First message in list with some questions ;)
Marc Deop Argemí
marc at marcdeop.com
Wed Jul 9 21:26:36 UTC 2014
On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote:
> On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote:
> > First, thank you for creating the mailing list. That's really useful.
> > Let me quote Eric and ask some questions.
> >
> > > As of 2014-06-10 there were 539 open security bugs in Fedora. With a
> > > little work we should be able to get this number down by figuring out
> > > if the vulnerability is still open, if a patch/release is available to
> > > fix it, or need to work upstream. We'll likely need to come up with a
> > > way to categorize these things in BZ to make it easier to do a search.
> Ahh, yes, my introduction to the mess that awaits us. :)
First of all: hello everybody!!! I am really glad that someone is taking the initiative
into getting some security in our distros and systems :-)
>
> > Can you provide link where I can get this list of bugs?
>
> So, first, sorry for not immediately writing this message up when I
> subscribed you but I'm a little crowded with a lot of little things around
> and I have the attention span of... wait, what was I saying?
>
> Oh right, bugs. Yes, so I'll tell you where they are and let you run them
> down. You won't be able to search for them in a certain component as they
> are filed against the packages themselves. If you search using the
> keywords "SecurityTracking" you'll find them all. You should also be able
> to use the priority to comb through by priority*. You can easily search
> for a subset of the bugs and come up with what you're looking for like all
> the critical ones[0]. I'll go through and post links on the wiki to make
> it easier for everyone to find.
In a few minutes' search I could not find a way to come up with a search that gave
me such a number of open security bugs in Fedora. Would you mind sharing the
specific parameters you used to get such a result?
[OFFTOPIC]
Please please please, now that we are on a "security-team" list, do not use URL
shorteners!!!! Those things are only for limited-character environments like
Twitter or the like ;-)
[/OFFTOPIC]
>
> So I see two tasks that need to really get going... now. First, we need to
> look at the critical bugs and make sure they are being addressed. Second,
> we need to look at all the unprioritized bugs and get them prioritized so
> we know where they are in the mix. The priorities come from the CVEs that
> they block but you'll have to dig it out of the whiteboard.
How do we make sure the bugs are being addressed? So far I could only see
ourselves as a team of people "bugging" the package maintainers to patch their
packages if they are involved in a CVE.
What can we *REALLY* do? (besides providing a patch for the code or the
package?)
Maybe in the future we get some recognition from the Fedora community and we
have some voice/power...
>
> So we don't bump heads while working on things let's just send what you are
> working on to the list so we'll all know who has what for now. Let's
> concentrate on the urgent bugs and prioritizing. So if anyone wants to
> start working on 905373 just roger up for it on the list and start working.
I took the liberty of setting up an IRC Channel in irc.freenode.net:
#fedora-security-team
Feel free to drop by and we can discuss things real time! :-)
>
> Thanks for everyone stepping up to help!
Thank you for taking the time to organize everything!
>
> [0] http://red.ht/1lUHeBF
>
>
> * This is not always the case. There was a bug in the tools that
> automatically generate these bugs that failed to set the priority so we'll
> need to look at those. It's really two bugs but it gets complicated.
> People know about it and are working on a fix.
>
> -- Eric
>
> --------------------------------------------------
> Eric "Sparks" Christensen
> Fedora Project
>
> sparks at fedoraproject.org - sparks at redhat.com
> 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
> --------------------------------------------------
> _______________________________________________
> security-team mailing list
> security-team at lists.fedoraproject.org
> https://lists.fedoraproject.org/mailman/listinfo/security-team
--
Marc Deop[1]
*System Engineer*
--------
[1] mailto:marc at marcdeop.com