<div dir="ltr">Am I searching properly if I end up showing 47 Urgent bugs for Fedora? Note: I had to use the "Browse" (beta) function before a Priority option showed up. It wasn't there under the simple or advanced search tabs.<div>
<br></div><div>- Tim</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 10, 2014 at 1:44 PM, Eric H. Christensen <span dir="ltr"><<a href="mailto:sparks@fedoraproject.org" target="_blank">sparks@fedoraproject.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
</div><div class="">On Wed, Jul 09, 2014 at 11:26:36PM +0200, Marc Deop Argemí wrote:<br>
> On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote:<br>
> > On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote:<br>
</div><div class="">> > > Can you provide link where I can get this list of bugs?<br>
> ><br>
> > So, first, sorry for not immediately writing this message up when I<br>
> > subscribed you but I'm a little crowded with a lot of little things around<br>
> > and I have the attention span of... wait, what was I saying?<br>
> ><br>
> > Oh right, bugs. Yes, so I'll tell you where they are and let you run them<br>
> > down. You won't be able to search for them in a certain component as they<br>
> > are filed against the packages themselves. If you search using the<br>
> > keywords "SecurityTracking" you'll find them all. You should also be able<br>
> > to use the priority to comb through by priority*. You can easily search<br>
> > for a subset of the bugs and come up with what you're looking for like all<br>
> > the critical ones[0]. I'll go through and post links on the wiki to make<br>
> > it easier for everyone to find.<br>
><br>
> In a few minutes search I could not find a way to come up with a search that gave<br>
> me such a number of open security bugs in Fedora. Would you mind sharing the<br>
> specific parameters you used to get such a result?<br>
<br>
</div>Product: Fedora<br>
Keywords: SecurityTracking<br>
Priority: urgent (this will get you the most critical security bugs)<br>
<br>
You can leave Priority blank and get all of the bugs but that will be a mess.<br>
<div class=""><br>
> [OFFTOPIC]<br>
> Please please please, now that we are on a "security-team" list, do not use url<br>
> shorteners!!!! those things are only for limited characters environments like<br>
> Twitter or the like ;-)<br>
> [/OFFTOPIC]<br>
<br>
</div>No, they aren't just for limited character environments. I'd much prefer see the short url in an email than:<br>
<br>
<a href="https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2636275&priority=urgent&query_format=advanced" target="_blank">https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2636275&priority=urgent&query_format=advanced</a><br>
<br>
That said, these links will be placed on a wiki page so they are easier to get to. Bug URLs aren't as long and messy as the above and shouldn't need to be shortened.<br>
<div class=""><br>
> > So I see two tasks that need to really get going... now. First, we need to<br>
> > look at the critical bugs and make sure they are being addressed. Second,<br>
> > we need to look at all the unprioritized bugs and get them prioritized so<br>
> > we know where they are in the mix. The priorities come from the CVEs that<br>
> > they block but you'll have to dig it out of the whiteboard.<br>
><br>
> How do we make sure the bugs are being addressed? so far I only could see<br>
> ourselves as a team of people "bugging" the package maintainers to patch their<br>
> packages if they are involved in a CVE.<br>
><br>
> What can we *REALLY* do? (besides providing a patch for the code or the<br>
> package?)<br>
><br>
> Maybe in the future we get some recognition from the fedora community and we<br>
> have some voice/power...<br>
<br>
</div>And that's what this experiment is all about. We really don't need to *bug* people about this stuff but rather do the work if they won't.<br>
<br>
If a security bug comes up and the packager doesn't seem involved then we need to go upstream and see if there is a fix. If upstream has a fix then we need to make sure the packager knows that the fix is available and that it needs to get shipped. If upstream isn't aware we need to open a ticket upstream and link it with our ticket. Once we have a fix and the packager(s) seem unwilling to take action we need to go to FESCo and ask for them to take action. I'm assuming it will be rare to have to go to such measures as to go to FESCo.<br>
<div class=""><br>
> > So we don't bump heads while working on things lets just send what you are<br>
> > working on to the list so we'll all know who has what for now. Lets<br>
> > concentrate on the urgent bugs and prioritizing. So if anyone wants to<br>
> > start working on 905373 just roger up for it on the list and start working.<br>
><br>
> I took the liberty of setting up an IRC Channel in <a href="http://irc.freenode.net" target="_blank">irc.freenode.net</a>: #fedora-<br>
> security-team<br>
<br>
</div>Yeah, I thought about using #fedora-security but, like the security list, it seems to be more end-user questions/advice than actual work. I'll join up now.<br>
<br>
- --Eric<br>
<div class=""><br>
- --------------------------------------------------<br>
Eric "Sparks" Christensen<br>
</div>Red Hat, Inc - Product Security<br>
<br>
<a href="mailto:sparks@redhat.com">sparks@redhat.com</a> - <a href="mailto:sparks@fedoraproject.org">sparks@fedoraproject.org</a><br>
<div class="">097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1<br>
</div><div class="">- --------------------------------------------------<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1<br>
<br>
</div>iQGcBAEBCgAGBQJTvtEQAAoJEB/kgVGp2CYvCEAL/RZpMQnKTvOoSwYk+gLjYo1c<br>
lCuVWWSm1slv8wzxzrOJPcnM73iwI2hKknua9KpG0WVIYJS92tv8d2RMvhTkBc+0<br>
cBbeXX3j69mhD+dft+4XvOwMEE+mHYFj9jiCYKL17GX/WFhc5Stx3Rbb4iwib7rx<br>
l8p5qeQGAeZPN9m7Kly3wLp5OJVueiyzLR2TC9aaSAWd0+eWE5kSpkQ1dkJzDV73<br>
JBmytwDaZKZ8MzPZIgcp7MWf863xi5FfACkd3XmYfe/LSaUL2awSAhqLg04k7Nyk<br>
cJ0vWMZ/bRgYTtpSukzkVHGYfeXTAecabv5+DBNtMjF/ShRrEBldjG2EFihOhJDc<br>
mfC6Z2TH2aSLX7/OG0xS3AE5oq2Ge8GPPg5dHPOT7dPoBp3ZMII56MbJDO4kP4hJ<br>
pwO1wo/5+iuehQma4goCcolmNRPCsXoMZmilsvi1dm0zmiDZSMBSp6Yhw0cvFA6F<br>
XBa6OopGUiPVTHIXoaciZIuu4c655tTP69tpcwhR+g==<br>
=BfQl<br>
-----END PGP SIGNATURE-----<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
security-team mailing list<br>
<a href="mailto:security-team@lists.fedoraproject.org">security-team@lists.fedoraproject.org</a><br>
<a href="https://lists.fedoraproject.org/mailman/listinfo/security-team" target="_blank">https://lists.fedoraproject.org/mailman/listinfo/security-team</a><br>
</div></div></blockquote></div><br></div>