security-team [ARCHIVED] September 2015

security-team@lists.fedoraproject.org

10 participants
19 discussions

[Fedocal] Reminder meeting : Security Team Meeting
by Nobody 30 Sep '15

30 Sep '15

Dear all, You are kindly invited to the meeting: Security Team Meeting on 2015-10-01 from 14:00:00 to 15:00:00 UTC At fedora-meeting(a)irc.freenode.net The meeting will be about: More information available at: [https://fedoraproject.org/wiki/Security_Team_meetings](https://fedoraprojec… Source: https://apps.fedoraproject.org/calendar/meeting/2849/

1 0

Security Team meeting minutes for 2015-09-24
by Eric Christensen 24 Sep '15

24 Sep '15

====================================================================================================== #fedora-meeting: Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings ====================================================================================================== Meeting started by Sparks at 14:00:57 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2015-09-24/fedora_security_… . Meeting summary --------------- * Roll Call (Sparks, 14:01:02) * LINK: https://lists.fedoraproject.org/pipermail/security-team/2015-September/0003… (mhayden, 14:06:07) * Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better" (Sparks, 14:09:53) * Follow up on last week's tasks (Sparks, 14:09:59) * Outstanding BZ Tickets (Sparks, 14:12:01) * Thursday's numbers: Critical 0 (0), Important 42 (-2), Moderate 409 (+7), Low 152 (-4), Total 603 (Sparks, 14:12:10) * The recent BZ upgrade has broken my script so I'll need to get that worked out OR I can just start using/relying on mhayden's script. (Sparks, 14:12:42) * IDEA: Use mhayden's script to create a dashboard and host it somewhere (fedorapeople?) (Sparks, 14:16:54) * IDEA: Somehow push information to fedmsg (Sparks, 14:17:18) * LINK: https://github.com/major/fedora-meeting-report (mhayden, 14:17:57) * LINK: https://github.com/major/fedora-meeting-report (Sparks, 14:18:06) * ACTION: Sparks to add "issues" to fedora-meeting-report on github (Sparks, 14:19:25) * Handling embargoed issues (Sparks, 14:23:25) * We now have security(a)fp.o going to security-private(a)l.fp.o and we have a few people subscribed to security-private(a)l.fp.o. (Sparks, 14:24:19) * FabioOlive Started a discussion on security-team(a)l.fp.o regarding moving the FST into a more proactive role of handling security bugs. (Sparks, 14:25:33) * 1,639 views on the fedoramag blog post about the security team (mhayden, 14:26:54) * It appears we *could* create a GPG key and put it on several Yubikeys and hand those out. (Sparks, 14:27:17) * ACTION: Sparks to talk with mattdm regarding private security tickets in BZ. (Sparks, 14:38:19) * Open floor discussion/questions/comments (Sparks, 14:51:06) * https://sparkslinux.wordpress.com/?s=keysigning (Sparks, 14:57:00) * ACTION: Sparks to start a discussion on the FST list regarding an online video GPG key signing event. (Sparks, 14:57:51) Meeting ended at 15:00:08 UTC. Action Items ------------ * Sparks to add "issues" to fedora-meeting-report on github * Sparks to talk with mattdm regarding private security tickets in BZ. * Sparks to start a discussion on the FST list regarding an online video GPG key signing event. Action Items, by person ----------------------- * Sparks * Sparks to add "issues" to fedora-meeting-report on github * Sparks to talk with mattdm regarding private security tickets in BZ. * Sparks to start a discussion on the FST list regarding an online video GPG key signing event. * **UNASSIGNED** * (none) People Present (lines said) --------------------------- * Sparks (97) * FabioOlive (24) * mhayden (22) * Astradeus (20) * zodbot (5) * threebean (3) * d-caf (2) * Southern_Gentlem (2) * CRob (1) 14:00:57 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings 14:00:57 <zodbot> Meeting started Thu Sep 24 14:00:57 2015 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:57 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:01:00 <Sparks> #meetingname Fedora Security Team 14:01:00 <zodbot> The meeting name has been set to 'fedora_security_team' 14:01:02 <Sparks> #topic Roll Call 14:01:04 * Sparks 14:01:06 * d-caf 14:01:09 * Astradeus 14:02:50 * mhayden 14:03:19 <Sparks> Oh good, the BZ upgrade broke my script. 14:03:52 <Sparks> mhayden: Does your script still work? 14:04:00 * mhayden looks 14:04:08 <Sparks> mhayden: Mine is coming back as "2" for each category. 14:04:20 <Sparks> Oh which I'm assuming is incorrect. 14:04:33 <mhayden> sorry, forgot to send out the summary today 14:05:28 <mhayden> Sparks: sent to ML just now 14:05:32 <Sparks> TU 14:06:07 <mhayden> https://lists.fedoraproject.org/pipermail/security-team/2015-September/0003… 14:07:53 <Sparks> Okay, the agenda has been updated. 14:09:53 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better" 14:09:59 <Sparks> #topic Follow up on last week's tasks 14:10:06 <Sparks> mhayden to work with Ryan to get the article published 14:10:19 <Sparks> mhayden: This happened. Anything you'd like to say here? 14:10:32 <mhayden> thanks for the help in getting that together, everyone 14:10:35 * mhayden will go check the stats 14:11:04 <Sparks> FabioOlive to write up a summary of the embargo discussion and send it to the security team list. 14:11:23 <Sparks> This happened as well. I haven't responded, yet, but I have some ideas. 14:11:52 * Sparks thinks FabioOlive is not feeling well this morning and won't be joining us. 14:12:01 <Sparks> #topic Outstanding BZ Tickets 14:12:10 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 42 (-2), Moderate 409 (+7), Low 152 (-4), Total 603 14:12:42 <Sparks> #info The recent BZ upgrade has broken my script so I'll need to get that worked out OR I can just start using/relying on mhayden's script. 14:13:01 <Sparks> Anyone have anything regarding BZ tickets? 14:13:05 <mhayden> i just merged in Astradeus' sqlite changes in github 14:13:48 <Astradeus> and i just verified, that that version still works with bugzilla 14:13:49 <Sparks> mhayden: I wonder how difficult it would be to use your script to create a web "dashboard" with pretty charts and such. 14:13:51 <mhayden> i'll give it a test 14:14:09 <mhayden> Sparks: if we have a database accessible, not terribly difficult 14:14:17 <mhayden> could even generate static html with it 14:14:20 <Sparks> We can still report basic numbers here but I've always wanted something better. 14:14:42 <Sparks> mhayden: I'll happily help out but I'm not really sure how to get from here to there. 14:15:31 <Sparks> mhayden: Maybe show how many FST members have how many tickets and their trends (how many tickets have each FST member helped close, etc). 14:16:04 <Sparks> mhayden: And it would be really nice if we could somehow feed that kind of data into fedmsg 14:16:08 <mhayden> totally 14:16:21 <mhayden> i'd be glad to help but $dayjob is heating up for the next 1-2 months :/ 14:16:41 <Astradeus> i'd have some time, but i'd need requests ;) 14:16:54 <Sparks> #idea Use mhayden's script to create a dashboard and host it somewhere (fedorapeople?) 14:17:17 <threebean> where is this script? 14:17:18 <Sparks> #idea Somehow push information to fedmsg 14:17:32 <Sparks> mhayden: Should we just use github for devel? 14:17:43 <Sparks> mhayden: And, if so, could you post the URL? 14:17:57 <mhayden> https://github.com/major/fedora-meeting-report 14:17:58 <Astradeus> and i'd need someone to assist me a little bit with fedora infrastructure 14:18:06 <Sparks> #link https://github.com/major/fedora-meeting-report 14:18:19 <Sparks> mhayden: What's it written in? 14:18:28 <mhayden> python 14:18:36 * Sparks goes to find his python book 14:18:58 * mhayden has his head in openstack all day ;) 14:18:59 <threebean> ty. FYI, we expect to have fedmsg messages from bugzilla in early 2016 (like, January). but the date has been pushed back many times now.. 14:19:15 <mhayden> threebean: i will buy you a breakfast taco when that's working :) 14:19:23 <mhayden> (that's like currency in south texas) 14:19:25 <Sparks> #action Sparks to add "issues" to fedora-meeting-report on github 14:19:26 <threebean> I will totally eat it, mhayden. 14:20:05 <Sparks> threebean: That will be awesome when that happens. 14:21:57 <Sparks> Okay, anything else on this? 14:22:59 <d-caf> nope, I'm still slammed at work so not much progress 14:23:10 <Sparks> d-caf: Understood 14:23:18 * Sparks summons FabioOlive to the room 14:23:25 <Sparks> #topic Handling embargoed issues 14:23:33 <Sparks> Sorry, I just added this to the agenda 14:23:44 <FabioOlive> .fas fleite 14:23:44 <zodbot> FabioOlive: fleite 'Fabio Olive Leite' <fabio.olive(a)gmail.com> 14:23:59 <FabioOlive> hmm that should have changed to fabio(a)olive.pro.br by now 14:24:19 <Sparks> #info We now have security(a)fp.o going to security- private(a)l.fp.o and we have a few people subscribed to security-private(a)l.fp.o. 14:24:52 <Sparks> FabioOlive: https://admin.fedoraproject.org/accounts 14:25:33 <Sparks> #info FabioOlive Started a discussion on security- team(a)l.fp.o regarding moving the FST into a more proactive role of handling security bugs. 14:25:47 <Sparks> Does anyone have anything they'd like to discuss regarding that? 14:26:36 <FabioOlive> how do we manage a private key for encrypted reports? 14:26:48 <Sparks> FabioOlive: I spoke with bress the other day... 14:26:54 <mhayden> #info 1,639 views on the fedoramag blog post about the security team 14:27:11 <Sparks> It appears we *could* create a GPG key and put it on several Yubikeys and hand those out. 14:27:17 <Sparks> #info It appears we *could* create a GPG key and put it on several Yubikeys and hand those out. 14:28:23 <Sparks> There would be a cost for the Yubikeys but, to me, that's the best way to handle distributing keys. 14:29:06 <Sparks> s/best/better 14:29:19 <FabioOlive> that is interesting, considering there is a cost, do we want to limit the participation in the private list? 14:29:27 <Sparks> There is likely a best way but it involves using hard/software that's proprietary 14:29:35 <FabioOlive> like 3 or 4 people at most, and obviously without too much turnover 14:29:48 <Sparks> That was my thought. 14:30:20 <Sparks> The responsibility of those people should be to open/manage a BZ ticket that's "private" and use that to keep upstream and packagers informed. 14:30:25 <Sparks> IMO 14:31:29 <FabioOlive> yeah. any ideas for how we handle the BZs? if we can't have private BZs, do we want to have "empty" BZs or something? 14:32:12 <Sparks> I wonder if we *could* have private BZs in this case. We'd end up making the entire ticket public at some point in the future is that still bad? 14:32:17 <Sparks> mattdm: ^^^ 14:32:27 * Sparks ponders who to talk with regarding that. 14:33:49 <Astradeus> what use do 'empty' BZs have? 14:35:00 <FabioOlive> yeah, they would just signal "a bug in component X", so it would be dumb 14:35:27 <FabioOlive> and if we open an empty bug and later on fill it with security stuff, it becomes obvious for the future "empty" bugs 14:35:46 <FabioOlive> sorry, I'm feeling particularly stupid today, been a bit sick 14:36:06 <Sparks> I don't like that idea. We need a sane place to do work. 14:36:06 <Astradeus> so it would be for statistics? 14:36:20 <FabioOlive> yeah, forget I ever mentioned "empty" bugs 14:37:25 <Sparks> FabioOlive: I mean, it's an idea but I don't think it's very useful for what I feel we need. 14:37:30 <FabioOlive> yeah 14:37:46 <Sparks> Okay, I'll talk with mattdm OOB and see what he thinks. 14:37:50 <Sparks> Anyone have anything else? 14:37:56 <Astradeus> anyone has an idea on the traffic on those security@-lists? 14:38:19 <Sparks> #action Sparks to talk with mattdm regarding private security tickets in BZ. 14:38:32 <Sparks> Astradeus: What's the question? 14:38:52 <Astradeus> i mean if it's 4 embargo-worthy tickets a months i'd say just keep it without a BZ-ticket until it is public 14:39:22 <Sparks> Astradeus: Well, how do we communicate, securely, with upstream and the packager? 14:39:39 <Sparks> Astradeus: And if we don't then what's the purpose of knowing about an embargoed issue ahead of time? 14:41:15 <FabioOlive> Sparks: can we use the private list only for getting the notification and assigning a responsible FST member to deal with it? then this FST member emails the maintainer privately, using their GPG key, and the maintainer talks to the upstream project, privately, to obtain the fix? 14:41:30 <Astradeus> so the idea is that only a few people have the private gpg key and have some means to distribute the issue to a bigger group (=security team or something alike) if necessary? 14:41:48 <FabioOlive> so the security-private list would serve only as a central point of contact and "dispatching" the work to the right maintainer 14:42:11 <FabioOlive> and maybe taking over the work in case of a non- responsive maintainer 14:42:25 <Astradeus> more or less what FabioOlive said^^ 14:42:27 <Sparks> FabioOlive: Assuming that's all possible... 14:42:56 <FabioOlive> yeah, I'm trying to think of the workflow, and then we figure out the resources needed given the workflow 14:43:17 <Sparks> FabioOlive: Which is why I liked the idea of using BZ... It's a fairly common, secure means of communicating with all parties involved. 14:43:26 <FabioOlive> the goal being that we can prepare a security update during embargo in order to build and approve immediately after unembargo 14:43:55 <FabioOlive> Sparks: yeah, but can Fedora use private bugs? I don't know that, my only use of BZ has been with my Red Hat credentials. 14:44:27 <Astradeus> Sparks: what stops us from getting the same method for private tickets in BZ as the RH people? 14:44:37 <Sparks> FabioOlive: Assuming we can. I'm going to talk with mattdm and then whomever he says I should talk with to get an answer on that. 14:44:55 <Sparks> Astradeus: Trust 14:45:18 <Astradeus> Sparks: so there is only one kind of private tickets? 14:45:46 <Sparks> Astradeus: Well, there are private and there are public. The private tickets are private to a specific group. 14:46:16 <Sparks> Astradeus: Well, the specific group and whomever you add onto that ticket. 14:47:39 <Astradeus> i thought of asking for a tickettype whose tickets are private to e.g. the group "fedora-security" 14:48:00 <FabioOlive> yeah, we would need a fedora-security group in bugzilla, and having the people in the private security list be on that group 14:48:13 <Sparks> Yes. 14:48:15 <Sparks> That 14:48:42 <Astradeus> but lets see, what new info we'll have next week :) 14:49:05 <Sparks> Okay, we'll carry this over to next week with a hopeful update on the listserv. 14:49:05 <FabioOlive> :) 14:49:11 <Sparks> Anyone have anything else before we move on? 14:51:06 <Sparks> #topic Open floor discussion/questions/comments 14:51:12 <Sparks> Anyone have anything? 14:51:38 <Astradeus> is it interesting in any way that medium-severity-tickets are growing? 14:51:52 <Sparks> Astradeus++ For his db work on mhayden's script 14:51:58 <Astradeus> thx :) 14:52:03 <Sparks> Astradeus++ 14:52:05 <mhayden> Astradeus++ 14:52:05 <zodbot> mhayden: Karma for astra changed to 2 (for the f22 release cycle): https://badges.fedoraproject.org/tags/cookie/any 14:52:11 <mhayden> MACAROONS FOR EVERYONE 14:52:15 <Sparks> What the heck? 14:52:17 <Astradeus> oha :) 14:52:30 <mhayden> wut 14:52:39 <CRob> yum 14:52:41 <Sparks> Astradeus: Medium-severity tickets will always be growing. 14:53:01 <Sparks> Astradeus: We can attack them as soon as we get all the Important ones out of the way. :) 14:53:45 * Sparks contemplates an online video GPG key signing event for FST 14:54:47 * Sparks notes no one took the bait 14:54:50 <Sparks> Okay then 14:55:08 <Astradeus> i did think about it in terms like "what is this" ^^ 14:55:34 <FabioOlive> Sparks: like people gather in a videoconf and speak their key fingerprints and people sign each others keys? 14:55:35 <Sparks> Astradeus: Ever participated in a key-signing event? 14:56:04 <Sparks> FabioOlive: I was thinking that if we all wrote them down and provided ID then it would be like doing it face-to-face 14:56:39 <Astradeus> Sparks: yes, standard key signing 14:56:39 <FabioOlive> yeah, as long as we can confirm the fingerprints in a way that is not easy to tamper with, like online video, maybe it will work :) 14:56:48 <Astradeus> never with video so far 14:56:52 * Sparks contemplates a blog post 14:57:00 <Sparks> #info https://sparkslinux.wordpress.com/?s=keysigning 14:57:11 <Sparks> Shameless plug 14:57:16 <FabioOlive> Sparks: let's try it out, wouldn't hurt 14:57:51 <Sparks> #action Sparks to start a discussion on the FST list regarding an online video GPG key signing event. 14:57:58 <Sparks> Anyone have anything else? 14:57:59 <Southern_Gentlem> Sparks, as long as its a live video of theperson 14:58:05 <Sparks> Southern_Gentlem: Right 14:58:23 <FabioOlive> then show a piece of paper with the ID printed out and spell it out 14:58:35 * Sparks figured putting something on his blog might yield someone's input of why it wouldn't be a good idea 14:58:37 <FabioOlive> multiple redundant confirmations of the information that would be hard to tamper with 14:58:52 <Southern_Gentlem> upload keys and eveyone display there keys 14:59:23 <Sparks> Okay, anything else before we sign off for the day? 14:59:33 * Sparks notes there is another meeting starting immenently 15:00:05 <Sparks> Okay, thanks for coming out! See you all on the interwebz. 15:00:08 <Sparks> #endmeeting

1 0

Fedora Security Team Report - 2015-09-24
by Major Hayden 24 Sep '15

24 Sep '15

__ _ / _| ___ __| | ___ _ __ __ _ | |_ / _ \/ _` |/ _ \| '__/ _` | Fedora Security Team Report | _| __/ (_| | (_) | | | (_| | Report date: 2015-09-24 09:04:42.961752 |_| \___|\__,_|\___/|_| \__,_| ------------------------------------------------------------------------------- +Tickets by Priority--+-------+---------+ | Priority | Count | Owned | Unowned | +-------------+-------+-------+---------+ | medium | 409 | 43 | 366 | | low | 152 | 14 | 138 | | high | 42 | 25 | 17 | | unspecified | 4 | 0 | 4 | +-------------+-------+-------+---------+ +Tickets by Status-+-------+---------+ | Status | Count | Owned | Unowned | +----------+-------+-------+---------+ | NEW | 520 | 64 | 456 | | ON_QA | 51 | 12 | 39 | | ASSIGNED | 23 | 6 | 17 | | MODIFIED | 13 | 0 | 13 | +----------+-------+-------+---------+ +Tickets by Severity--+-------+---------+ | Severity | Count | Owned | Unowned | +-------------+-------+-------+---------+ | medium | 409 | 43 | 366 | | low | 152 | 14 | 138 | | high | 44 | 25 | 19 | | unspecified | 2 | 0 | 2 | +-------------+-------+-------+---------+ +Tickets by Component+-------+---------+ | Component | Count | Owned | Unowned | +------------+-------+-------+---------+ | cacti | 10 | 0 | 10 | | bugzilla | 10 | 0 | 10 | | xen | 9 | 0 | 9 | | nagios | 9 | 9 | 0 | | qemu | 8 | 4 | 4 | | glibc | 7 | 0 | 7 | | quassel | 7 | 0 | 7 | | mingw-icu | 7 | 0 | 7 | | mingw-pcre | 6 | 0 | 6 | +------------+-------+-------+---------+ +Tickets by Distro Version-------+---------+ | Distro Version | Count | Owned | Unowned | +----------------+-------+-------+---------+ | el6 | 212 | 37 | 175 | | 22 | 127 | 3 | 124 | | 21 | 125 | 7 | 118 | | el5 | 68 | 20 | 48 | | epel7 | 35 | 4 | 31 | | 23 | 33 | 11 | 22 | | unspecified | 3 | 0 | 3 | | rawhide | 3 | 0 | 3 | | 6.6 | 1 | 0 | 1 | +----------------+-------+-------+---------+ -- Major Hayden

1 0

[Fedocal] Reminder meeting : Security Team Meeting
by Nobody 23 Sep '15

23 Sep '15

Dear all, You are kindly invited to the meeting: Security Team Meeting on 2015-09-24 from 14:00:00 to 15:00:00 UTC At fedora-meeting(a)irc.freenode.net The meeting will be about: More information available at: [https://fedoraproject.org/wiki/Security_Team_meetings](https://fedoraprojec… Source: https://apps.fedoraproject.org/calendar/meeting/2849/

1 0

Discussion about handling embargoes
by Fabio Olive Leite 23 Sep '15

23 Sep '15

Hello everyone, On the last FST meeting I took the action item of summarizing to the list the discussion about how we can handle embargoes and private information about vulnerabilities being a 100% open project and only having public build infrastructure. This is not simply an extract from the logs, as it has some commentary, opinions, suggestions, and likely also some mistakes, as it took me a few days to be able to come back to this action item. The Fedora Project, as an independent entity, has a Security Team of its own, but the reality is that the majority of the work is reactive, getting maintainers to update packages after vulnerabilities become public, or handled by Red Hat Product Security engineers when packages span both Fedora and RHEL. There is nothing wrong with Red Hat engineers maintaining Fedora packages, but there should not be a dependence on Red Hat people to perform the work. The main question brought up in the meeting was: how can Fedora deal with embargoed vulnerabilities and prepare updates in a timely fashion if all of its infrastructure is public and open? How can Fedora have a private team of trusted individuals to receive embargoed notifications and prepare an update to be available after unembargo? Clearly it must be possible to do so, since other community projects such as Debian, Gentoo and the BSDs have also earned the trust of companies and organizations and do get embargoed notifications of vulnerabilities. The Fedora Security Team must organize the right resources to make this happen as well. Florian Weimer noted that it wasn't magical for Debian, they just set up with the team, the processes and policies, hoping for the best. In Debian the folks in the Security team are all Debian Developers, so there is some level of trust. Maybe for Fedora we could go with a few Proven Packagers? Maybe what we need to do is come up with a policy stating how we deal with embargoed information, form a team with 3-4 trusted individuals that can receive embargoed information and subscribe them to the security-private mailing list, and then try to win the trust of other distros and vendors that we will do the right thing. There was also the discussion of how much can Fedora benefit from embargoed notifications. The answer seems to be "not much", but one possibility is that, upon receiving the notification to the private list, one of the members of the list gets in touch with the affected package maintainer and helps them prepare a patched package that would be submitted to the build system immediately after the embargo is lifted. This would at least buy us several hours, and we may be able to have updates out on the same day as the vulnerabilities go public. On a later conversation with Sparks, we were also considering how quickly we can push a security update through our mirrors system. It wouldn't be much use to rush a security fix out to the master repositories and have it take days to reach all the mirrors. Would we need some kind of "security-updates" repository that would only carry security fixes while they are fresh and not mirrored everywhere else? Maybe a small centralized repository would not need to handle too much load, if it only contains security fixes for a small period of time while they are still being copied to the other mirrors. Let's discuss this on the list and see what are the next actions on this effort. Cheers! -- Fábio Olivé --- Seja hoje melhor do que você foi ontem. PGP: F1C1 1876 3922 1906 6631 0C31 92A5 9276 250D 8380

3 2

Our post went live!
by Major Hayden 22 Sep '15

22 Sep '15

Woot! http://fedoramagazine.org/security-wranglers-fedora/ -- Major Hayden

4 3

Security Team meeting minutes from 2015-09-17
by Eric Christensen 17 Sep '15

17 Sep '15

1 0

Publishing the Fedora Magazine post about Security Team
by Major Hayden 17 Sep '15

17 Sep '15

Hey Ryan, We've just wrapped up a post on the Fedora Magazine blog (post 9982) and it's in Pending Review. Could you let us know when this might be published? Thanks for your help! -- Major Hayden

1 0

Fedora Security Team Report - 2015-09-17
by Major Hayden 17 Sep '15

17 Sep '15

__ _ / _| ___ __| | ___ _ __ __ _ | |_ / _ \/ _` |/ _ \| '__/ _` | Fedora Security Team Report | _| __/ (_| | (_) | | | (_| | Report date: 2015-09-17 08:46:09.070521 |_| \___|\__,_|\___/|_| \__,_| ------------------------------------------------------------------------------- +Tickets by Priority--+-------+---------+ | Priority | Count | Owned | Unowned | +-------------+-------+-------+---------+ | medium | 406 | 43 | 363 | | low | 156 | 14 | 142 | | high | 44 | 25 | 19 | | unspecified | 4 | 0 | 4 | +-------------+-------+-------+---------+ +Tickets by Status-+-------+---------+ | Status | Count | Owned | Unowned | +----------+-------+-------+---------+ | NEW | 521 | 71 | 450 | | ON_QA | 52 | 5 | 47 | | ASSIGNED | 24 | 6 | 18 | | MODIFIED | 13 | 0 | 13 | +----------+-------+-------+---------+ +Tickets by Severity--+-------+---------+ | Severity | Count | Owned | Unowned | +-------------+-------+-------+---------+ | medium | 406 | 43 | 363 | | low | 156 | 14 | 142 | | high | 46 | 25 | 21 | | unspecified | 2 | 0 | 2 | +-------------+-------+-------+---------+ +Tickets by Component--+-------+---------+ | Component | Count | Owned | Unowned | +--------------+-------+-------+---------+ | qemu | 11 | 4 | 7 | | cacti | 10 | 0 | 10 | | bugzilla | 10 | 0 | 10 | | nagios | 9 | 9 | 0 | | xen | 8 | 0 | 8 | | glibc | 7 | 0 | 7 | | quassel | 7 | 0 | 7 | | mingw-icu | 7 | 0 | 7 | | avr-binutils | 6 | 0 | 6 | +--------------+-------+-------+---------+ +Tickets by Distro Version-------+---------+ | Distro Version | Count | Owned | Unowned | +----------------+-------+-------+---------+ | el6 | 210 | 37 | 173 | | 22 | 130 | 3 | 127 | | 21 | 126 | 7 | 119 | | el5 | 67 | 20 | 47 | | epel7 | 37 | 4 | 33 | | 23 | 33 | 11 | 22 | | unspecified | 3 | 0 | 3 | | rawhide | 3 | 0 | 3 | | 6.6 | 1 | 0 | 1 | +----------------+-------+-------+---------+ -- Major Hayden

1 0

FST post in Fedora Magazine [DRAFT]
by Major Hayden 16 Sep '15

16 Sep '15

Hey folks, I finally cobbled together a draft post for the Fedora Magazine about our team: https://gist.github.com/major/2dbb21b8f42dd882439d Feel free to send me diffs and I'll gladly apply them. I also need some help with a creative title. ;) -- Major Hayden

7 20

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

security-team [ARCHIVED] September 2015