On Monday, 30 November 2015 8:26 PM, Eric Christensen wrote:
> I just completed a meeting with Matthew Miller, FPL, regarding the future of
> the FST. I believe we are ready to move forward with putting more
> responsibility on the team.
> The first piece of the solution will be an apprenticeship where new FST members
> can prove themselves and get up to speed (similar to what Infrastructure has).
Is it a paid position or volunteer-based?
> The second piece of the solution will be the establishment of a
> in BZ that allows trusted members of the FST access to sensitive information.
> Third is the possibility of private builds in Koji. While we can do private
> builds to maintain confidentiality of the vulnerability it would be better to
> make sure that the build is done correctly and is available for immediate QA.
I think this would require some training for the package maintainers and QA
team. OR we (FST) would have to do such builds, which I'm not sure is a good idea.
> There is a lot of work that needs to be done to bring us to the point of being
> ready to actively handle security issues (as opposed to just chasing after
> vulnerabilities that are months/years old). The first, and most basic, is
> education. It was suggested that we have some sort of apprenticeship where we
> can bring in new people and help them get up to speed. This would also give
> us time to instill the need for trust. I've started compiling information
> on the apprenticeship but it needs more eyes/hands.
> We also need to work on a workflow that includes proper protections for
> embargoed information and a policy for working with embargoed information.
> Thoughts? Comments? Lets get a discussion going here.
Yes, I'll go through the page(s) and get back with more inputs!
Thank you so much for sharing this. It's a great start! :)
-P J P