On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote:
On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote:
> first thank you for creating maillist. That's really useful.
> Let me some qoute Eric and ask some questions.
>
> > As of 2014-06-10 there were 539 open security bugs in Fedora. With a
> > little work we should be able to get this number down by figuring out
> > if the vulnerability is still open, if a patch/release is available to
> > fix it, or need to work upstream. We'll likely need to come up with a
> > way to categorize these things in BZ to make it easier to do a search.
Ahh, yes, my introduction to the mess that awaits us. :)
First of all: hello everybody!!! I am really glad that someone is taking the initiative
into getting some security in our distros and systems :-)
> Can you provide link where I can get this list of bugs?
So, first, sorry for not immediately writing this message up when I
subscribed you but I'm a little crowded with a lot of little things around
and I have the attention span of... wait, what was I saying?
Oh right, bugs. Yes, so I'll tell you where they are and let you run them
down. You won't be able to search for them in a certain component as they
are filed against the packages themselves. If you search using the
keywords "SecurityTracking" you'll find them all. You should also be able
to use the priority to comb through by priority*. You can easily search
for a subset of the bugs and come up with what you're looking for like all
the critical ones[0]. I'll go through and post links on the wiki to make
it easier for everyone to find.
In a few minutes search I could not find a way to come up with a search that gave
me such a number of open security bugs in Fedora. Would you mind sharing the
specific parameters you used to get such a result?
[OFFTOPIC]
Please please please, now that we are on a "security-team" list, do not use url
shorteners!!!! those things are only for limited characters environments like
Twitter or the like ;-)
[/OFFTOPIC]
So I see two tasks that need to really get going... now. First, we need to
look at the critical bugs and make sure they are being addressed. Second,
we need to look at all the unprioritized bugs and get them prioritized so
we know where they are in the mix. The priorities come from the CVEs that
they block but you'll have to dig it out of the whiteboard.
How do we make sure the bugs are being addressed? so far I only could see
ourselves as a team of people "bugging" the package maintainers to patch their
packages if they are involved in a CVE.
What can we *REALLY* do? (besides providing a patch for the code or the
package?)
Maybe in the future we get some recognition from the fedora community and we
have some voice/power...
So we don't bump heads while working on things lets just send what you are
working on to the list so we'll all know who has what for now. Lets
concentrate on the urgent bugs and prioritizing. So if anyone wants to
start working on 905373 just roger up for it on the list and start working.
I took the liberty of setting up an IRC Channel in
irc.freenode.net: #fedora-
security-team
Feel free to drop by and we can discuss things real time! :-)
Thanks for everyone stepping up to help!
Thanks you for taking the time to organize everything!
[0]
http://red.ht/1lUHeBF
* This is not always the case. There was a bug in the tools that
automatically generate these bugs that failed to set the priority so we'll
need to look at those. It's really two bugs but it gets complicated.
People know about it and are working on a fix.
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
_______________________________________________
security-team mailing list
security-team(a)lists.fedoraproject.org
https://lists.fedoraproject.org/mailman/listinfo/security-team
--
Marc Deop[1]
*System Engineer*
--------
[1] mailto:marc@marcdeop.com