On Wed, Oct 21, 2015 at 03:45:23PM -0400, Eric Christensen wrote:
> FESCo has asked me to bring this back up, and this seems like
the right
> place for it. See
https://fedorahosted.org/fesco/ticket/1278, and the
> very basic outline of a SOP from Paul Frields at
>
https://fedoraproject.org/wiki/User:Pfrields/Critical_security_update_SOP.
We've been talking about this [informally] for the past few weeks and I think
what Paul has written up makes a lot of sense. There are a few pieces that
need to be moved around the board or approved by someone above my paygrade
(you?).
Sure — probably Council, and I can help with that.
> coordination (it helps when one person has the
"incident lead"
> baton; can be passed around as needed)
Traditionally this has been Red Hat Product Security. I say this
because they are the ones that are handling incoming and are notified
of a security threat. The problem with letting Product Security
handle coordination is that they don't really care about Fedora
(well, don't care isn't really the correct words to use but Fedora
really doesn't have the proper tooling for doing what Red Hat does
with staging security fixes).
Yeah, I think, traditionally, RH product security has had their own
coordiation, and Fedora tries to follow along as best we can.
Hopefully, having a Fedora-focused coordination role will actually make
that easier for the RH side too, because it'll be clear from _that_
side who to coordinate with and how.
> communications (drafting and sending community messages;
email,
> web, social media)
Does Fedora have a PIO?
I don't know because I don't know what that means. :)
This is why I, and others, have argued for a separate channel in
which to send out high-priority security fixes. We shouldn't have to
run around finding the correct person to do a special push. We should
be able to dump them into the security channel and make it available
sooner.
+1. That's
https://fedorahosted.org/rel-eng/ticket/5886.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader