On Mon, Feb 10, 2025 at 01:03:02PM -0800, James Morris wrote: Good morning, I hope the week is starting well for everyone. > The Call for Participation for the 2025 Linux Security Summit North > America (LSS-NA) is now open. > > LSS-NA 2025 is a technical forum for collaboration between Linux > developers, researchers, and end-users. Its primary aim is to foster > community efforts in deeply analyzing and solving Linux operating system > security challenges, including those in the Linux kernel. Presentations > are expected to focus deeply on new or improved technology and how it > advances the state of practice for addressing these challenges. > > Key dates: > > - CFP Closes: Monday, March 10 at 11:59 PM MDT / 10:59 PM PDT > - CFP Notifications: Monday, March 31 > - Schedule Announcement: Wednesday, April 2 > - Presentation Slide Due Date: Tuesday, June 24 > - Event Dates: Thursday, June 26 ??? Friday, June 27 > > Location: Denver, Colorado, USA (co-located with OSS). I reflected a great deal before responding to this note and finally elected to do so. Given the stated desire of this conference to 'focus deeply on new or improved technologies' for advancing the state of practice in addressing the security challenges facing Linux, and presumably by extension, the technology industry at large. I'm not not sure what defines membership in the Linux 'security community'. I first presented at the Linux Security Summit in 2015, James you were moderating the event and sitting in the first row. If there is a desire by the Linux Foundation to actually promote security innovation, it would seem the most productive use of everyone's time would be to have a discussion at this event focusing on how this can best be accomplished in the context of the current Linux development environment. If we have done nothing else with our Quixote/TSEM initiative, I believe we have demonstrated that Linux security development operates under the 'omniscient maintainer' model, a concept that is the subject of significant discussion in other venues of the Linux community: https://lore.kernel.org/lkml/CAEg-Je9BiTsTmaadVz7S0=Mj3PgKZSu4EnFixf+65bcbuu7+WA@xxxxxxxxxxxxxx/ I'm not here to debate whether that is a good or bad model. I do believe, that by definition, it constrains the innovation that can successfully emerge to something that an 'omniscient' maintainer understands, feels comfortable with or is not offended by. It should be lost on no one that the history of the technology industry has largely been one of disruptive innovation that is completely missed by technology incumbents. The future may be the BPF/LSM, although no one has yet publically demonstrated the ability to implement something on the order of SeLinux, TOMOYO or Apparmor through that mechanism. It brings as an advantage the ability to innovate without constraints as to would be considered 'acceptable' security. Unfortunately, a careful review of the LSM mailing list would suggest that the BPF/LSM, as a solution, is not politically popular in some quarters of the Linux security community. There have been public statements that there isn't much concern if BPF breaks, as the concept of having external security policy is not something that should be supported. We took an alternative approach with TSEM, but after two years of submissions, no code was ever reviewed. I'm not here to bitch about that, however, the simple fact is that two years with no progress is an eternity in the technology industry, particularly security, and will serve to drive security innovation out of the kernel. One can make a reasoned and informed argument that has already happened. One of the questions worthy of debate at a conference with the objectives stated above. I apologize if these reflections are less than popular but they are intended to stimulate productive discussion, if the actual intent of the conference organizers is to focus deeply on new and improved security technology. There is far more technology potentially available than there are good answers to the questions as to how to effectively exploit it. > James Morris > <jmorris@xxxxxxxxx> Best wishes for a productive week. As always, Dr. Greg The Quixote Project - Flailing at the Travails of Cybersecurity https://github.com/Quixote-Project
