There has been a lot of talk about kernel security in the last weeks, partly about how to better address the issue upstream, and also a larger than usual stream of vulnerabilities discovered. I would like to propose here some possible adjustments that could hopefully decrease our overall reaction time to kernel vulnerabilities within Gentoo.
First, let me detail the current workflow from my perspective as a Hardened Gentoo kernel maintainer. As you are surely aware, there is a Gentoo Kernel team that nicely handles issues relating to the main Gentoo kernels, including security. There are also teams, notably Hardened and $ARCH, who maintain their own kernels independently of the Gentoo Kernel team proper. We will call them "external maintainers".

Typically, a kernel security bug is reported to Gentoo Bugzilla for tracking purposes. It is assigned to security@, our security team, who after a few hours or even days confirm the bug and pass it on to the kernel team proper. After a few more hours/days the kernel team proper catches the bug and fixes their supported kernels at a pretty amazing speed. It is not until this point that external maintainers are added to the CC list and notified of the bug. These waiting periods could be due to Real Life (TM) factors, timezones, or what have you, and aren't really the failure of any person involved.

It would seem ideal to me to cut out this human factor as much as possible and get the word to every maintainer sooner, allowing them to solve it sooner. This might not always be effective (take the case where a vulnerability is disclosed but no patch is available), but it could cut at least hours if not days from our response time.

The first small step I've thought of to speed up notification is to create a kernel-security@ alias which includes members of the kernel team proper and at least one maintainer for each external -sources package. This would create a single point of contact for kernel security issues and, for the kernel team proper, separate high-priority security bugs from their usual flood of email to kernel@, possibly allowing them to catch such bugs faster as a pleasant side effect. Ideally Bugzilla could CC this alias on the creation of Gentoo Security bugs in the Kernel component.
I am sure any misconceptions in my analysis will be pointed out, and hopefully better ideas can be presented. I look forward to hearing your ideas on this topic.

-- [email protected] mailing list
