> On Monday, 30 November 2015 8:26 PM, Eric Christensen wrote:
> I just completed a meeting with Matthew Miller, FPL, regarding the future of
> the FST. I believe we are ready to move forward with putting more
> responsibility on the team.
> The Solution:
> The first piece of the solution will be an apprenticeship where new FST members
> can prove themselves and get up to speed (similar to what Infrastructure has).
Is it a paid position or volunteer based?
> The second piece of the solution will be the establishment of a private group
> in BZ that allows trusted members of the FST access to sensitive information.
> Third is the possibility of private builds in Koji. While we can do private
> builds to maintain confidentiality of the vulnerability, it would be better to
> make sure that the build is done correctly and is available for immediate QA.
I think this would require some training for the package maintainers and QA
team. Or we (FST) would have to do such builds, which I'm not sure is a good idea.
> The Work:
> There is a lot of work that needs to be done to bring us to the point of being
> ready to actively handle security issues (as opposed to just chasing after
> vulnerabilities that are months/years old). The first, and most basic, is
> education. It was suggested that we have some sort of apprenticeship where we
> can bring in new people and help them get up to speed. This would also give
> us time to instill the need for trust. I've started compiling information
> on the apprenticeship but it needs more eyes/hands.
> We also need to work on a workflow that includes proper protections of
> embargoed information and a policy for working with embargoed information.
> Thoughts? Comments? Let's get a discussion going here.
Yes, I'll go through the page(s) and get back with more inputs!
Thank you so much for sharing this. It's a great start! :)
-P J P
security-team mailing list