On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote: > first thank you for creating maillist. That's really useful. > Let me some qoute Eric and ask some questions. > > > As of 2014-06-10 there were 539 open security bugs in Fedora. With a > > little work we should be able to get this number down by figuring out > > if the vulnerability is still open, if a patch/release is available to > > fix it, or need to work upstream. We'll likely need to come up with a > > way to categorize these things in BZ to make it easier to do a search. Ahh, yes, my introduction to the mess that awaits us. :)

> Can you provide link where I can get this list of bugs? So, first, sorry for not immediately writing this message up when I subscribed you but I'm a little crowded with a lot of little things around and I have the attention span of... wait, what was I saying? Oh right, bugs. Yes, so I'll tell you where they are and let you run them down. You won't be able to search for them in a certain component as they are filed against the packages themselves. If you search using the keywords "SecurityTracking" you'll find them all. You should also be able to use the priority to comb through by priority*. You can easily search for a subset of the bugs and come up with what you're looking for like all the critical ones[0]. I'll go through and post links on the wiki to make it easier for everyone to find.

So I see two tasks that need to really get going... now. First, we need to look at the critical bugs and make sure they are being addressed. Second, we need to look at all the unprioritized bugs and get them prioritized so we know where they are in the mix. The priorities come from the CVEs that they block but you'll have to dig it out of the whiteboard.

So we don't bump heads while working on things lets just send what you are working on to the list so we'll all know who has what for now. Lets concentrate on the urgent bugs and prioritizing. So if anyone wants to start working on 905373 just roger up for it on the list and start working.

Thanks for everyone stepping up to help!

[0] http://red.ht/1lUHeBF * This is not always the case. There was a bug in the tools that automatically generate these bugs that failed to set the priority so we'll need to look at those. It's really two bugs but it gets complicated. People know about it and are working on a fix. -- Eric -------------------------------------------------- Eric "Sparks" Christensen Fedora Project sparks(a)fedoraproject.org - sparks(a)redhat.com 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 -------------------------------------------------- _______________________________________________ security-team mailing list security-team(a)lists.fedoraproject.org https://lists.fedoraproject.org/mailman/listinfo/security-team

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Wed, Jul 09, 2014 at 11:26:36PM +0200, Marc Deop Argemí wrote: > On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote: > > On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote: > > > Can you provide link where I can get this list of bugs? > > > > So, first, sorry for not immediately writing this message up when I > > subscribed you but I'm a little crowded with a lot of little things around > > and I have the attention span of... wait, what was I saying? > > > > Oh right, bugs. Yes, so I'll tell you where they are and let you run them > > down. You won't be able to search for them in a certain component as they > > are filed against the packages themselves. If you search using the > > keywords "SecurityTracking" you'll find them all. You should also be able > > to use the priority to comb through by priority*. You can easily search > > for a subset of the bugs and come up with what you're looking for like all > > the critical ones[0]. I'll go through and post links on the wiki to make > > it easier for everyone to find. > > In a few minutes search I could not find a way to come up with a search that gave > me such a number of open security bugs in Fedora. Would you mind sharing the > specific parameters you used to get such a result? Product: Fedora Keywords: SecurityTracking Priority: urgent (this will get you the most critical security bugs) You can leave Priority blank and get all of the bugs but that will be a mess. > [OFFTOPIC] > Please please please, now that we are on a "security-team" list, do not use url > shorteners!!!! those things are only for limited characters environments like > Twitter or the like ;-) > [/OFFTOPIC] No, they aren't just for limited character environments. I'd much prefer see the short url in an email than: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASS... That said, these links will be placed on a wiki page so they are easier to get to. Bug URLs aren't as long and messy as the above and shouldn't need to be shortened. > > So I see two tasks that need to really get going... now. First, we need to > > look at the critical bugs and make sure they are being addressed. Second, > > we need to look at all the unprioritized bugs and get them prioritized so > > we know where they are in the mix. The priorities come from the CVEs that > > they block but you'll have to dig it out of the whiteboard. > > How do we make sure the bugs are being addressed? so far I only could see > ourselves as a team of people "bugging" the package maintainers to patch their > packages if they are involved in a CVE. > > What can we *REALLY* do? (besides providing a patch for the code or the > package?) > > Maybe in the future we get some recognition from the fedora community and we > have some voice/power... And that's what this experiment is all about. We really don't need to *bug* people about this stuff but rather do the work if they won't. If a security bug comes up and the packager doesn't seem involved then we need to go upstream and see if there is a fix. If upstream has a fix then we need to make sure the packager knows that the fix is available and that it needs to get shipped. If upstream isn't aware we need to open a ticket upstream and link it with our ticket. Once we have a fix and the packager(s) seem unwilling to take action we need to go to FESCo and ask for them to take action. I'm assuming it will be rare to have to go to such measures as to go to FESCo. > > So we don't bump heads while working on things lets just send what you are > > working on to the list so we'll all know who has what for now. Lets > > concentrate on the urgent bugs and prioritizing. So if anyone wants to > > start working on 905373 just roger up for it on the list and start working. > > I took the liberty of setting up an IRC Channel in irc.freenode.net: #fedora- > security-team Yeah, I thought about using #fedora-security but, like the security list, it seems to be more end-user questions/advice than actual work. I'll join up now. - --Eric - -------------------------------------------------- Eric "Sparks" Christensen Red Hat, Inc - Product Security sparks(a)redhat.com - sparks(a)fedoraproject.org 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - -------------------------------------------------- _______________________________________________ security-team mailing list security-team(a)lists.fedoraproject.org https://lists.fedoraproject.org/mailman/listinfo/security-team

From: "Eric H. Christensen" <sparks(a)fedoraproject.org&gt; To: "Fedora Security Team" <security-team(a)lists.fedoraproject.org&gt; Sent: Tuesday, July 15, 2014 2:46:51 PM Subject: Re: First message in list with some questions ;) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tue, Jul 15, 2014 at 01:13:03AM -0400, joat wrote: > Am I searching properly if I end up showing 47 Urgent bugs for Fedora? > Note: I had to use the "Browse" (beta) function before a Priority option > showed up. It wasn't there under the simple or advanced search tabs. I think there should be more. I'll work on the wiki pages today and get the links posted. - --Eric _______________________________________________ security-team mailing list security-team(a)lists.fedoraproject.org https://lists.fedoraproject.org/mailman/listinfo/security-team