developing a SOP for critical updates (the Fedora Bat Signal)
Matthew Miller
mattdm at fedoraproject.org
Fri Oct 23 17:35:08 UTC 2015
On Wed, Oct 21, 2015 at 03:45:23PM -0400, Eric Christensen wrote:
> > FESCo has asked me to bring this back up, and this seems like the right
> > place for it. See https://fedorahosted.org/fesco/ticket/1278, and the
> > very basic outline of a SOP from Paul Frields at
> > https://fedoraproject.org/wiki/User:Pfrields/Critical_security_update_SOP.
> We've been talking about this [informally] for the past few weeks and I think
> what Paul has written up makes a lot of sense. There are a few pieces that
> need to be moved around the board or approved by someone above my paygrade
> (you?).
Sure — probably Council, and I can help with that.
> > coordination (it helps when one person has the "incident lead"
> > baton; can be passed around as needed)
>
> Traditionally this has been Red Hat Product Security. I say this
> because they are the ones that are handling incoming and are notified
> of a security threat. The problem with letting Product Security
> handle coordination is that they don't really care about Fedora
> (well, don't care isn't really the correct words to use but Fedora
> really doesn't have the proper tooling for doing what Red Hat does
> with staging security fixes).
Yeah, I think, traditionally, RH product security has had their own
coordination, and Fedora tries to follow along as best we can.
Hopefully, having a Fedora-focused coordination role will actually make
that easier for the RH side too, because it'll be clear from _that_
side who to coordinate with and how.
> > communications (drafting and sending community messages; email,
> > web, social media)
> Does Fedora have a PIO?
I don't know because I don't know what that means. :)
> This is why I, and others, have argued for a separate channel in
> which to send out high-priority security fixes. We shouldn't have to
> run around finding the correct person to do a special push. We should
> be able to dump them into the security channel and make it available
> sooner.
+1. That's https://fedorahosted.org/rel-eng/ticket/5886.
--
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader