FST post in Fedora Magazine [DRAFT]

David Cafaro dac at cafaro.net
Wed Sep 16 14:59:04 UTC 2015


On 09/16/2015 10:52 AM, Tomas Hoger wrote:
> On Wed, 16 Sep 2015 07:30:52 -0500 Major Hayden wrote:
>
>> On 09/16/2015 12:46 AM, pjp at fedoraproject.org wrote:
>>> That's right. We need to publicise 'security at fp.o' address for
>>> users to report issues to FST.
> Before doing that, it should be figured out how to handle those
> reports.  Traditionally, only RH employees, RH SRT members pretty much,
> were on the list.  Handling of embargoed stuff in Fedora has been
> avoided in general.
I believe that was and is how it is currently set up.  There was some
discussion of eventually having trusted/proven non-Red Hat team members
on the email as well.  But, I do not know if that was done.  Sparks, I
believe, has a better idea on how this is now set up.
>> Updated with that address mentioned for critical bugs:
>>
>>   https://gist.github.com/major/2dbb21b8f42dd882439d
> In addition to the concerns above, I think you should distinguish
> critical and embargoed / non-public.  security-team at l.fp.o should still
> be preferred for any discussion of critical but already public issue.
>
The security-team list should be for all public issues.  The security@
address is for embargoed or new bugs (that may end up being embargoed
depending on how the security@ list members handle it).


