New FE vulnerabilities

Jesse Keating jkeating at redhat.com
Wed Apr 5 20:49:01 UTC 2006


On Wednesday 05 April 2006 16:24, Hans de Goede wrote:
> -a wiki/Extras/Security page that tells users what to do and expect when
>   they find a security problem. My suggestion:
>   -user should search in bugzilla (by CVE in summary if there is a CVE)
>    Maybe we can create a special form for by-CVE searching?
>   -if it's not in bugzilla user should submit it there.
>   -this list gets auto-cc-ed
>   -the maintainer handles it, asking for help (on this list) as needed
>   To make this work / get some real tracking:
>   -if a maintainer finds a bug or pushes a new version with a bug fixed
>    he/she should put this bug in bugzilla and close it immediately.

This seems very sane.  This is how we do Legacy as well.

> -a place and an easy way to send FE security announcements. Last time
>   I brought this up I landed in some xml mumbo jumbo jungle; what's wrong
>   with a plain email, with a simple plain text template as base for
>   someone wishing to do an announcement to fill in?

Fedora-announce is a great place.  We need to make the Fedora Updates software 
available for Extras (and Legacy) to use.  I've talked to Luke Macken who 
wrote it and he is very much for getting it cleaned up and modularized enough so 
that we can use it for external projects.  We should do this before we get 
into xml update metadata land.  This is a solvable problem.

> Unfortunately, although many maintainers do a great job even on security,
> some don't, thus we need:
> -some kinda rules (FESco action!) for when someone can step on a maintainer's
>   toes by pushing a fix to CVS and building it because the maintainer is
>   not responding to a security bugzilla entry in a timely fashion. I know
>   that currently anyone can do this if they feel like it, but I for one
>   would like to have a FESco declared policy for this which I can point a
>   maintainer at when he gets pissed (iow I want to be able to hide behind
>   FESco, yes!)

So one thing that this SIG can do is come up with and vet a security policy 
that FESCo will bless and make official.  Again, this is a solvable problem.  
Let's get on it.  I proposed a policy, let's start from there.

-- 
Jesse Keating
Release Engineer: Fedora