On Mon, 2015-11-30 at 09:56 -0500, Eric Christensen wrote:
> The Work
> ------------
> There is a lot of work that needs to be done to bring us to the point
> of being ready to actively handle security issues (as opposed to just
> chasing after vulnerabilities that are months/years old). The first,
> and most basic, is education. It was suggested that we have some
> sort of apprenticeship where we can bring in new people and help them
> get up to speed. This would also give us time to instill the need
> for trust. I've started compiling information on the
> apprenticeship[0] but it needs more eyes/hands.
> We also need to work on a workflow that includes proper protections
> of embargoed information and a policy for working with embargoed
> information.
> Thoughts? Comments? Let's get a discussion going here.
Hey Eric,
Thanks for taking the time to have this conversation with Matt! Also,
I like where this is going. ;)
A private BZ and koji group would go a long way, but do we have a
capability to pre-stage a build for quick release once an embargo comes
up? For example, if a widely-used daemon has a critical vulnerability,
could we have the update "waiting in the wings" for a quick trip to the
mirrors once the embargo lifts?
I wasn't sure if there was a special process already in place for Red
Hat Enterprise Linux that we could potentially piggy-back onto.
--
Major Hayden