Here are my notes from the FAD last Friday, sorry it took so long to get out.
# Security Updates workflow
## Issues
- Current process is too slow
- Nothing can be done until embargoes are lifted
## Plan
- Create a private Bugzilla group to allow for work on embargoed tickets
- Create a private mailing list with support for GPG re-encryption to each member
- Work with Release Engineering to make changes to Bodhi and Koji to support building embargoed packages.
- Create a Security repo that contains recent security updates and is served from a small number of servers that refresh the repo more often than normal mirrors do.
## Workflow
- Embargoed CVE notification comes in
- Red Hat security team creates a ticket in the private group for Fedora (currently this only happens after the embargo is lifted)
- Security Response Team identifies the individuals that need to know about the ticket and involves them.
- New package is built in private section of Koji
- Package is tested and karma is given in Bodhi
- Wait for embargo to be lifted
- Make Bugzilla ticket public
- Release pre-tested package to security repo as well as normal mirrors
# Apprenticeship
The only level we are defining at this point is the entry level. To meet that requirement, the following is needed:
## Intro
- Name/FAS Info
- GPG Keys
- Interest/Why are you joining
## Team Engagement
* Join the mailing list
* Participate in meetings
## Required Reading
* Mission statement
* Goals
* Work flow
* Other training
## OJT
* Shadow mentor through the ticket process
* Take lead on a ticket with mentor as shadow
## Needed
In order to meet the above requirements, new members need the following:
* Assign mentor
* Add to FAS Group
## Define: Mentor
* Full and active member of the team
* Completed apprenticeship
* Active contributor
* Wants to mentor