8:56 a.m.
I just completed a meeting with Matthew Miller, FPL, regarding the future of
the FST. I believe we are ready to move forward with putting more
responsibility on the team.
The Problem
----------------
Security bugs come into Fedora/EPEL by way of Red Hat Product Security,
mostly. Any bug that has an embargo is not entered into Bugzilla (BZ) for
Fedora/EPEL until the embargo expires. Eventually we hope to develop a
trusted team that can actively work embargoed vulnerabilities to speed fixes to
users as soon as the embargo expires.
The Solution
----------------
The first piece of the solution will be an apprenticeship where new FST members
can prove themselves and get up to speed (similar to what Infrastructure has).
The second piece of the solution will be the establishment of a private group
in BZ that allows trusted members of the FST access to sensitive information.
Third is the possibility of private builds in Koji. While we can do private
builds to maintain confidentiality of the vulnerability it would be better to
make sure that the build is done correctly and is available for immediate QA.
Last is a "gentleman's agreement" that those in the trusted group will
maintain confidentiality and abide by certain information security measures to
prevent a leak of information.
It should be noted that none of these private mechanisms are in place to
maintain indefinite confidentiality; quite the opposite, in fact. ALL work done
in BZ will become public as soon as the embargo expires. This is important to
ensure transparency and openness in this process and so as soon as we possibly
can we want to provide the community with all the information that is
available.
The Work
------------
There is a lot of work that needs to be done to bring us to the point of being
ready to actively handle security issues (as opposed to just chasing after
vulnerabilities that are months/years old). The first, and most basic, is
education. It was suggested that we have some sort of apprenticeship where we
can bring in new people and help them get up to speed. This would also give
us time to instill the need for trust. I've started compiling information on
the apprenticeship[0] but it needs more eyes/hands.
We also need to work on a workflow that includes proper protections of
embargoed information and a policy for working with embargoed information.
Thoughts? Comments? Lets get a discussion going here.
--Eric
[0] https://fedoraproject.org/wiki/Security_Team_Apprenticeship
9:06 a.m.
On 11/30/2015 09:56 AM, Eric Christensen wrote:
I just completed a meeting with Matthew Miller, FPL, regarding the
future of
the FST. I believe we are ready to move forward with putting more
responsibility on the team.
<snip a lot of good content...>
We also need to work on a workflow that includes proper protections of
embargoed information and a policy for working with embargoed information.
Thoughts? Comments? Lets get a discussion going here.
--Eric
[0] https://fedoraproject.org/wiki/Security_Team_Apprenticeship
Thanks Eric for working on this. Sounds like a good general plan.
Figuring out what a "trusted" member is will probably be the hardest
part of the whole thing.
Took a look at the page, I'll try to add some stuff later.
When you talk about Skills for team members under background, are you
talking about adding list of skills for the background section or adding
to the requirements section? I think listing background skills that
help in this role will be helpful, but making it clear you don't have to
have all of them, just some of them (we can all contribute our bit of
expertise to the overall goals of the team).
Cheers,
David
2:23 p.m.
On Monday, 30 November 2015 8:26 PM, Eric Christensen wrote:
> I just completed a meeting with Matthew Miller, FPL, regarding the future of
the FST. I believe we are ready to move forward with putting more
responsibility on the team.
That's excellent!
The Solution:
-------------
The first piece of the solution will be an apprenticeship where new FST members
can prove themselves and get up to speed (similar to what Infrastructure has).
Is it a paid position or volunteer based?
The second piece of the solution will be the establishment of a
private group
in BZ that allows trusted members of the FST access to sensitive information.
Third is the possibility of private builds in Koji. While we can do private
builds to maintain confidentiality of the vulnerability it would be better to
make sure that the build is done correctly and is available for immediate QA.
I think this would require some training for the package maintainers and QA
team. OR we(FST) would have to do such builds, which I'm not sure is a good idea.
The Work:
---------
There is a lot of work that needs to be done to bring us to the point of being
ready to actively handle security issues (as opposed to just chasing after
vulnerabilities that are months/years old). The first, and most basic, is
education. It was suggested that we have some sort of apprenticeship where we
can bring in new people and help them get up to speed. This would also give
us time to instill the need for trust. I've started compiling information
on the apprenticeship[0] but it needs more eyes/hands.
We also need to work on a workflow that includes proper protections
of
embargoed information and a policy for working with embargoed information.
4:50 a.m.
This was always one of my concerns in Fedora, one step behind Red Hat for
security benefits no one. We must work together. These changes are quite
interesting, thank you.
On Mon, Nov 30, 2015 at 9:23 PM, P J P <pjp(a)fedoraproject.org> wrote:
> On Monday, 30 November 2015 8:26 PM, Eric Christensen wrote:
>> I just completed a meeting with Matthew Miller, FPL, regarding the
future of
> the FST. I believe we are ready to move forward with putting more
> responsibility on the team.
That's excellent!
> The Solution:
> -------------
> The first piece of the solution will be an apprenticeship where new FST
members
> can prove themselves and get up to speed (similar to what Infrastructure
has).
Is it a paid position or volunteer based?
> The second piece of the solution will be the establishment of a private
group
> in BZ that allows trusted members of the FST access to sensitive
information.
>
> Third is the possibility of private builds in Koji. While we can do
private
> builds to maintain confidentiality of the vulnerability it would be
better to
> make sure that the build is done correctly and is available for
immediate QA.
I think this would require some training for the package maintainers and
QA
team. OR we(FST) would have to do such builds, which I'm not sure is a
good idea.
> The Work:
> ---------
> There is a lot of work that needs to be done to bring us to the point of
being
> ready to actively handle security issues (as opposed to just chasing
after
> vulnerabilities that are months/years old). The first, and most basic,
is
> education. It was suggested that we have some sort of apprenticeship
where we
> can bring in new people and help them get up to speed. This would also
give
> us time to instill the need for trust. I've started compiling
information
> on the apprenticeship[0] but it needs more eyes/hands.
>
> We also need to work on a workflow that includes proper protections of
> embargoed information and a policy for working with embargoed
information.
>
> Thoughts? Comments? Lets get a discussion going here.
Yes, I'll go through the page(s) and get back with more inputs!
Thank you so much for sharing this. It's a great start! :)
---
-P J P
http://feedmug.com
_______________________________________________
security-team mailing list
security-team(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/security-team@lists.fedoraproj...
--
Francisco Alonso.
http://twitter.com/revskills
PGP: 0xE2E64DCA
--
2:39 p.m.
On Mon, 2015-11-30 at 09:56 -0500, Eric Christensen wrote:
The Work
------------
There is a lot of work that needs to be done to bring us to the point
of being ready to actively handle security issues (as opposed to just
chasing after vulnerabilities that are months/years old). The first,
and most basic, is education. It was suggested that we have some
sort of apprenticeship where we can bring in new people and help them
get up to speed. This would also give us time to instill the need
for trust. I've started compiling information on the
apprenticeship[0] but it needs more eyes/hands.
We also need to work on a workflow that includes proper protections
of embargoed information and a policy for working with embargoed
information.
Thoughts? Comments? Lets get a discussion going here.
Hey Eric,
Thanks for taking the time to have this conversation with Matt! Also,
I like where this is going. ;)
A private BZ and koji group would go a long way, but do we have a
capability to pre-stage a build for quick release once an embargo comes
up? For example, if a widely-used daemon has a critical vulnerability,
could we have the update "waiting in the wings" for a quick trip to the
mirrors once the embargo lifts?
I wasn't sure if there was a special process already in place for Red
Hat Enterprise Linux that we could potentially piggy-back onto.
--
Major Hayden
10:45 p.m.
On Mon, 2015-11-30 at 09:56 -0500, Eric Christensen wrote:
The Solution
----------------
The first piece of the solution will be an apprenticeship where new
FST members can prove themselves and get up to speed (similar to what
Infrastructure has).
This sounds sensible to me.
The second piece of the solution will be the establishment of a
private group in BZ that allows trusted members of the FST access to
sensitive information.
Third is the possibility of private builds in Koji. While we can do
private builds to maintain confidentiality of the vulnerability it
would be better to make sure that the build is done correctly and is
available for immediate QA.
Last is a "gentleman's agreement" that those in the trusted group
will maintain confidentiality and abide by certain information
security measures to prevent a leak of information.
It should be noted that none of these private mechanisms are in place
to maintain indefinite confidentiality; quite the opposite, in
fact. ALL work done in BZ will become public as soon as the embargo
expires. This is important to ensure transparency and openness in
this process and so as soon as we possibly can we want to provide the
community with all the information that is available.
The Work
------------
There is a lot of work that needs to be done to bring us to the point
of being ready to actively handle security issues (as opposed to just
chasing after vulnerabilities that are months/years old). The first,
and most basic, is education. It was suggested that we have some
sort of apprenticeship where we can bring in new people and help them
get up to speed. This would also give us time to instill the need
for trust. I've started compiling information on the
apprenticeship[0] but it needs more eyes/hands.
We also need to work on a workflow that includes proper protections
of embargoed information and a policy for working with embargoed
information.
Thoughts? Comments? Lets get a discussion going here.
I am new to using Fedora on a regular basis and just learning the
'Fedora Way' of doing things, but all of the ideas and plans sound
solid to me. I can only hope to be able to devote some time to learning
the skills necessary to help with this effort.
--
Charles Profitt
Open Source Advocate
https://ftbeowulf.wordpress.com/
4096R/37BEB021
D8A5 6061 25C3 28B7 2264 2B39 3E13 4DD2 37BE B021
10:34 a.m.
On Mon, Nov 30, 2015 at 09:56:26AM -0500, Eric Christensen wrote:
I just completed a meeting with Matthew Miller, FPL, regarding the
future of
the FST. I believe we are ready to move forward with putting more
responsibility on the team.
We also talked a little bit about the "Fedora Bat Signal" — the SOP for
handling communications and coordination when there's an incident. (See
brief thread here from October, too.) But I don't remember where we
ended up with that, because this call was a long time ago. :)
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
3061
days inactive
3070
days old
security-team@lists.fedoraproject.org
6 comments
7 participants
participants (7)
-
charles profitt -
David Cafaro -
Eric Christensen -
F. Alonso -
Major Hayden -
Matthew Miller -
P J P