Fedora Activity Day: Security I
03 Nov 2014Last Saturday a few of us gathered to work on Fedora Security. This FAD (Fedora Activity Day) was the second in recent times held in Pune, after the testing FAD held in August.
[caption id="" align="aligncenter" width="640"] Security FAD[/caption]
The goal of the FAD was to get introduced to the newly-formed Fedora Security Team, pick up a few bug reports that were tagged as security-relevant bug reports, and triage them. Fixing the bugs wasn't part of the agenda, as actually pushing package updates needs one to be a provenpackager or the maintainer of the package.
We were assembled at the Red Hat Pune office. I took a shot at transcribing PJP's intro talk on the #fedora-india IRC channel, and a couple of people joined remotely in the triaging activity, which was quite nice to see.
The FAD wiki page had all the relevant information on how to go about triaging the bugs, so it was all quite straightforward from there.
I got a bit bored by just going through bug reports, without much "action" happening -- it depended on the bug we selected on whether we just needed to set needinfo? on the assignee of the bug, or actually check progress of packages upstream, whether a patch was available, etc. I just looked through bugs which looked relevant to virtualization, and then wanted to look at different ways to contribute.
PJP suggested looking at some fuzzers, and actually running them. He pointed me to Radamsa as an example. That does look like a good tool to generate some random input to programs, and see how they behave under unexpected input. I didn't actually get to run it, but now have an idea on what to do when I feel bored again.
While reading about Radamsa, I also thought a bit on how to fuzz qemu. Nothing concrete came up, but one thought is to send weird stuff from guests to the host, by way of weirdly-formatted network packets (to test virtio-net or other net device emulations), or block device requests (to test virtio-blk / virtio-scsi / ide / ahci). That's an idea for a side project.
There also was a Docker meetup running at the same time at the office, so I dropped in there a couple of times to see what they were upto. The organizers had split the session into talks + hackathon; and both were very well-attended. In my lurking there, I overheard what Kubernetes is about, and a few terminologies it introduces into the tech world: minions and pods. I'm sure we're going to run out of words in the English language to re-purpose to technical usage very soon.
The FAD was originally supposed to happen in September, but got delayed to November. For the next installation of Fedora-related activities, we may do an F21 release party along with a few user talks. Regular FADs should resume in January, I suppose.