New FE vulnerabilities

Hans de Goede j.w.r.degoede at hhs.nl
Wed Apr 5 20:24:48 UTC 2006



Jesse Keating wrote:
> On Wednesday 05 April 2006 15:26, Josh Bressers wrote:
>> I'm hoping we can revive this thread.  There seems to be marginal interest
>> in a FE security team.  I imagine after LWE and FUDCon, there will be a
>> renewed interest, so this may be a fine time to move forward.
>>
>> Since the SIG already exists, I'll let them speak up.  If there is no
>> longer a SIG, that's fine too.  Is anybody working on any of these things?
> 
> I am very interested in this as well.  If nobody steps up, I'll do what it 
> takes, but largely we need to come up with a security process, and I think we 
> need guidance from Red Hat's security team.
> 
> Is there a SIG?
> 

There used to be; it consisted of me, Jason L Tibbitts III and Dennis 
Gilmore. Both Jason and I are currently (also) active in the Games SIG.
I must say I like the Games SIG much better, as there is a lot more 
getting done there. In the Security SIG it was just all talk, and I'm 
not a talker but a doer. I also very much agree that what we need most 
is some kinda security process. We need:
-a wiki/Extras/Security page that tells users what to do and expect when
  they find a security problem. My suggestion:
  -user should search in bugzilla (by CVE in summary if there is a CVE).
   Maybe we can create a special form for searching by CVE?
  -if it's not in bugzilla, the user should submit it there.
  -this list gets auto-cc-ed
  -the maintainer handles it, asking for help (on this list) as needed
  To make this work / get some real tracking:
  -if a maintainer finds a bug or pushes a new version with a bug fixed,
   he/she should put this bug in bugzilla and close it immediately.

-a place and an easy way to send FE security announcements. Last time
  I brought this up I landed in some XML mumbo jumbo jungle; what's wrong
  with a plain email, with a simple plain text template as a base for
  someone wishing to do an announcement to fill in?

Unfortunately, although many maintainers do a great job even on security, 
some don't, thus we need:
-some kinda rules (FESCo action!) for when someone can step on a maintainer's
  toes by pushing a fix to CVS and building it because the maintainer is
  not responding to a security bugzilla entry in a timely fashion. I know
  that currently anyone can do this if they feel like it, but I for one
  would like to have a FESCo-declared policy for this that I can point a
  maintainer at when he gets pissed (iow I want to be able to hide behind
  FESCo, yes!)

What am I willing to do to help?
-lurk on this list
-check the new security bugs page of LWN against FE
  (I have been doing this for the last few weeks)
-help people with security problems in C(++) code
-audit C(++) code on request (see my scorched3d work, for example)
-audit / check C(++) security patches

What am I not willing to do to help?
-get involved in policy making / procedure forming
-other unneeded bureaucracy (the above is needed!)
-talk talk talk; just point me to a broken piece of code, please.


So in the light of what I like and what I don't like, consider this one 
of my last posts in this thread, but don't mistake this for me being 
unwilling to help or being uninterested!


Regards,

Hans


p.s.

I still don't like the default reply-to setting of this list, but let's 
not go there.
