So we need to get:
http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
in tip-top shape before Thursday. So what suggestions have come up so far:
You should cancel this deadline. If you stick to it you're going to end up
with a lot of poor decisions because they will be rushed. If you do have
something ready by Thursday, good. If not, it's not such a big deal then.
Also I think the times should be shorter than suggested by Josh; we're
talking about ping times here, not time till fix. Maybe we need another
word here. The biggest problem so far is people who have been dead quiet
in bugzilla. So if I say the security team takes over if there is no
response within a week, I mean no response _at all_. If the maintainer
says "yip, that looks like a problem, I'll look into it", then he has
responded and the response timer gets reset. So in this case, as long as
a maintainer makes an entry about his progress every week, all is ok and
the FE security team does not step in. The team could of course offer
help and suggest fixes, but we won't step in and push a fix; that is left to
the maintainer.
Pick an arbitrary time for now, whatever you think will work. I have
little doubt one month after you start, they will change :)
-I would like to suggest sending announcements to the list (and in the
same format) where FC security announcements get sent. Josh, is this
possible? Can we get direct access, or maybe through you / the whole
RH-security team?
I don't have control over the fedora announce list. You'll want to ask
notting as he owns that list.
-The FE security team needs a way to get involved in bugs / fixes where
all the info is under embargo. Again Josh, can you / the whole
RH-security team play a role here? We of course only need to be in the
loop if a package within FE has a hole.
The Red Hat Security Response Team isn't authorized to forward such
information outside of Red Hat. If you have a concrete plan for dealing
with embargoed issues, it may be possible for extras to gain membership
into the various organizations that distribute such information. I admit
though, this is going to be difficult given the very public and transparent
nature of Extras.
I would suggest you begin by dealing with public issues and once a process
is refined, revisit this issue.
-I've used the words FE security team instead of SIG above because I
think to the outside "team" sounds a lot better (more professional) than "SIG",
and this will help in being taken seriously by the outside world (for
embargoes, for example). This has 2 disadvantages however:
*maintainers could get the idea that the team is responsible for the
security fixes, which it's not; they (the maintainers) are
*confusion with the Red Hat security team
So I'm not sure which name is better, team or SIG.
Don't worry about your name, just have a short, clear mission statement.
--
JB