This was always one of my concerns in Fedora: being one step behind Red Hat on security benefits no one. We must work together. These changes are quite interesting, thank you.



On Mon, Nov 30, 2015 at 9:23 PM, P J P <pjp@fedoraproject.org> wrote:
> On Monday, 30 November 2015 8:26 PM, Eric Christensen wrote:
>> I just completed a meeting with Matthew Miller, FPL, regarding the future of
>> the FST.  I believe we are ready to move forward with putting more
>> responsibility on the team.


  That's excellent!


> The Solution:
> -------------
> The first piece of the solution will be an apprenticeship where new FST members
> can prove themselves and get up to speed (similar to what Infrastructure has).


  Is it a paid position or volunteer-based?


> The second piece of the solution will be the establishment of a private group
> in BZ that allows trusted members of the FST access to sensitive information.
>
> Third is the possibility of private builds in Koji.  While we can do private
> builds to maintain confidentiality of the vulnerability it would be better to
> make sure that the build is done correctly and is available for immediate QA.


  I think this would require some training for the package maintainers and QA
team. Or we (FST) would have to do such builds, which I'm not sure is a good idea.


> The Work:
> ---------
> There is a lot of work that needs to be done to bring us to the point of being
> ready to actively handle security issues (as opposed to just chasing after
> vulnerabilities that are months/years old).  The first, and most basic, is
> education.  It was suggested that we have some sort of apprenticeship where we
> can bring in new people and help them get up to speed.  This would also give
> us time to instill the need for trust.  I've started compiling information
> on the apprenticeship[0] but it needs more eyes/hands.
>
> We also need to work on a workflow that includes proper protections of
> embargoed information and a policy for working with embargoed information.
>
> Thoughts?  Comments?  Let's get a discussion going here.

  Yes, I'll go through the page(s) and get back with more inputs!


Thank you so much for sharing this. It's a great start! :)
---
  -P J P
http://feedmug.com



--

Francisco Alonso.
http://twitter.com/revskills
PGP: 0xE2E64DCA
--