I just completed a meeting with Matthew Miller, FPL, regarding the future of
the FST. I believe we are ready to move forward with putting more
responsibility on the team.
Security bugs come into Fedora/EPEL by way of Red Hat Product Security,
mostly. Any bug that has an embargo is not entered into Bugzilla (BZ) for
Fedora/EPEL until the embargo expires. Eventually we hope to develop a
trusted team that can actively work embargoed vulnerabilities to speed fixes to
users as soon as the embargo expires.
The first piece of the solution will be an apprenticeship where new FST members
can prove themselves and get up to speed (similar to what Infrastructure has).
The second piece of the solution will be the establishment of a private group
in BZ that allows trusted members of the FST access to sensitive information.
Third is the possibility of private builds in Koji. While we can do private
builds to maintain confidentiality of the vulnerability, it would be better to
make sure that the build is done correctly and is available for immediate QA.
Last is a "gentleman's agreement" that those in the trusted group will
maintain confidentiality and abide by certain information security measures to
prevent a leak of information.
It should be noted that none of these private mechanisms are in place to
maintain indefinite confidentiality; quite the opposite, in fact. ALL work done
in BZ will become public as soon as the embargo expires. This is important to
ensure transparency and openness in this process and so as soon as we possibly
can we want to provide the community with all the information that is
There is a lot of work that needs to be done to bring us to the point of being
ready to actively handle security issues (as opposed to just chasing after
vulnerabilities that are months/years old). The first, and most basic, is
education. It was suggested that we have some sort of apprenticeship where we
can bring in new people and help them get up to speed. This would also give
us time to instill the need for trust. I've started compiling information on
the apprenticeship but it needs more eyes/hands.
We also need to work on a workflow that includes proper protections of
embargoed information and a policy for working with embargoed information.
Thoughts? Comments? Let's get a discussion going here.