This was always one of my concerns in Fedora: being one step behind Red Hat on
security benefits no one. We must work together. These changes are quite
interesting, thank you.
On Mon, Nov 30, 2015 at 9:23 PM, P J P <pjp(a)fedoraproject.org> wrote:
> On Monday, 30 November 2015 8:26 PM, Eric Christensen wrote:
>> I just completed a meeting with Matthew Miller, FPL, regarding the future of
>> the FST. I believe we are ready to move forward with putting more
>> responsibility on the team.
> That's excellent!
>> The Solution:
>> -------------
>> The first piece of the solution will be an apprenticeship where new FST members
>> can prove themselves and get up to speed (similar to what Infrastructure has).
> Is it a paid position or volunteer based?
>> The second piece of the solution will be the establishment of a private group
>> in BZ that allows trusted members of the FST access to sensitive information.
>>
>> Third is the possibility of private builds in Koji. While we can do private
>> builds to maintain confidentiality of the vulnerability it would be better to
>> make sure that the build is done correctly and is available for immediate QA.
> I think this would require some training for the package maintainers and QA
> team. Or we (FST) would have to do such builds, which I'm not sure is a good
> idea.
>> The Work:
>> ---------
>> There is a lot of work that needs to be done to bring us to the point of being
>> ready to actively handle security issues (as opposed to just chasing after
>> vulnerabilities that are months/years old). The first, and most basic, is
>> education. It was suggested that we have some sort of apprenticeship where we
>> can bring in new people and help them get up to speed. This would also give
>> us time to instill the need for trust. I've started compiling information
>> on the apprenticeship[0] but it needs more eyes/hands.
>>
>> We also need to work on a workflow that includes proper protections of
>> embargoed information and a policy for working with embargoed information.
>>
>> Thoughts? Comments? Let's get a discussion going here.
> Yes, I'll go through the page(s) and get back with more inputs!
> Thank you so much for sharing this. It's a great start! :)
> ---
> -P J P
> http://feedmug.com
_______________________________________________
security-team mailing list
security-team(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/security-team@lists.fedoraproj...
--
Francisco Alonso.
http://twitter.com/revskills
PGP: 0xE2E64DCA