First message in list with some questions ;)

joat joat at 757.org
Tue Jul 15 05:13:03 UTC 2014


Am I searching properly if I end up showing 47 Urgent bugs for Fedora?
 Note: I had to use the "Browse" (beta) function before a Priority option
showed up.  It wasn't there under the simple or advanced search tabs.

- Tim


On Thu, Jul 10, 2014 at 1:44 PM, Eric H. Christensen <sparks at fedoraproject.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Wed, Jul 09, 2014 at 11:26:36PM +0200, Marc Deop Argemí wrote:
> > On Wednesday 09 July 2014 16:11:57 Eric H. Christensen wrote:
> > > On Wed, Jul 09, 2014 at 10:37:24PM +0400, Igor Gnatenko wrote:
> > > > Can you provide link where I can get this list of bugs?
> > >
> > > So, first, sorry for not immediately writing this message up when I
> > > subscribed you but I'm a little crowded with a lot of little things
> > > around and I have the attention span of...   wait, what was I saying?
> > >
> > > Oh right, bugs.  Yes, so I'll tell you where they are and let you run
> > > them down.  You won't be able to search for them in a certain component
> > > as they are filed against the packages themselves.  If you search using
> > > the keywords "SecurityTracking" you'll find them all.  You should also
> > > be able to use the priority to comb through by priority*.  You can
> > > easily search for a subset of the bugs and come up with what you're
> > > looking for like all the critical ones[0].  I'll go through and post
> > > links on the wiki to make it easier for everyone to find.
> >
> > In a few minutes search I could not find a way to come up with a search
> > that gave me such a number of open security bugs in Fedora. Would you
> > mind sharing the specific parameters you used to get such a result?
>
> Product: Fedora
> Keywords: SecurityTracking
> Priority: urgent (this will get you the most critical security bugs)
>
> You can leave Priority blank and get all of the bugs but that will be a
> mess.
>
> > [OFFTOPIC]
> > Please please please, now that we are on a "security-team" list, do not
> > use url shorteners!!!! those things are only for limited characters
> > environments like Twitter or the like ;-)
> > [/OFFTOPIC]
>
> No, they aren't just for limited character environments.  I'd much prefer
> to see the short url in an email than:
>
>
> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2636275&priority=urgent&query_format=advanced
>
> That said, these links will be placed on a wiki page so they are easier to
> get to.  Bug URLs aren't as long and messy as the above and shouldn't need
> to be shortened.
>
> > > So I see two tasks that need to really get going... now.  First, we
> > > need to look at the critical bugs and make sure they are being
> > > addressed.  Second, we need to look at all the unprioritized bugs and
> > > get them prioritized so we know where they are in the mix.  The
> > > priorities come from the CVEs that they block but you'll have to dig it
> > > out of the whiteboard.
> >
> > How do we make sure the bugs are being addressed? So far I only could see
> > ourselves as a team of people "bugging" the package maintainers to patch
> > their packages if they are involved in a CVE.
> >
> > What can we *REALLY* do? (besides providing a patch for the code or the
> > package?)
> >
> > Maybe in the future we get some recognition from the Fedora community
> > and we have some voice/power...
>
> And that's what this experiment is all about.  We really don't need to
> *bug* people about this stuff but rather do the work if they won't.
>
> If a security bug comes up and the packager doesn't seem involved then we
> need to go upstream and see if there is a fix.  If upstream has a fix then
> we need to make sure the packager knows that the fix is available and that
> it needs to get shipped.  If upstream isn't aware we need to open a ticket
> upstream and link it with our ticket.  Once we have a fix and the
> packager(s) seem unwilling to take action we need to go to FESCo and ask
> for them to take action.  I'm assuming it will be rare to have to go to
> such measures as to go to FESCo.
>
> > > So we don't bump heads while working on things let's just send what you
> > > are working on to the list so we'll all know who has what for now.
> > > Let's concentrate on the urgent bugs and prioritizing.  So if anyone
> > > wants to start working on 905373 just roger up for it on the list and
> > > start working.
> >
> > I took the liberty of setting up an IRC Channel in irc.freenode.net:
> > #fedora-security-team
>
> Yeah, I thought about using #fedora-security but, like the security list,
> it seems to be more end-user questions/advice than actual work.  I'll join
> up now.
>
> - --Eric
>
> - --------------------------------------------------
> Eric "Sparks" Christensen
> Red Hat, Inc - Product Security
>
> sparks at redhat.com - sparks at fedoraproject.org
> 097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
> - --------------------------------------------------
> _______________________________________________
> security-team mailing list
> security-team at lists.fedoraproject.org
> https://lists.fedoraproject.org/mailman/listinfo/security-team
>