On Tue, Apr 08, 2014 at 08:34:26AM -0500, Major Hayden wrote:
> This is a great idea and would really be valuable in the types of
> situations we had yesterday. I ended up jumping on Twitter/G+ to
> spread the news about package updates. Having a team dedicated to the
> fixing and the communications would help keep people better informed.
> With that said, I'd be glad to help. I'm sure we can come up with
> some technologies and processes relatively quickly. Something as
> simple as a call to join #fedora-eoc (emergency operations center)
> might be a good stopgap.
I created
https://fedorahosted.org/fesco/ticket/1278 to help track this
idea. It's more a security SIG thing than FESCo, but I think it's important
enough that it deserves tracking somewhere.
Copying from that:
We need to have responders for
* coordination (it helps when one person has the "incident lead" baton;
can be passed around as needed)
* communications (drafting and sending community messages; email, web,
social media)
* package fixing (ideally package maintainer is security expert, second
best is package maintainer + security expert, third is security expert
with provenpackager privileges or assistance from someone who has them,
or last resort, provenpackager alone)
* quality assurance (again, ideally someone with security expertise to
advise and coordinate, but fast widespread testing at all levels helps)
* release engineering (lots of work getting an update out as an exception
to normal flow)
and the ability to get at least one person in each role out of bed in the
event of an emergency.
--
Matthew Miller mattdm(a)mattdm.org <http://mattdm.org/>