Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 20 Jul 2017 15:04:30 -0400
From: Jesse Hertz <jesse_hertz@...le.com>
To: oss-security@...ts.openwall.com
Subject: Re: CoreOS membership to linux-distros (updated)

Additionally, Docker doesn't maintain a kernel distribution, whereas OpenVZ does, making this request strange to say the least.

I also think its disingenuous to imply there's "one patch" that divides a secure containerization system from another. Container/Kernel security is... quite complicated to say the least.
> On Jul 20, 2017, at 6:42 AM, Greg KH <greg@...ah.com> wrote:
> 
> On Thu, Jul 20, 2017 at 07:13:03AM +0300, gremlin@...mlin.ru wrote:
>> On 2017-07-18 14:56:23 -0700, Euan Kemp wrote:
>> 
>>> I???ve listed each criterion and why I think we, the Container
>>> Linux team at CoreOS, qualify.
>>> 
>>> 
>>>> 1. Be an actively maintained Unix-like operating system distro
>>>> with substantial use of Open Source components
>>> All components of the distro are open source, as are all the
>>> tools used to build it.
>> 
>> Prior to any decision to be made, I'd ask you to show the kernel
>> patch which you use to avoid escaping from the container to host
>> system (Docker allows such escape, OpenVZ does not). Could you,
>> please, show it?
> 
> All of CoreOS's kernel patches are public, here's their latest branch:
> 	https://github.com/coreos/linux/tree/v4.12.2-coreos
> 
> But what does a specific kernel patch have to do with linux-distro's
> membership requirements?
> 
> confused,
> 
> greg k-h


Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.