Date: Thu, 20 Jul 2017 15:04:30 -0400
From: Jesse Hertz <jesse_hertz@...le.com>
To: oss-security@...ts.openwall.com
Subject: Re: CoreOS membership to linux-distros (updated)

Additionally, Docker doesn't maintain a kernel distribution, whereas OpenVZ does, making this request strange to say the least.

I also think it's disingenuous to imply there's "one patch" that divides a secure containerization system from another. Container/Kernel security is... quite complicated to say the least.

> On Jul 20, 2017, at 6:42 AM, Greg KH <greg@...ah.com> wrote:
> 
> On Thu, Jul 20, 2017 at 07:13:03AM +0300, gremlin@...mlin.ru wrote:
>> On 2017-07-18 14:56:23 -0700, Euan Kemp wrote:
>> 
>>> I've listed each criterion and why I think we, the Container
>>> Linux team at CoreOS, qualify.
>>> 
>>> 
>>>> 1. Be an actively maintained Unix-like operating system distro
>>>> with substantial use of Open Source components
>>> All components of the distro are open source, as are all the
>>> tools used to build it.
>> 
>> Prior to any decision to be made, I'd ask you to show the kernel
>> patch which you use to avoid escaping from the container to host
>> system (Docker allows such escape, OpenVZ does not). Could you,
>> please, show it?
> 
> All of CoreOS's kernel patches are public, here's their latest branch:
> 	https://github.com/coreos/linux/tree/v4.12.2-coreos
> 
> But what does a specific kernel patch have to do with linux-distro's
> membership requirements?
> 
> confused,
> 
> greg k-h

