Getting FE security (team/sig) moving / on the road

Josh Bressers bressers at redhat.com
Mon Mar 6 14:33:43 UTC 2006


> 
> So we need to get:
> http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
> in tip-top shape before Thursday. So what suggestions have come up so far:

You should cancel this deadline.  If you stick to it you're going to end up
with a lot of poor decisions because they will be rushed.  If you do have
something ready by Thursday, good.  If not, it's not such a big deal then.

> 
> Also I think the times should be shorter than suggested by Josh; we're
> talking about ping times here, not time till fix. Maybe we need another
> word here. The biggest problem so far is people who have been dead quiet
> in bugzilla. So if I say the security team takes over if there is no
> response within a week, I mean no response _at all_. If the maintainer
> says "yip, that looks like a problem, I'll look into it", then he has
> responded and the response timer gets reset. So in this case, as long as
> a maintainer makes an entry about his progress every week, all is OK and
> the FE security team does not step in. The team could of course offer
> help and suggest fixes, but we won't step in and push a fix; that is left to
> the maintainer.

Pick an arbitrary time for now, whatever you think will work.  I have
little doubt one month after you start, they will change :)

> -I would like to suggest sending announcements to the list (and in the
> same format) where FC security announcements get sent. Josh, is this
> possible? Can we get direct access, or maybe go through you / the whole
> RH security team?

I don't have control over the fedora announce list.  You'll want to ask
notting as he owns that list.

> -The FE security team needs a way to get involved in bugs / fixes where
> all the info is under embargo. Again Josh, can you / the whole
> RH security team play a role here? We of course only need to be in the
> loop if a package within FE has a hole.

The Red Hat Security Response Team isn't authorized to forward such
information outside of Red Hat.  If you have a concrete plan for dealing
with embargoed issues, it may be possible for Extras to gain membership
in the various organizations that distribute such information.  I admit,
though, this is going to be difficult given the very public and transparent
nature of Extras.

I would suggest you begin by dealing with public issues and once a process
is refined, revisit this issue.

> -I've used the words "FE security team" instead of "SIG" above because I
> think to the outside "team" sounds a lot better (more professional) than "SIG",
> and this will help in being taken seriously by the outside world (for
> embargoes, for example). This has 2 disadvantages, however:
> *maintainers could get the idea that the team is responsible for the
> security fixes, which it's not; they (the maintainers) are
> *confusion with the Red Hat security team
> So I'm not sure which name is better, team or SIG.

Don't worry about your name, just have a short, clear mission statement.

-- 
    JB
