On Wednesday 05 April 2006 16:24, Hans de Goede wrote:
> -a wiki/Extras/Security page that tells users what to do and expect
> when they find a security problem. My suggestion:
> -users should search in bugzilla (by CVE in the summary if there is a CVE)
> Maybe we can create a special form for searching by CVE?
> -if it's not in bugzilla the user should submit it there.
> -this list gets auto-cc-ed
> -the maintainer handles it, asking for help (on this list) as needed
> To make this work / get some real tracking:
> -if a maintainer finds a bug or pushes a new version with a bug fixed
> he/she should put this bug in bugzilla and close it immediately.

This seems very sane. This is how we do Legacy as well.

> -a place and an easy way to send FE security announcements. Last time
> I brought this up I landed in some XML mumbo-jumbo jungle; what's wrong
> with a plain email, with a simple plain-text template as a base for
> someone wishing to do an announcement to fill in?

Fedora-announce is a great place. We need to make the Fedora Updates software
available for Extras (and Legacy) to use. I've talked to Luke Macken, who
wrote it, and he is very much for getting it cleaned up and modularized enough
so that we can use it for external projects. We should do this before we get
into XML update metadata land. This is a solvable problem.

> Unfortunately, although many maintainers do a great job even on
> security, some don't, thus we need:
> -some kind of rules (FESCo action!) for when someone can step on a maintainer's
> toes by pushing a fix to CVS and building it because the maintainer is
> not responding to a security bugzilla entry in a timely fashion. I know
> that currently anyone can do this if they feel like it, but I for one
> would like to have a FESCo-declared policy for this which I can point a
> maintainer at when he gets pissed (IOW I want to be able to hide behind
> FESCo, yes!)

So one thing that this SIG can do is come up with and vet a security policy
that FESCo will bless and make official. Again, this is a solvable problem.
Let's get on it. I proposed a policy; let's start from there.
--
Jesse Keating
Release Engineer: Fedora