On 2/17/2025 4:45 AM, Dr. Greg wrote: > On Mon, Feb 10, 2025 at 01:03:02PM -0800, James Morris wrote: > > Good morning, I hope the week is starting well for everyone. > >> The Call for Participation for the 2025 Linux Security Summit North >> America (LSS-NA) is now open. >> >> LSS-NA 2025 is a technical forum for collaboration between Linux >> developers, researchers, and end-users. Its primary aim is to foster >> community efforts in deeply analyzing and solving Linux operating system >> security challenges, including those in the Linux kernel. Presentations >> are expected to focus deeply on new or improved technology and how it >> advances the state of practice for addressing these challenges. >> >> Key dates: >> >> - CFP Closes: Monday, March 10 at 11:59 PM MDT / 10:59 PM PDT >> - CFP Notifications: Monday, March 31 >> - Schedule Announcement: Wednesday, April 2 >> - Presentation Slide Due Date: Tuesday, June 24 >> - Event Dates: Thursday, June 26 ??? Friday, June 27 >> >> Location: Denver, Colorado, USA (co-located with OSS). > I reflected a great deal before responding to this note and finally > elected to do so. Given the stated desire of this conference to > 'focus deeply on new or improved technologies' for advancing the state > of practice in addressing the security challenges facing Linux, and > presumably by extension, the technology industry at large. > > I'm not not sure what defines membership in the Linux 'security > community'. I first presented at the Linux Security Summit in 2015, > James you were moderating the event and sitting in the first row. > > If there is a desire by the Linux Foundation to actually promote > security innovation, it would seem the most productive use of > everyone's time would be to have a discussion at this event focusing > on how this can best be accomplished in the context of the current > Linux development environment. > > If we have done nothing else with our Quixote/TSEM initiative, I > believe we have demonstrated that Linux security development operates > under the 'omniscient maintainer' model, a concept that is the subject > of significant discussion in other venues of the Linux community: > > https://lore.kernel.org/lkml/CAEg-Je9BiTsTmaadVz7S0=Mj3PgKZSu4EnFixf+65bcbuu7+WA@xxxxxxxxxxxxxx/ > > I'm not here to debate whether that is a good or bad model. I do > believe, that by definition, it constrains the innovation that can > successfully emerge to something that an 'omniscient' maintainer > understands, feels comfortable with or is not offended by. > > It should be lost on no one that the history of the technology > industry has largely been one of disruptive innovation that is > completely missed by technology incumbents. > > The future may be the BPF/LSM, although no one has yet publically > demonstrated the ability to implement something on the order of > SeLinux, TOMOYO or Apparmor through that mechanism. It brings as an > advantage the ability to innovate without constraints as to would be > considered 'acceptable' security. > > Unfortunately, a careful review of the LSM mailing list would suggest > that the BPF/LSM, as a solution, is not politically popular in some > quarters of the Linux security community. There have been public > statements that there isn't much concern if BPF breaks, as the concept > of having external security policy is not something that should be > supported. > > We took an alternative approach with TSEM, but after two years of > submissions, no code was ever reviewed. 1. Not true. 2. I have suggested changes to the way you submit patches that will make reviewing your code easier. You have ignored these suggestions. 3. Recommendations have been made about your approach. Your arguments have been heard. > I'm not here to bitch about > that, however, the simple fact is that two years with no progress is > an eternity in the technology industry, particularly security, and > will serve to drive security innovation out of the kernel. > > One can make a reasoned and informed argument that has already > happened. One of the questions worthy of debate at a conference with > the objectives stated above. > > I apologize if these reflections are less than popular but they are > intended to stimulate productive discussion, if the actual intent of > the conference organizers is to focus deeply on new and improved > security technology. Please propose a talk for the summit. Talks have a limited duration, so do be concise. > > There is far more technology potentially available than there are good > answers to the questions as to how to effectively exploit it. > >> James Morris >> <jmorris@xxxxxxxxx> > Best wishes for a productive week. > > As always, > Dr. Greg > > The Quixote Project - Flailing at the Travails of Cybersecurity > https://github.com/Quixote-Project >
