This was always one of my concerns in Fedora, one step behind Red Hat for
security benefits no one. We must work together. These changes are quite
interesting, thank you.
On Mon, Nov 30, 2015 at 9:23 PM, P J P <pjp(a)fedoraproject.org> wrote:
> On Monday, 30 November 2015 8:26 PM, Eric Christensen wrote:
>> I just completed a meeting with Matthew Miller, FPL, regarding the
> the FST. I believe we are ready to move forward with putting more
> responsibility on the team.
> The Solution:
> The first piece of the solution will be an apprenticeship where new FST
> can prove themselves and get up to speed (similar to what Infrastructure
Is it a paid position or volunteer-based?
> The second piece of the solution will be the establishment of a private
> in BZ that allows trusted members of the FST access to sensitive
> Third is the possibility of private builds in Koji. While we can do
> builds to maintain confidentiality of the vulnerability it would be
> make sure that the build is done correctly and is available for
I think this would require some training for the package maintainers and
team. OR we (FST) would have to do such builds, which I'm not sure is a
> The Work:
> There is a lot of work that needs to be done to bring us to the point of
> ready to actively handle security issues (as opposed to just chasing
> vulnerabilities that are months/years old). The first, and most basic,
> education. It was suggested that we have some sort of apprenticeship
> can bring in new people and help them get up to speed. This would also
> us time to instill the need for trust. I've started compiling
> on the apprenticeship but it needs more eyes/hands.
> We also need to work on a workflow that includes proper protections of
> embargoed information and a policy for working with embargoed
> Thoughts? Comments? Let's get a discussion going here.
Yes, I'll go through the page(s) and get back with more inputs!
Thank you so much for sharing this. It's a great start! :)
-P J P
security-team mailing list