3:53 p.m.
OK, it seems there is no longer an Extras security SIG. I'm going to
contact the FESCO and get this ball moving properly. I'll send a notice to
this list when there is something to post.
--
JB
4:37 p.m.
On Wednesday 05 April 2006 15:53, Josh Bressers wrote:
OK, it seems there is no longer an Extras security SIG. I'm
going to
contact the FESCO and get this ball moving properly. I'll send a notice to
this list when there is something to post.
Since When? last i knew the SIG was
still alive.
http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
yes we need to get things solidified and i thought they pretty much there.
I have been watching bugtraq and reporting bugs as needed. Simplest way
to go forward is a clear policy.
of the things that were unresolved email notices should be sent to
fedora-announce. witha copy on a website security.fedoraproject.org if need
be i can host it.
as far as maintainers dropping support there is the wiki and fedora-extras
for now i guess we could ask legacy to include some of the SIG members in
with their embargoed email list.
If the maintainer does not respond in three days then the SIG will fix the
issue and release builds.
--
Regards
Dennis Gilmore, RHCE
Proud Australian
4:53 p.m.
On Wednesday 05 April 2006 17:37, Dennis Gilmore wrote:
of the things that were unresolved email notices should be sent to
fedora-announce. witha copy on a website security.fedoraproject.org if
need be i can host it.
Does Fedora currently post their updates and advisories to a webpage anywhere?
Before we worry about that, lets at least get to the level that Fedora Core
is at, then go beyond. Little steps can lead to a long way.
as far as maintainers dropping support there is the wiki and
fedora-extras
for now i guess we could ask legacy to include some of the SIG members in
with their embargoed email list.
We don't really have much of a SIG, and what did you mean by 'embargoed email
list' ?
If the maintainer does not respond in three days then the SIG will
fix
the issue and release builds.
Sounds fair. I'll review the posted page hopefully sometime this week, a bit
busy w/ LWCE and FUDCon, but I should have time either this week, this
weekend, or next week.
--
Jesse Keating
Release Engineer: Fedora
5:14 p.m.
On Wednesday 05 April 2006 16:53, Jesse Keating wrote:
On Wednesday 05 April 2006 17:37, Dennis Gilmore wrote:
> of the things that were unresolved email notices should be sent to
> fedora-announce. witha copy on a website security.fedoraproject.org if
> need be i can host it.
Does Fedora currently post their updates and advisories to a webpage
anywhere? Before we worry about that, lets at least get to the level that
Fedora Core is at, then go beyond. Little steps can lead to a long way.
Fair
enough. I think core just uses fedora-announce so thats a start.
what is needed so that SIG members can post to fedora-announce?
> as far as maintainers dropping support there is the wiki and
> fedora-extras
>
> for now i guess we could ask legacy to include some of the SIG members
> in with their embargoed email list.
We don't really have much of a SIG, and what did you mean by 'embargoed
email list' ?
Non public security reports. however it is that you get them.
I should be
more involved with legacy as i use it for a few systems.
> If the maintainer does not respond in three days then the SIG
will fix
> the issue and release builds.
Sounds fair. I'll review the posted page hopefully sometime this week, a
bit busy w/ LWCE and FUDCon, but I should have time either this week, this
weekend, or next week.
thats fair. I will be quiet for the next 3 weeks after
Sunday. I will have
limited net access during that time.
--
Regards
Dennis Gilmore, RHCE
Proud Australian
5:25 p.m.
On Wednesday 05 April 2006 18:14, Dennis Gilmore wrote:
> Does Fedora currently post their updates and advisories to a
webpage
> anywhere? Before we worry about that, lets at least get to the level that
> Fedora Core is at, then go beyond. Little steps can lead to a long way.
Fair enough. I think core just uses fedora-announce so thats a start.
what is needed so that SIG members can post to fedora-announce?
I just approve the posts. I have the list password. However I don't
currently get notices when something needs to be approved, I know when as I
pull the trigger on the Fedora updates and various other Fedora announces.
So basically I either get those notices, or we get the announcements CC'd to
the security-list as a trigger for me to go approve them. I'll double check
policy w/ the Fedora board, but I'm pretty sure they're cool with this.
> > as far as maintainers dropping support there is the wiki
and
> > fedora-extras
> >
> > for now i guess we could ask legacy to include some of the SIG members
> > in with their embargoed email list.
>
> We don't really have much of a SIG, and what did you mean by 'embargoed
> email list' ?
Non public security reports. however it is that you get them. I should
be more involved with legacy as i use it for a few systems.
Ah ok. I applied for and got accepted into Vendor-Sec, the vendor security
notification email list. We could nominate one person or so to be on there
for Extras. I serve as a filter for Legacy, when there are things related to
Legacy packages I forward them on to our Legacy builder team. Before we
start doing pre-notifications, we need to define a private bugzilla group so
that we can file bugs in private and not have public view. Unfortunately we
don't have the ability to do embargo CVS branches within Extras ATM,
something we should bring up to FESCo to rectify so that we can generate
packages and such prior to embargo date. This is a big hairy thing, we
should concentrate on how we handle publicized issues first, then move into
pre-notification. Again, small steps.
--
Jesse Keating
Release Engineer: Fedora
8:26 a.m.
On Wed, 5 Apr 2006, Jesse Keating wrote:
Ah ok. I applied for and got accepted into Vendor-Sec, the vendor
security notification email list. We could nominate one person or so to
be on there for Extras. I serve as a filter for Legacy, when there are
things related to Legacy packages I forward them on to our Legacy
builder team. Before we start doing pre-notifications, we need to
define a private bugzilla group so that we can file bugs in private and
not have public view. Unfortunately we don't have the ability to do
embargo CVS branches within Extras ATM, something we should bring up to
FESCo to rectify so that we can generate packages and such prior to
embargo date. This is a big hairy thing, we should concentrate on how
we handle publicized issues first, then move into pre-notification.
Again, small steps.
As a starting point, is just using the "Fedora Project Contributers" good
enough?
later,
chris
9:19 a.m.
On Thursday 06 April 2006 09:26, Chris Ricker wrote:
As a starting point, is just using the "Fedora Project
Contributers" good
enough?
I think that's far too large of an audience. They'd much rather a much
smaller response team, the SIG say 5~10 people. We can cc the maintainer in
question. It is extremely imperative that we don't accidentally disclose the
issue prior to the embargo date. That is a quick way to get bounced from
Vendor-sec.
--
Jesse Keating
Release Engineer: Fedora
7:37 p.m.
> OK, it seems there is no longer an Extras security SIG. I'm
going to
> contact the FESCO and get this ball moving properly. I'll send a notice to
> this list when there is something to post.
Since When? last i knew the SIG was still alive.
OK, perhaps you could make it a bit more transparent then.
http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
yes we need to get things solidified and i thought they pretty much there.
I have been watching bugtraq and reporting bugs as needed. Simplest way
to go forward is a clear policy.
There are countless other places that need to be watched other than
bugtraq. Here is a post from Mark Cox, a fellow Red Hat Security Response
Team member describing our information sources.
http://www.awe.com/mark/blog/security/200603211056.html
Only 14% of issues come from public mailing lists, and while I don't have
the exact number, most of those are not from bugtraq.
What will be needed is a way for the various team member to interact and to
note which issues are outstanding and which issues need attention. You
can't always just blindly create a bug, there are times you have to triage
an issue to ensure it does or does not affect us. In the event it doesn't
affect us, it should be noted that it doesn't and why.
I suggest a CVS module that can contain something a bit like these files:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc4?root=fedor...
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc5?root=fedor...
I just looked at bugzilla, it seems there are three security bugs for
Extras. They seem to be from random people. There should also be some
consistency to the bug reports, such as ensuring each issue has a CVE id,
along with a proper severity.
of the things that were unresolved email notices should be sent to
fedora-announce. witha copy on a website security.fedoraproject.org if need
be i can host it.
The mail announcements can be done, I'm not too worried about that.
as far as maintainers dropping support there is the wiki and fedora-extras
for now i guess we could ask legacy to include some of the SIG members in
with their embargoed email list.
Dealing with embargoed issues adds a great deal of process. I would
suggest getting the non embargoed process worked out, then adding the
ability to handle embargoed issues.
If the maintainer does not respond in three days then the SIG will fix the
issue and release builds.
Has the FESCO approved this idea yet? Part of this process will be
assigning a priority to issues. It is likely there will be more work than
time, so low issues will probably not get much lovin.
--
JB
6594
days inactive
6595
days old
security@lists.fedoraproject.org
7 comments
4 participants
participants (4)
-
Chris Ricker -
Dennis Gilmore -
Jesse Keating -
Josh Bressers