On Tue, Aug 28, 2018 at 4:13 AM, Tristan Santore
<tristan.santore(a)internexusconnect.net> wrote:
> On 26/08/18 16:04, Huzaifa Sidhpurwala wrote:
>>
>> On 08/10/2018 08:11 PM, Huzaifa Sidhpurwala wrote:
>>>
>>> Hello Folks,
>>>
>>> I am writing this email from the Flock Fedora conference in Dresden,
>>> Germany. For those who do not know me, I work for the Red Hat Product
>>> Security Team and have been a Fedora contributor for the last 8 odd
>>> years.
>>>
>>
>>
>> Thank you everyone who replied to my email, both on this mailing list
>> and privately. Please find below a short report on the overall progress
>> since my first email, followed by replies to some of your questions:
>>
>> 1. https://pagure.io/fesco/issue/1935
>> Seems like FESCO likes this idea so far and in the next meeting it may
>> even be approved. YAY!!
>>
>> 2. Fedora security dashboard:
>> During FLOCK I sat in this very interesting talk on GSoC and Outreachy,
>> and I thought about letting students do the dashboard via one of the
>> above projects. Good for them and us both :P
>>
>> Now to answer some of the questions:
>>
>> 1. Nag emails:
>> I think what Justin and I meant was more of "reminder emails"; I
>> plan to send one this Monday and see what people think. The email will
>> only say who needs to fix how many security fixes and serve as a gentle
>> reminder, no nuclear explosions intended!
>>
>> 2. Documentation:
>> I realized that there was a shortage of docs for package maintainers on
>> how to handle security flaws. I wrote this short doc at:
>>
>> https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
>>
>> This is more of a brain dump than anything else. Please feel free to
>> edit and add more content or point out my mistakes and I can correct them.
>>
>> Lastly, based on all the replies I got, I am going to edit the security
>> team page and remove all those folks who are not active. In case you are
>> still interested do let me know, I can add you back!
>>
> Huzaifa,
> I would suggest a very polite reminder email. Along the lines of:
> Dear Package Maintainer,
> This is a friendly reminder that the package <PACKAGEHERE> has the
> following outstanding unpatched CVEs/security issues.
> The question is what to request or suggest... because I suspect that some
> maintainers probably need/could do with a few co-maintainers.
> And we must not forget, we have many community people doing package
> maintenance in their own spare time, so to alienate those lovely people
> would be counterproductive.
> With regard to removing people from the Security Team page, the question
> should be: are people not contributing because there is too little guidance
> on procedures, information available and possibly SOPs (Standard Operating
> Procedures)? I generally think that security is such an important topic
> these days, across the board, that the Fedora community should set an
> example with guides on secure coding, secure infra advice, guides on the
> correct use of SELinux, including where to find good background information
> on its use. We ALL need to make a more concerted effort to improve the
> security landscape, in my very very humble opinion.
I more got the impression that people who have remained silent would
be removed, not people who have expressed any sort of interest
recently. The "Security Team" has been effectively dead over the past
couple of years, and some of the people who had previously expressed
interest may no longer be around. Getting added back is as simple as
adding yourself. It's not punitive.
There is certainly a lack of guidance, and I think we are moving in
the right direction for fixing that. I am also planning to work on a
doc for "Procedures for creating a pull request for known CVEs" in an
attempt to hopefully get more people involved, the goal being that people
who want to chip in can actually patch packages to fix known security
issues, and a pull request is generally helpful to the maintainer
without stepping on toes.
Justin
> And thanks for taking a proactive role regarding this matter, really
> appreciate it, as surely do many others.
>
> I will be following the progress here with great interest.
>
> Kind regards,
>
> Tristan