Reply-To: kernel-hardening@lists.openwall.com
Message-ID: <510BD22C.2010100@linux.vnet.ibm.com>
Date: Fri, 01 Feb 2013 09:33:16 -0500
From: Corey Bryant
MIME-Version: 1.0
References: <510A8F11.6050908@linux.vnet.ibm.com> <874nhxb16r.fsf@codemonkey.ws>
In-Reply-To: <874nhxb16r.fsf@codemonkey.ws>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [kernel-hardening] Secure Open Source Project Guide
To: kernel-hardening@lists.openwall.com
Cc: Anthony Liguori, Kees Cook, Frank Novak, George Wilson, Joel Schopp, Kevin Wolf, Warren Grunbok II
List-ID:

On 01/31/2013 02:30 PM, Anthony Liguori wrote:
> Kees Cook writes:
>
>> On Thu, Jan 31, 2013 at 7:34 AM, Corey Bryant wrote:
>>> In light of events like this http://lwn.net/Articles/535149/ "China, GitHub
>>> and the man-in-the-middle (Greatfire)", we are thinking that a guide for
>>> securing open source projects is needed. For example, recommending pull
>>> requests or commits be PGP signed are a few things we've discussed that
>>> could defend against a MITM attack inserting malicious code.
>>>
>>> Does anyone have any thoughts as to where we could publish such a guide?
>>> Perhaps the Linux Foundation?
>>>
>>> I believe we have the resources on this mailing list to work through the
>>> details and put together a succinct guide that we could take to a wider
>>> audience.
>>
>> Yeah, sounds good. I think we could easily use the kernel-security
>> wiki to work on it initially, and if it needs a different home in the
>> end, we can move it then.
>
> If someone picks a home, I'll do a brain dump of some of my concerns and
> what I think can be done about it.
>
> Regards,
>
> Anthony Liguori
>

That would be great. Thanks Anthony.

--
Regards,
Corey Bryant

>>
>> -Kees
>>
>> --
>> Kees Cook
>> Chrome OS Security
>
>
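As an added example that is not part of this thread, here is one way to turn the PGP-signed-commit recommendation quoted above into an enforceable check: a POSIX shell gate that reads `git log --format='%H %G? %GK'` output (real git placeholders for the hash, signature status and signing key) and rejects any commit whose signature does not verify or whose key is not on the project's own allowlist. The key IDs, commit hashes and the sample log lines below are constructed placeholders.

```shell
#!/bin/sh
# Added example: gate merges on signed commits. Feed it the output of
#   git log --format='%H %G? %GK' BASE..HEAD
# %G? codes: G good, U good but untrusted key, B bad, X/Y good but expired
#            signature/key, R good but revoked key, E cannot check, N unsigned.
# Policy: the signature must verify (G or U) AND the key must be on the
# project's allowlist; the allowlist is the trust decision, so U alone is fine.

check_signatures() {
    allowed=" $1 "            # space-separated long key IDs the project trusts
    failures=0
    reject() { echo "REJECT $1: $2"; failures=$((failures + 1)); }
    while read -r hash status key; do
        [ -n "$hash" ] || continue                 # skip blank lines
        case "$status" in
            G|U)  ;;                               # valid signature; allowlist decides
            B)    reject "$hash" "bad signature"; continue ;;
            X|Y)  reject "$hash" "expired signature or key"; continue ;;
            R)    reject "$hash" "revoked key $key"; continue ;;
            E)    reject "$hash" "cannot verify (signer key not in keyring?)"; continue ;;
            N|"") reject "$hash" "unsigned commit"; continue ;;
            *)    reject "$hash" "unexpected status '$status'"; continue ;;
        esac
        case "$allowed" in
            *" $key "*) echo "OK     $hash signed by $key" ;;
            *)          reject "$hash" "key $key not in project allowlist" ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample: placeholder hashes and key IDs, not real commits or keys.
TRUSTED_KEYS="1111222233334444AAAABBBBCCCCDDDD 5555666677778888EEEEFFFF00001111"
SAMPLE_LOG='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa G 1111222233334444AAAABBBBCCCCDDDD
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb N
cccccccccccccccccccccccccccccccccccccccc G 9999999999999999DEADBEEFDEADBEEF'

if printf '%s\n' "$SAMPLE_LOG" | check_signatures "$TRUSTED_KEYS"; then
    echo "all commits pass signature policy"
else
    echo "policy violation: block the merge"   # this sample has an unsigned and an unknown-key commit
fi
```

Running the same function on real `git log` output in a pre-receive hook or CI job gives a non-zero exit whenever a commit slipped in without a signature from a known maintainer key, which is exactly the MITM-inserted-code case the thread is worried about.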