On Tuesday 16 January 2007 08:19, Josh Bressers wrote:
> With the current plans to merge Fedora Core and Extras, we need to create a
> unified security team to handle the various security flaws that emerge
> within the distribution. I've been thinking about this quite a bit, and I
> think the goal that needs to be kept in mind is "Keep Fedora users secure".
> That goal is fairly vague on purpose. Here's how I'm thinking this can be
> done.
>
> Initially, we're going to ignore embargoed issues. Every time a security
> conversation comes up, people start creating overly complex processes to
> handle them. Once there is a concrete team and process, this can be
> investigated. In the meantime, we'll just deal with issues once they're
> public.
This seems sane. :)
<snip>
> The biggest missing puzzle piece is the lack of tools. I'm currently
> working on some tools to more easily track CVE ids via a clever bugzilla
> interface. I have some notes on how I plan to do this elsewhere. I can
> post them at a later date if anyone is interested. The bigger tool I'm
> looking for is the package release tool. It's likely that the security
> team will want to view the text of all security updates and edit it if
> needed. I've mailed lmacken requesting this ability, he has informed me
> that the functionality is there. I'm of the impression that as long as the
> team has the right tools, we can operate very efficiently and handle the
> current inflow of issues.
What would be nice, I think, is a tool that puts CVEs with packages even before
Bugzilla tickets are filed. This would need to tie into the package
database under development and the CVE database, so we could see what CVEs
are out there for the packages we have and which Bugzilla tickets are filed, and it
would ignore CVEs for things we don't package.
I wonder if we should have monthly meetings, at least while a framework is
being developed.
How exactly is security handled inside Red Hat? Can we use the existing
framework's tools?
I really hope we get some of Red Hat's security team involved in Fedora.
--
,-._|\ Dennis Gilmore, RHCE
/Aussie\ Proud Australian
\_.--._/ | Aurora | Fedora |
v
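The CVE-to-package cross-reference Dennis sketches above (match a CVE feed against what the distribution actually ships, drop CVEs for unpackaged software, and show which CVE/package pairs still lack a Bugzilla ticket) as an added example. This is not code from the thread, from Fedora or from Red Hat; the feed, package database and ticket list are constructed inline, the CVE ids are deliberately fake, and the record layouts are assumptions rather than any real service's schema.

```python
"""Cross-reference a CVE feed against the packages a distribution ships and
flag the CVE/package pairs that still lack a Bugzilla ticket.

Added illustration; not code from this thread, from Fedora or from Red Hat.
The feed, package database and ticket list are constructed inline and the
record layouts are assumptions, not any real service's schema.
"""
from collections import defaultdict


def normalize(name):
    """Normalise a product name so feed and package DB entries compare equal."""
    return name.strip().lower()


# Constructed CVE feed: each entry names the upstream products an advisory
# affects. The ids are deliberately fake (year 0000), not real CVEs.
CVE_FEED = [
    {"id": "CVE-0000-1001", "products": ["OpenSSL"]},
    {"id": "CVE-0000-1002", "products": ["gzip", "bzip2"]},
    {"id": "CVE-0000-1003", "products": ["some-unpackaged-app"]},
    {"id": "CVE-0000-1004", "products": ["Firefox"]},
]

# Constructed package database: upstream product -> packages that ship it.
# A product may be shipped by several packages (e.g. a compat build).
PACKAGE_DB = {
    "openssl": ["openssl", "openssl097a"],
    "gzip": ["gzip"],
    "bzip2": ["bzip2"],
    "firefox": ["firefox"],
}

# Constructed set of (cve_id, package) pairs that already have a ticket.
BUGZILLA_TICKETS = {("CVE-0000-1004", "firefox")}


def map_cves_to_packages(cve_feed, package_db):
    """Return {cve_id: sorted list of affected packages}.

    CVEs whose products appear nowhere in the package database are dropped;
    that is the "ignore CVEs for things we don't package" filter.
    """
    db = {normalize(product): pkgs for product, pkgs in package_db.items()}
    affected = defaultdict(set)
    for cve in cve_feed:
        for product in cve["products"]:
            for pkg in db.get(normalize(product), ()):
                affected[cve["id"]].add(pkg)
    return {cve_id: sorted(pkgs) for cve_id, pkgs in affected.items()}


def missing_tickets(cve_to_packages, tickets):
    """Return sorted (cve_id, package) pairs that have no ticket filed yet."""
    return sorted(
        (cve_id, pkg)
        for cve_id, pkgs in cve_to_packages.items()
        for pkg in pkgs
        if (cve_id, pkg) not in tickets
    )


if __name__ == "__main__":
    mapping = map_cves_to_packages(CVE_FEED, PACKAGE_DB)
    for cve_id, pkg in missing_tickets(mapping, BUGZILLA_TICKETS):
        print(f"{cve_id}: no ticket filed for {pkg}")
```

The matching key here is the upstream product name; a real deployment would key on whatever the package database records as upstream (or on CPE names), and the ticket set would come from a Bugzilla query rather than a literal.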