Am I searching properly if I end up showing 47 Urgent bugs for Fedora?  Note: I had to use the "Browse" (beta) function before a Priority option showed up.  It wasn't there under the simple or advanced search tabs.

- Tim


On Thu, Jul 10, 2014 at 1:44 PM, Eric H. Christensen <sparks@fedoraproject.org> wrote:

On Wed, Jul 09, 2014 at 11:26:36PM +0200, Marc Deop Argemí wrote:
> On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote:
> > On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote:
> > > Can you provide link where I can get this list of bugs?
> >
> > So, first, sorry for not immediately writing this message up when I
> > subscribed you but I'm a little crowded with a lot of little things around
> > and I have the attention span of...   wait, what was I saying?
> >
> > Oh right, bugs.  Yes, so I'll tell you where they are and let you run them
> > down.  You won't be able to search for them in a certain component as they
> > are filed against the packages themselves.  If you search using the
> > keywords "SecurityTracking" you'll find them all.  You should also be able
> > to use the priority to comb through by priority*.  You can easily search
> > for a subset of the bugs and come up with what you're looking for like all
> > the critical ones[0].  I'll go through and post links on the wiki to make
> > it easier for everyone to find.
>
> In a few minutes' search I could not find a way to come up with a search that gave
> me such a number of open security bugs in Fedora. Would you mind sharing the
> specific parameters you used to get such a result?

Product: Fedora
Keywords: SecurityTracking
Priority: urgent (this will get you the most critical security bugs)

You can leave Priority blank and get all of the bugs but that will be a mess.

> [OFFTOPIC]
> Please please please, now that we are on a "security-team" list, do not use URL
> shorteners!!!! Those things are only for limited-character environments like
> Twitter or the like ;-)
> [/OFFTOPIC]

No, they aren't just for limited-character environments.  I'd much prefer to see the short URL in an email than:

https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2636275&priority=urgent&query_format=advanced

That said, these links will be placed on a wiki page so they are easier to get to.  Bug URLs aren't as long and messy as the above and shouldn't need to be shortened.

> > So I see two tasks that need to really get going... now.  First, we need to
> > look at the critical bugs and make sure they are being addressed.  Second,
> > we need to look at all the unprioritized bugs and get them prioritized so
> > we know where they are in the mix.  The priorities come from the CVEs that
> > they block but you'll have to dig it out of the whiteboard.
>
> How do we make sure the bugs are being addressed? So far I could only see
> ourselves as a team of people "bugging" the package maintainers to patch their
> packages if they are involved in a CVE.
>
> What can we *REALLY* do? (besides providing a patch for the code or the
> package?)
>
> Maybe in the future we get some recognition from the fedora community and we
> have some voice/power...

And that's what this experiment is all about.  We really don't need to *bug* people about this stuff but rather do the work if they won't.

If a security bug comes up and the packager doesn't seem involved then we need to go upstream and see if there is a fix.  If upstream has a fix then we need to make sure the packager knows that the fix is available and that it needs to get shipped.  If upstream isn't aware we need to open a ticket upstream and link it with our ticket.  Once we have a fix and the packager(s) seem unwilling to take action we need to go to FESCo and ask for them to take action.  I'm assuming it will be rare to have to go to such measures as to go to FESCo.

> > So we don't bump heads while working on things, let's just send what you are
> > working on to the list so we'll all know who has what for now.  Let's
> > concentrate on the urgent bugs and prioritizing.  So if anyone wants to
> > start working on 905373 just roger up for it on the list and start working.
>
> I took the liberty of setting up an IRC channel on irc.freenode.net: #fedora-security-team

Yeah, I thought about using #fedora-security but, like the security list, it seems to be more end-user questions/advice than actual work.  I'll join up now.

--Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security

sparks@redhat.com - sparks@fedoraproject.org
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
_______________________________________________
security-team mailing list
security-team@lists.fedoraproject.org
https://lists.fedoraproject.org/mailman/listinfo/security-team
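The search Eric describes above (Product, Keywords, Priority) and the long buglist.cgi URL he pastes can be handled in a few lines of Python. This is an added example, not code from the thread, from Fedora or from Bugzilla. It assumes the buglist.cgi parameter names visible in the pasted URL (plus `product=`, which Bugzilla's buglist also accepts) and that `list_id` is a per-session value that the query does not need. `THREAD_URL` is the URL from the thread, kept as sample input; `build_security_query`, `query_params` and `normalize_buglist_url` are names chosen here.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BUGLIST = "https://bugzilla.redhat.com/buglist.cgi"

# The URL pasted in the thread above, kept here as sample input.
THREAD_URL = (
    "https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED"
    "&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords"
    "&list_id=2636275&priority=urgent&query_format=advanced"
)


def build_security_query(product="Fedora", keyword="SecurityTracking",
                         priority="urgent", statuses=("NEW", "ASSIGNED")):
    """Build a buglist.cgi URL from the three fields named in the thread.

    priority=None reproduces the "leave Priority blank" search, which returns
    every open SecurityTracking bug for the product (the "mess" Eric mentions).
    """
    params = [("bug_status", s) for s in statuses]
    params += [
        ("product", product),  # assumption: product= instead of classification=
        ("keywords", keyword),
        ("keywords_type", "allwords"),
        ("query_format", "advanced"),
    ]
    if priority:
        params.append(("priority", priority))
    return f"{BUGLIST}?{urlencode(params)}"


def query_params(url):
    """Decode a buglist.cgi URL into {name: [values]} so a reader can see what a
    link searches for before following it (repeated names such as bug_status
    become lists)."""
    out = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        out.setdefault(name, []).append(value)
    return out


def normalize_buglist_url(url):
    """Drop the per-session list_id, trim the trailing ', ' that Bugzilla's form
    appends to the keywords field, and sort the remaining parameters so the same
    search always yields the same (shorter) URL without a shortener."""
    parts = urlsplit(url)
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "list_id":
            continue
        if name == "keywords":
            value = value.strip(", ")
        kept.append((name, value))
    kept.sort()
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


if __name__ == "__main__":
    print(normalize_buglist_url(THREAD_URL))
    for name, values in query_params(THREAD_URL).items():
        print(f"{name:14} {values}")
```

Running the block prints the normalized form of the thread's URL (no `list_id`, keywords trimmed, parameters sorted) and then each parameter with its decoded values, which is the information a shortened link would hide from the recipient.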