Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 01 Feb 2013 09:41:55 -0500
From: Corey Bryant <coreyb@...ux.vnet.ibm.com>
To: Solar Designer <solar@...nwall.com>
CC: kernel-hardening@...ts.openwall.com, Kees Cook <keescook@...omium.org>,
        Anthony Liguori <aliguori@...ibm.com>, Frank Novak <fnovak@...ibm.com>,
        George Wilson <gcwilson@...ibm.com>,
        Joel Schopp <jschopp@...ux.vnet.ibm.com>,
        Kevin Wolf <kwolf@...hat.com>,
        Warren Grunbok II <wgrunbok@...t.ibm.com>
Subject: Re: Secure Open Source Project Guide



On 02/01/2013 09:17 AM, Solar Designer wrote:
> Corey, Kees, all -
>
> Why don't we bring this to the oss-security mailing list?  I think this
> topic is not in any way specific nor limited to the Linux kernel.  There
> are ~10x more people on oss-security than on kernel-hardening, and this
> topic is a better fit for oss-security than for kernel-hardening.  There
> is a wiki for the oss-security group, where such content is welcome.
> Anyone can register for an account and edit.
>
> Info on the oss-security mailing list:
>
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security
>
> Subscribe here:
>
> http://oss-security.openwall.org/subscribe
>
> (Of course, Kees and many others in here are already on oss-security as
> well.  Not all, though.)
>
> On Thu, Jan 31, 2013 at 04:10:03PM -0500, Corey Bryant wrote:
>> We should probably start by gathering a list of ideas to include in the
>> guide.  Some initial ideas that come to mind are:
>>
>> * Secure programming practices (Secure "Programming for Linux
>>    and Unix HOWTO" is a good reference for Linux though probably
>>    out of date)
>
> CERT's Secure Coding resources are more current, but they're focused on
> programming languages and I think they don't cover operating system
> specific pitfalls (e.g., Linux netlink).
>
>> * Performing secure code reviews and detecting common
>>    vulnerabilities
>> * Ensuring code is reviewed by trusted parties and proper patch
>>    tagging is used
>> * Signing of releases, pull requests, patches, commits, etc by
>>    trusted parties
>> * Removing vulnerabilities with automated tooling (Static/Dynamic
>>    analysis, Fuzzing)
>
> We have some relevant links here:
>
> http://oss-security.openwall.org/wiki/
>
> and more specifically:
>
> http://oss-security.openwall.org/wiki/tools
> http://oss-security.openwall.org/wiki/links
> http://oss-security.openwall.org/wiki/code-reviews
>
> More content (and better organization of content) on the oss-security
> wiki is welcome - including on all topics you listed above.
>
> Thanks,
>
> Alexander
>
>

Thanks Alexander.  I agree, this really is targeting OSS in general so I 
think it makes sense to move to the oss-security mailing list and wiki. 
  Is anyone opposed to this or have a better idea?

And maybe we can find a good place to link to our Linux Security 
Workgroup wiki on the OSS wiki: 
http://kernsec.org/wiki/index.php/Linux_Security_Workgroup

-- 
Regards,
Corey Bryant

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.