Huzaifa Sidhpurwala <huzaifas(a)redhat.com> writes:

> Hello Folks,
>
> I am writing this email from the Flock Fedora conference in Dresden,
> Germany. For those who do not know me, I work for the Red Hat Product
> Security Team and have been a Fedora contributor for the last 8 odd
> years.
>
> To keep this short, I intend to reboot the Fedora Security Team. I know
> it's been a while since there was some active work here. Also I don't
> intend to keep this limited to just pinging maintainers to patch their
> packages.

I welcome the initiative.

> I have proposed the following initiatives/projects during my talk at
> Flock this year.
>
> 1. Scan packages for security on package entry!
>
> Package reviewers already use the Fedora-PackageReview package. Red Hat
> Security Team is internally working on a fork of this to include basic
> security scanning like searching for CVEs in the NIST database, checking
> if any unsafe calls are used, etc. We will contribute this code back to
> upstream once it's ready. I propose we use this to ensure new packages
> don't have security flaws.

Great idea.

> 2. Package Exit policy:
>
> Details here: https://pagure.io/fesco/issue/1935 and discussion on the
> fedora-devel list. I spoke to some FESCO members during Flock this year
> and it seems like they think positively about this.
>
> We also discussed sharing stats about maintainers who don't patch
> security issues (some sort of public shaming).

Public shaming is a fairly radical process (treatment). This can be
extremely counterproductive. There are many volunteers who are not under
the Red or Blue HAT and maintain packages.

Organized help for maintainers in maintaining the security of the package,
through other people (volunteers) generating pull requests and fixing the
package, could raise the number of skilled people contributing to the
Fedora community.

> 3. Scan commits for existing packages to ensure no malicious code is
> being introduced:
>
> Have not quite figured this out yet, but it seems this is doable.
>
> 4. Fedora Security dashboard:
>
> The intention here is to create a web dashboard showing the current
> status of security bugs per distro, sorted according to security impact,
> and other useful data. Just to show everyone where we are.
>
> If you can think of anything else, other than the above, do let me know,
> I am open to ideas :)
>
> Lastly, if anyone is not interested in continuing their contribution to
> the security team, do let me know. If I don't get an email from you
> stating that you are still interested in the next two weeks, I will
> remove your name from:
> https://fedoraproject.org/wiki/Security_Team_Roster
>
> The intention is to get a clear picture of who all can help with the
> above tasks.

Lastly, I'm absolutely in.

Looking forward to new tasks to contribute to the Fedora community.

Kind regards
--
Bojan Jovanović