fixes from review

* make each relevant heading a link * HP->HPE, fix spelling of Arxan * add mainline linuxkit insecure blurb Signed-off-by: Tycho Andersen <tycho@docker.com>
2025-10-31 11:59:11 +00:00 · 2017-05-24 11:35:14 -06:00
parent 020c84d01f
commit dfbbfee3b5
1 changed files with 10 additions and 9 deletions
--- a/reports/sig-security/2017-05-24.md
+++ b/reports/sig-security/2017-05-24.md
@@ -29,7 +29,7 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
 * Administrivia
  * There is a code of conduct
-  * Attendees from Docker, Intel, HP, Google, IBM, ARM, Arksan (sp?) technologies
+  * Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arkxan Technologies
 * What is LinuxKit?
  * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro
    building tool, not a distro itself
@@ -39,30 +39,30 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
    distributed as Docker images
  * base OS is immutable, since daemons are containers
 * Projects
-  * Clear Containers
+  * [Clear Containers](../../projects/clear-containers/)
    * Question: what's the Intel feeling r.e. kvmtool, are they still
      interested in using it for clear containers?
-  * Kernel config
+  * [Kernel config](../../projects/kernel-config/)
    * working on a more-sane way to manage kernel config, centered around diffs
      from defconfig instead of whole configs
-  * Landlock
+  * [Landlock](../../projects/landlock/)
    * eBPF LSM that may be a better solution to some of the problems that
      SELinux can also solve
    * no assumptions about policy, subjects, objects, etc. made by other LSMs
  * LSM stacking
    * hopefully this decade :)
    * previous versions went up to a v22, but progress being made
-  * mirageSDK
+  * [mirageSDK](../../projects/miragesdk/)
    * re-write system daemons that have lots attack surface but don't get much
      attention (dhcpd is a great example, needs privs for netlink and such)
    * dhcpd works (used in Docker desktop client)
    * hoping to submit to google clusterfuzz
-  * okernel
+  * [okernel](../../projects/okernel/)
    * improve the linux kernel's ability to protect its own integrity
    * leverage modern CPU support for things like EPT, to split the kernel into
      two parts
    * https://github.com/linux-okernel/linux-okernel
-  * Wireguard
+  * [Wireguard](../../projects/wireguard/)
    * new "VPN" tunnel, meant to replace IPSec or OpenVPN
    * much smaller codebase
    * modern crypto
@@ -70,7 +70,7 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
      base64 encoded keys
    * kernel module for now, working on upstreaming
    * exposes a network device, so everything going through it is secure
-  * IMA namespacing
+  * [IMA namespacing](../../projects/wireguard/)
    * IMA itself is designed to detect any changes to files
    * allows users to specify policies about which files to check
    * EVM protects changes to file xattrs, etc.
@@ -78,7 +78,8 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
      custom policies per-mount-namespace policies
 * "hardened" channel
  * maybe don't call it "hardened", since it really means "testing" (staging,
-    probational)
+    probational), "hardened" also makes it sound like mainline LinuxKit isn't
    secure somehow
  * require CI for graduation
 * wrap up
  * forum link above