From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: Ian Kelling <iank@fsf.org>,
Overseers mailing list <overseers@sourceware.org>
Cc: gdb@sourceware.org, Mark Wielaard <mark@klomp.org>,
libc-alpha@sourceware.org, binutils@sourceware.org,
gcc@gcc.gnu.org,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Subject: Re: Toolchain Infrastructure project statement of support
Date: Sun, 23 Oct 2022 12:17:36 -0400 [thread overview]
Message-ID: <58918ca9-70dd-8724-82e0-684350e2207e@gotplt.org> (raw)
In-Reply-To: <874jvufrqy.fsf@fsf.org>
On 2022-10-23 07:33, Ian Kelling wrote:
> Siddhesh Poyarekar via Overseers <overseers@sourceware.org> writes:
>
>> I personally do not think the current sourceware infrastructure, even
>> with the roadmap it promises is a viable alternative to what LF IT can
>> provide. There is a significant resource gap (e.g.
> ....
>> established security and administration practices,
> ...
>> that we seem to disagree about.
>
>
> Let's consider some "established security and administration practices"
>
> curl -v http://vger.kernel.org | head
> ...
> < Server: Apache/2.0.52 (Red Hat)
> < X-Powered-By: PHP/4.3.9
>
> This is RHEL 3, released in 2003, according to
> https://people.redhat.com/crunge/RHEL3-package-lists.pdf,
>
> The final end of support for this distro was on 2014-01-30.
>
> There are CVE's for that version of Apache. I assume their apache is not
> running in a configuration that makes them actually exploitable, but it
> is still better security practice upgrade.
>
> The kernel is likely from RHEL 3 too. I'm reminded of Greg KH beating the
> drum that old kernels need upgrades for security, especially because the
> kernel devs don't always check if a bug is a security issue and
> especially not for really old kernels (
> https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/
> )
>
> Notice that link is http because https is not supported by the apache
> from 2003. Linux kernel development works through patches on mailing
> lists, and how do you find the patches if you aren't already subscribed
> to a list? You'd naturally go to the lists main webpage,
> http://vger.kernel.org, and click "LIST INFO",
> http://vger.kernel.org/vger-lists.html, and then click one of the list
> archive links, or maybe the subscribe link. So, those vger.kerne.org
> pages are an essential part of retrieving upstream kernel patches and
> security information for some people. And being http only, my isp or
> anyone in my network path could alter them to be malicious urls that
> that appear to give the correct result, but actually give malicious
> kernel patches, or hides away a security relevant patch. Obviously,
> https for security sensitive pages like these is a basic 101 security
> practice in 2022.
+Konstantin from LF IT since he's better equipped to speak to this,
although ISTM that they started migrating off vger last year[1].
Sid
[1] https://www.kernel.org/lists-linux-dev.html
Sid
next prev parent reply other threads:[~2022-10-23 16:17 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-12 16:43 Carlos O'Donell
2022-10-12 18:13 ` Andrew Pinski
2022-10-13 18:25 ` Christopher Faylor
2022-10-14 12:33 ` Siddhesh Poyarekar
2022-10-17 15:10 ` Mark Wielaard
2022-10-17 16:11 ` Siddhesh Poyarekar
2022-10-18 9:50 ` Mark Wielaard
2022-10-18 15:17 ` Siddhesh Poyarekar
2022-10-18 16:42 ` Christopher Faylor
2022-10-18 18:13 ` Siddhesh Poyarekar
2022-10-18 18:14 ` Siddhesh Poyarekar
2022-10-18 18:47 ` Paul Smith
2022-10-21 0:33 ` Alexandre Oliva
2022-10-23 8:59 ` Ian Kelling
2022-10-23 13:27 ` Siddhesh Poyarekar
2022-10-23 15:16 ` Frank Ch. Eigler
2022-10-23 16:07 ` Siddhesh Poyarekar
2022-10-23 16:32 ` Siddhesh Poyarekar
2022-10-23 17:01 ` Jeff Law
2022-10-23 22:35 ` Christopher Faylor
2022-10-23 17:09 ` Frank Ch. Eigler
2022-10-23 17:38 ` Jeff Law
2022-10-24 1:51 ` Siddhesh Poyarekar
2022-10-24 12:40 ` Corinna Vinschen
2022-10-23 20:57 ` Christopher Faylor
2022-10-23 21:17 ` Siddhesh Poyarekar
2022-10-23 21:59 ` Christopher Faylor
2022-10-24 1:29 ` Siddhesh Poyarekar
2022-10-23 11:33 ` Ian Kelling
2022-10-23 16:17 ` Siddhesh Poyarekar [this message]
2022-10-23 18:56 ` Konstantin Ryabitsev
2022-10-23 21:19 ` Alexandre Oliva
2022-10-23 22:07 ` Christopher Faylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58918ca9-70dd-8724-82e0-684350e2207e@gotplt.org \
--to=siddhesh@gotplt.org \
--cc=binutils@sourceware.org \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=iank@fsf.org \
--cc=konstantin@linuxfoundation.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=overseers@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).