On 08/28/2018 10:13 PM, Justin Forbes wrote:
On Tue, Aug 28, 2018 at 4:13 AM, Tristan Santore
<tristan.santore(a)internexusconnect.net> wrote:
> On 26/08/18 16:04, Huzaifa Sidhpurwala wrote:
>>
>> On 08/10/2018 08:11 PM, Huzaifa Sidhpurwala wrote:
>>>
>>> Hello Folks,
>>>
>>> I am writing this email from the Flock Fedora conference in Dresden,
>>> Germany. For those who do not know me, I work for the Red Hat Product
>>> Security Team and have been a Fedora contributor for the last 8 odd
>>> years.
>>>
>>
>>
>> Thank you everyone who replied to my email, both on this mailing list
>> and privately. Please find below a short report on the overall progress
>> since my first email, followed by replies to some of your questions:
>>
>> 1. https://pagure.io/fesco/issue/1935
>> Seems like FESCO likes this idea so far and in the next meeting it may
>> even be approved. YAY!!
>>
>> 2. Fedora security dashboard:
>> During FLOCK I sat in this very interesting talk on GSOC and Outreachy.
>> And I thought about letting students do the dashboard via one of the
>> above projects. Good for them and us both :P
>>
>> Now to answer some of the questions:
>>
>> 1. Nag emails:
>> I think what myself and Justin meant was more of "reminder emails". I
>> plan to send one this Monday and see what people think. The email will
>> only say who needs to fix how many security fixes and serve as a gentle
>> reminder, no nuclear explosions intended!
>>
>> 2. Documentation:
>> I realized that there was a shortage of docs for package maintainers on
>> how to handle security flaws. I wrote this short doc at:
>> https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
>>
>> This is more of a brain dump than anything else. Please feel free to
>> edit and add more content or point out my mistakes and I can correct them.
>>
>> Lastly, based on all the replies I got, I am going to edit the security
>> team page and remove all those folks who are not active. In case you are
>> still interested do let me know, I can add you back!
>>
>>
>>
> Huzaifa,
>
> I would suggest a very polite reminder email. Along the lines of:
>
> Dear Package Maintainer,
>
> This is a friendly reminder that the package <PACKAGEHERE> has the
> following outstanding unpatched CVEs/security issues.
>
> Question is, what to request or suggest... because I suspect that some
> maintainers probably need/could do with a few co-maintainers.
>
> And we must not forget, we have many community people doing package
> maintenance, in their own spare time, so to alienate those lovely people
> would be contra-productive.
>
Exactly, in fact I am thinking of sending a blanket email to
fedora-devel to start with, without mentioning any names etc., but just a
gentle reminder for everyone to fix their pkgs, of course mentioning the
doc which I just wrote.
>
> With regards to removing people from the Security Team Page, the question
> should be, are people not contributing, because there is too little guidance
> on procedures, information available and possibly SOPs (Standard Operating
> Procedures). I generally think, that security is such an important topic
> these days, across the board, that the Fedora community should set an
> example with guides on secure coding, secure infra advice, guides on the
> correct use of SElinux, including where to find good background information
> on its use. We ALL need to make a more concerted effort to improve the
> security landscape, in my very very humble opinion.
I more got the impression that people who have remained silent would
be removed. Not people who have expressed any sort of interest
recently. The "Security Team" has been effectively dead over the past
couple of years, and some of the people who had previously expressed
interest may no longer be around. Getting added back is as simple as
adding yourself. It's not punitive.
There is certainly a lack of guidance, and I think we are moving in
the right direction for fixing that. I am also planning to work on a
doc for "Procedures for creating a pull request for known CVEs" in an
attempt to hopefully get more people involved, the goal being that people
who want to chip in can actually patch packages to fix known security
issues, and a pull request is generally helpful to the maintainer
without stepping on toes.
Justin
> And thanks for taking a proactive role regarding this matter, really
> appreciate it, as surely do many others.
>
> I will be following the progress here with great interest.
>
> Kind regards,
>
> Tristan
>
>
> --
> Tristan Santore BSc MBCS
> TS4523-RIPE
> Network and Infrastructure Operations
> InterNexusConnect
> Mobile +44-78-55069812
> Tristan.Santore(a)internexusconnect.net
>
> Former Thawte Notary
> (Please note: Thawte has closed its WoT programme down,
> and I am therefore no longer able to accredit trust)
>
> For Fedora related issues, please email me at:
> TSantore(a)fedoraproject.org
>
_______________________________________________
security-team mailing list -- security-team(a)lists.fedoraproject.org
To unsubscribe send an email to security-team-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
--
Huzaifa Sidhpurwala / Red Hat Product Security Team