
The Core Infrastructure Initiative census project

The Core Infrastructure Initiative (a Linux Foundation effort to direct resources to critical projects in need of help) has announced a census project to identify the development projects most in need of assistance. "Unlike the Fed’s stress tests, which are opaque, all of the census data and analysis is open source. We are eager for community involvement. We encourage developers to fork the project and experiment with different data sources, different parameters, and different algorithms to test out the concept of an automated risk assessment census. We are also eager for input to help sanitize and complete the data that was used in this first iteration of the census."


The Core Infrastructure Initiative census project

Posted Jul 9, 2015 20:31 UTC (Thu) by tpo (subscriber, #25713) [Link] (2 responses)

Their census results are broken (duplicate entries in weird order), so that's what should be fixed first.
*t

The Core Infrastructure Initiative census project

Posted Jul 9, 2015 21:36 UTC (Thu) by ejratl (guest, #4925) [Link] (1 responses)

The duplicates have been fixed. The order is by "risk score". Click on any of the headings to re-order in your preferred order.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 0:28 UTC (Fri) by mtaht (subscriber, #11087) [Link]

To me, stuff that runs as root is an immediate risk factor. 'course, in my world, that's all of embedded.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 5:37 UTC (Fri) by pabs (subscriber, #43278) [Link] (3 responses)

Surely it would be a no-brainer to focus on security of the Linux kernel? In particular it would be great if LF funded merging grsec/PaX features into Linux.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 13:46 UTC (Fri) by ejratl (guest, #4925) [Link] (2 responses)

The Linux kernel gets a lot of attention and is a well-resourced project. The focus of CII is first on underserved projects. The grsecurity folks do great work, so it would be interesting to see a grant proposal from them and it would get attention and consideration by the CII Steering Committee. grsecurity has been around for a long time and the idea of upstreaming their work is always popular - why hasn't it been done already? (There were calls for this to happen over a decade ago, so I am genuinely curious what has happened in the interim.)

The Core Infrastructure Initiative census project

Posted Jul 12, 2015 1:03 UTC (Sun) by speedster1 (guest, #8143) [Link] (1 responses)

> grsecurity has been around for a long time and the idea of upstreaming their work is always popular - why hasn't it been done already?

That idea *is* always popular... among those not personally involved with getting the code into the kernel. When Brad Spencer actually tried this feat a long time ago, it revealed substantial culture and/or personality barriers between PAX/grsecurity and kernel projects, with neither side sufficiently motivated to overcome them. I think it would be a great service to the world if LF could manage to come up with a developer who can get along with both sides and is qualified to be the in-kernel maintainer.

The Core Infrastructure Initiative census project

Posted Jul 12, 2015 10:27 UTC (Sun) by Wol (subscriber, #4433) [Link]

Simply put, the security people see security bugs as "this is an emergency". The kernel people (Linus especially) see it as "a bug is a bug". As a result, the security people trying to get their fixes seen as high priority simply annoys the senior kernel team.

And you can't really, objectively, come down on either side. If there are known exploits, then the kernel team *do* treat bugs as serious. But they take the attitude, mostly, "all bugs could be a security exploit, why prioritise?". (And they also take the attitude "if it's a bug, let's get it fixed!")

Cheers,
Wol

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 5:43 UTC (Fri) by pabs (subscriber, #43278) [Link] (2 responses)

Some of the CVE counts are wrong, for example whois should be 1 CVE.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 13:53 UTC (Fri) by ejratl (guest, #4925) [Link] (1 responses)

CVE counts are pulled from Debian. For whois, the count is pulled from https://security-tracker.debian.org/tracker/source-packag... . This does show 1 CVE, but only CVEs since 2010 are counted by the Census program. I will update the webpage to make it more clear that only CVEs since 2010 get counted.

The Core Infrastructure Initiative census project

Posted Jul 13, 2015 3:30 UTC (Mon) by pabs (subscriber, #43278) [Link]

Why would you not count old CVEs?

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 6:35 UTC (Fri) by josh (subscriber, #17465) [Link] (2 responses)

I'm surprised that 0 CVEs wasn't considered to be a serious warning sign. They hinted that it might be an indication that nobody has looked, but the methodology does not reflect that.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 11:34 UTC (Fri) by david.a.wheeler (subscriber, #72896) [Link] (1 responses)

On the other hand, 0 CVEs could indicate that the software is very secure, or that the software is not usually significantly related to security.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 14:37 UTC (Fri) by lamawithonel (subscriber, #86149) [Link]

Unless there's a formal proof, 0 CVEs total is a warning sign to me. Seeing a handful of CVEs that were promptly fixed is a better sign, IMO.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 13:04 UTC (Fri) by mcatanzaro (subscriber, #93033) [Link] (2 responses)

I checked for glib-networking on the first seven pages and didn't find it. It's one package with zero active developers that is responsible for handling TLS -- notably it implements its own certificate verification -- for all GNOME and GNOME-related applications, as well as non-GNOME applications that use GLib. If that's not important, I don't know what is....

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 13:39 UTC (Fri) by ejratl (guest, #4925) [Link] (1 responses)

This is exactly the type of feedback that we are looking for. In the form of a pull request for an addition to projects-to-examine.csv, it would be ideal.

The Core Infrastructure Initiative census project

Posted Jul 10, 2015 16:13 UTC (Fri) by mcatanzaro (subscriber, #93033) [Link]

Will do, thanks!


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds