Hi,
I'm +1 to this if we can come with some documentation for new contributors
that are up to help (like me).
Br,
El mié., 15 ago. 2018 a las 19:09, Justin Forbes (<jforbes(a)redhat.com>)
escribió:
On Wed, Aug 15, 2018 at 5:58 AM, Fabian Affolter
<fab(a)fedoraproject.org>
wrote:
> On 08/10/2018 04:41 PM, Huzaifa Sidhpurwala wrote:
> > We also discussed sharing stats about maintainers who dont patch
> > security issues (some sort of public shaming).
>
> After some thoughts I'm still not a big fan of the public shaming
> approach. There are a lot of non-Red Hat employees who are doing package
> maintenance on a voluntary base. Putting community members on display
> for not doing something for whatever reason will send the wrong signal.
> We want their support. Thus we should try to establish ways to support
> them
While I agree somewhat, it accomplishes a few things. It lets users and
developers see what needs updating. The real hope here is it gets people
to generate pull requests and fix the package, making things easier on the
maintainer. It also allows users to really see a list of known issues. It
is not uncommon for Fedora to have multiple packages which accomplish the
same task. Perhaps knowing which packages have frequent security issues,
or completely unfixed long standing security issues, users can choose an
appropriate alternative. It would make a nice historical record for FESCo
to review when we ask for a packge to be orphaned due to unresponsive
maintainer. Finally, it would likely encourage more packages to stay on top
of security issues, even though they are not on the list currently.
Basically raising awareness of security in the community. And I say that
as someone who will be on the list every single month, though for different
CVEs each time.
We don't even have to resort to direct shaming, we can leave the
maintainer off of the list, just go by package name, CVE, severity. Maybe
we could also include the number of days the CVE has been open. If we can
also have the list send a direct email to each maintainer alerting them to
their package showing up in the scan. I believe it is a tool to support
maintainers for a few reasons. Packages often have several bugs open. It
raises alert that one or more of those are security, and helps them know
which to prioritize. It should also get other packagers actually creating
fixes and filing pull requests in pagure.
Public shaming is an odd term and I used it at Flock quite a bit, but
simply because it is an easy summary for a process which should be a tool
to help package maintainers. I am guessing that the majority of the long
standing major CVE packages don't have active maintainers. It might get
more people who aren't maintaining a package any longer to orphan those
packages. For people not paying any attention to Fedora anymore, they may
not notice, but it makes it much more effective to take those packages to
FESCo and review the impact of removing them.
>
> 3. Scan commits for existing packages to ensure no malicious code is
> > being introduced:
> > Have not quite figured this out yet, but it seems this is doable.
>
> Adding additional checks should definitely be something that's
> considered. This could become a close cooperation with the FPC because
> it would be much easier if those guys are on our side.
>
As it came up in the crypto session, we should also be scanning for crypto
and hopefully adding that to the review process.
>
> > Lastly if any one is not interested in continuing their contribution to
> > security team, do let me know.
>
> Well, I'm still in.
>
> Kind regards,
>
> Fabian
>
>
>
> _______________________________________________
> security-team mailing list -- security-team(a)lists.fedoraproject.org
> To unsubscribe send an email to
> security-team-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
>
>
_______________________________________________
security-team mailing list -- security-team(a)lists.fedoraproject.org
To unsubscribe send an email to
security-team-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
--
Eduard Lucena
Móvil: +56962318010
GNU/Linux User #589060
Ubuntu User #8749
Fedora Marketing Representative