On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote:

> On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote:

> > first thank you for creating maillist. That's really useful.

> > Let me some qoute Eric and ask some questions.

> >

> > > As of 2014-06-10 there were 539 open security bugs in Fedora. With a

> > > little work we should be able to get this number down by figuring out

> > > if the vulnerability is still open, if a patch/release is available to

> > > fix it, or need to work upstream. We'll likely need to come up with a

> > > way to categorize these things in BZ to make it easier to do a search.

> Ahh, yes, my introduction to the mess that awaits us. :)

 

First of all: hello everybody!!! I am really glad that someone is taking the initiative into getting some security in our distros and systems :-)

 

>

> > Can you provide link where I can get this list of bugs?

>

> So, first, sorry for not immediately writing this message up when I

> subscribed you but I'm a little crowded with a lot of little things around

> and I have the attention span of... wait, what was I saying?

>

> Oh right, bugs. Yes, so I'll tell you where they are and let you run them

> down. You won't be able to search for them in a certain component as they

> are filed against the packages themselves. If you search using the

> keywords "SecurityTracking" you'll find them all. You should also be able

> to use the priority to comb through by priority*. You can easily search

> for a subset of the bugs and come up with what you're looking for like all

> the critical ones[0]. I'll go through and post links on the wiki to make

> it easier for everyone to find.

 

In a few minutes search I could not find a way to come up with a search that gave me such a number of open security bugs in Fedora. Would you mind sharing the specific parameters you used to get such a result?

 

[OFFTOPIC]

Please please please, now that we are on a "security-team" list, do not use url shorteners!!!! those things are only for limited characters environments like Twitter or the like ;-)

[/OFFTOPIC]

 

>

> So I see two tasks that need to really get going... now. First, we need to

> look at the critical bugs and make sure they are being addressed. Second,

> we need to look at all the unprioritized bugs and get them prioritized so

> we know where they are in the mix. The priorities come from the CVEs that

> they block but you'll have to dig it out of the whiteboard.

 

How do we make sure the bugs are being addressed? so far I only could see ourselves as a team of people "bugging" the package maintainers to patch their packages if they are involved in a CVE.

 

What can we *REALLY* do? (besides providing a patch for the code or the package?)

 

Maybe in the future we get some recognition from the fedora community and we have some voice/power...

 

>

> So we don't bump heads while working on things lets just send what you are

> working on to the list so we'll all know who has what for now. Lets

> concentrate on the urgent bugs and prioritizing. So if anyone wants to

> start working on 905373 just roger up for it on the list and start working.

 

I took the liberty of setting up an IRC Channel in irc.freenode.net: #fedora-security-team

 

Feel free to drop by and we can discuss things real time! :-)

 

>

> Thanks for everyone stepping up to help!

 

Thanks you for taking the time to organize everything!

 

>

> [0] http://red.ht/1lUHeBF

>

>

> * This is not always the case. There was a bug in the tools that

> automatically generate these bugs that failed to set the priority so we'll

> need to look at those. It's really two bugs but it gets complicated.

> People know about it and are working on a fix.

>

> -- Eric

>

> --------------------------------------------------

> Eric "Sparks" Christensen

> Fedora Project

>

> sparks@fedoraproject.org - sparks@redhat.com

> 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1

> --------------------------------------------------

> _______________________________________________

> security-team mailing list

> security-team@lists.fedoraproject.org

> https://lists.fedoraproject.org/mailman/listinfo/security-team


--

Marc Deop

System Engineer