First message in list with some questions ;)

Marc Deop Argemí marc at marcdeop.com
Wed Jul 9 21:26:36 UTC 2014


On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote:
> On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote:
> > first thank you for creating maillist. That's really useful.
> > Let me quote Eric a bit and ask some questions.
> > 
> > > As of 2014-06-10 there were 539 open security bugs in Fedora.  With a
> > > little work we should be able to get this number down by figuring out
> > > if the vulnerability is still open, if a patch/release is available to
> > > fix it, or need to work upstream.  We'll likely need to come up with a
> > > way to categorize these things in BZ to make it easier to do a search.
> Ahh, yes, my introduction to the mess that awaits us.  :)

First of all: hello everybody!!! I am really glad that someone is taking the initiative
in getting some security into our distros and systems :-)

> 
> > Can you provide link where I can get this list of bugs?
> 
> So, first, sorry for not immediately writing this message up when I
> subscribed you but I'm a little crowded with a lot of little things around
> and I have the attention span of...   wait, what was I saying?
> 
> Oh right, bugs.  Yes, so I'll tell you where they are and let you run them
> down.  You won't be able to search for them in a certain component as they
> are filed against the packages themselves.  If you search using the
> keywords "SecurityTracking" you'll find them all.  You should also be able
> to use the priority to comb through by priority*.  You can easily search
> for a subset of the bugs and come up with what you're looking for like all
> the critical ones[0].  I'll go through and post links on the wiki to make
> it easier for everyone to find.

In a few minutes of searching I could not come up with a search that gave
me such a number of open security bugs in Fedora. Would you mind sharing the
specific parameters you used to get such a result?

[OFFTOPIC]
Please please please, now that we are on a "security-team" list, do not use URL
shorteners!!!! Those things are only for limited-character environments like
Twitter or the like ;-)
[/OFFTOPIC]

> 
> So I see two tasks that need to really get going... now.  First, we need to
> look at the critical bugs and make sure they are being addressed.  Second,
> we need to look at all the unprioritized bugs and get them prioritized so
> we know where they are in the mix.  The priorities come from the CVEs that
> they block but you'll have to dig it out of the whiteboard.

How do we make sure the bugs are being addressed? So far I could only see
ourselves as a team of people "bugging" the package maintainers to patch their
packages if they are involved in a CVE.

What can we *REALLY* do? (besides providing a patch for the code or the 
package?)

Maybe in the future we will get some recognition from the Fedora community and we
will have some voice/power...

> 
> So we don't bump heads while working on things, let's just send what you are
> working on to the list so we'll all know who has what for now.  Let's
> concentrate on the urgent bugs and prioritizing.  So if anyone wants to
> start working on 905373 just roger up for it on the list and start working.

I took the liberty of setting up an IRC channel on irc.freenode.net: #fedora-security-team

Feel free to drop by and we can discuss things real time! :-)

> 
> Thanks for everyone stepping up to help!

Thank you for taking the time to organize everything!

> 
> [0] http://red.ht/1lUHeBF
> 
> 
> * This is not always the case.  There was a bug in the tools that
> automatically generate these bugs that failed to set the priority so we'll
> need to look at those.  It's really two bugs but it gets complicated. 
> People know about it and are working on a fix.
> 
> -- Eric
> 
> --------------------------------------------------
> Eric "Sparks" Christensen
> Fedora Project
> 
> sparks at fedoraproject.org - sparks at redhat.com
> 097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
> --------------------------------------------------


-- 
Marc Deop[1] 
*System Engineer*

--------
[1] mailto:marc at marcdeop.com