FESCo has asked me to bring this back up, and this seems like the right
place for it. See
https://fedorahosted.org/fesco/ticket/1278, and the
very basic outline of a SOP from Paul Frields at
https://fedoraproject.org/wiki/User:Pfrields/Critical_security_update_SOP.
To paste from the ticket:
We need to have responders for:
  - coordination (it helps when one person has the "incident lead"
    baton; can be passed around as needed)
  - communications (drafting and sending community messages; email,
    web, social media)
  - package fixing (ideally package maintainer is security expert,
    second best is package maintainer + security expert, third is security
    expert with provenpackager privileges or assistance from someone who
    has them, or last resort, provenpackager alone)
  - quality assurance (again, ideally someone with security expertise
    to advise and coordinate, but fast widespread testing at all levels
    helps)
  - release engineering (lots of work getting an update out as an
    exception to normal flow)
and the ability to get at least one person in each role out of bed in
the event of an emergency.
I expect that in many cases, there are also roles like "communication
with $otherproject security team", and possible handoff from wherever
we learned about the vulnerability.
Security Team, are you interested in helping develop this procedure
(and putting it somewhere so we know what to do in a fire drill)?
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader