-01-17 20:09     ` John Richard Moser
2005-01-17 13:11   ` Diego Calleja
2005-01-17 18:07     ` John Richard Moser
