On Wed, Aug 15, 2018 at 5:58 AM, Fabian Affolter <fab@fedoraproject.org> wrote:

On 08/10/2018 04:41 PM, Huzaifa Sidhpurwala wrote:
> We also discussed sharing stats about maintainers who dont patch
> security issues (some sort of public shaming).

After some thoughts I'm still not a big fan of the public shaming
approach. There are a lot of non-Red Hat employees who are doing package
maintenance on a voluntary base. Putting community members on display
for not doing something for whatever reason will send the wrong signal.
We want their support. Thus we should try to establish ways to support
them

While I agree somewhat, it accomplishes a few things. It lets users and developers see what needs updating. The real hope here is it gets people to generate pull requests and fix the package, making things easier on the maintainer. It also allows users to really see a list of known issues. It is not uncommon for Fedora to have multiple packages which accomplish the same task. Perhaps knowing which packages have frequent security issues, or completely unfixed long standing security issues, users can choose an appropriate alternative. It would make a nice historical record for FESCo to review when we ask for a packge to be orphaned due to unresponsive maintainer. Finally, it would likely encourage more packages to stay on top of security issues, even though they are not on the list currently. Basically raising awareness of security in the community. And I say that as someone who will be on the list every single month, though for different CVEs each time.

We don't even have to resort to direct shaming, we can leave the maintainer off of the list, just go by package name, CVE, severity. Maybe we could also include the number of days the CVE has been open. If we can also have the list send a direct email to each maintainer alerting them to their package showing up in the scan. I believe it is a tool to support maintainers for a few reasons. Packages often have several bugs open. It raises alert that one or more of those are security, and helps them know which to prioritize. It should also get other packagers actually creating fixes and filing pull requests in pagure.

Public shaming is an odd term and I used it at Flock quite a bit, but simply because it is an easy summary for a process which should be a tool to help package maintainers. I am guessing that the majority of the long standing major CVE packages don't have active maintainers. It might get more people who aren't maintaining a package any longer to orphan those packages. For people not paying any attention to Fedora anymore, they may not notice, but it makes it much more effective to take those packages to FESCo and review the impact of removing them.

> 3. Scan commits for existing packages to ensure no malicious code is
> being introduced:
> Have not quite figured this out yet, but it seems this is doable.

Adding additional checks should definitely be something that's
considered. This could become a close cooperation with the FPC because
it would be much easier if those guys are on our side.

As it came up in the crypto session, we should also be scanning for crypto and hopefully adding that to the review process.

> Lastly if any one is not interested in continuing their contribution to
> security team, do let me know.

Well, I'm still in.

Kind regards,

Fabian

_______________________________________________
security-team mailing list -- security-team@lists.fedoraproject.org
To unsubscribe send an email to security-team-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/message/DL6BIUPCOQTESQVKQIAATLXJ5JPTKLHY/