developing a SOP for critical updates (the Fedora Bat Signal)

Matthew Miller mattdm at fedoraproject.org
Fri Oct 23 17:35:08 UTC 2015


On Wed, Oct 21, 2015 at 03:45:23PM -0400, Eric Christensen wrote:
> > FESCo has asked me to bring this back up, and this seems like the right
> > place for it. See https://fedorahosted.org/fesco/ticket/1278, and the
> > very basic outline of a SOP from Paul Frields at
> > https://fedoraproject.org/wiki/User:Pfrields/Critical_security_update_SOP.
> We've been talking about this [informally] for the past few weeks and I think 
> what Paul has written up makes a lot of sense.  There are a few pieces that 
> need to be moved around the board or approved by someone above my paygrade 
> (you?).

Sure — probably Council, and I can help with that.


> >     coordination (it helps when one person has the "incident lead"
> >        baton; can be passed around as needed)
> 
> Traditionally this has been Red Hat Product Security.  I say this
> because they are the ones that are handling incoming and are notified
> of a security threat. The problem with letting Product Security
> handle coordination is that they don't really care about Fedora
> (well, don't care isn't really the correct words to use but Fedora
> really doesn't have the proper tooling for doing what Red Hat does
> with staging security fixes).

Yeah, I think, traditionally, RH product security has had their own
coordination, and Fedora tries to follow along as best we can.
Hopefully, having a Fedora-focused coordination role will actually make
that easier for the RH side too, because it'll be clear from _that_
side who to coordinate with and how.


> >     communications (drafting and sending community messages; email,
> >        web, social media)
> Does Fedora have a PIO?

I don't know because I don't know what that means. :)


> This is why I, and others, have argued for a separate channel in
> which to send out high-priority security fixes. We shouldn't have to
> run around finding the correct person to do a special push. We should
> be able to dump them into the security channel and make it available
> sooner.

+1. That's https://fedorahosted.org/rel-eng/ticket/5886.


-- 
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader