Getting FE security (team/sig) moving / on the road
Josh Bressers
bressers at redhat.com
Mon Mar 6 14:33:43 UTC 2006
>
> So we need to get:
> http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
> in tip-top shape before Thursday. So what suggestions have come up so far:
You should cancel this deadline. If you stick to it you're going to end up
with a lot of poor decisions because they will be rushed. If you do have
something ready by Thursday, good. If not, it's not such a big deal then.
>
> Also I think the times should be shorter than suggested by Josh, we're
> talking about ping times here, not time till fix. Maybe we need another
> word here. The biggest problem so far is people who have been dead quiet
> in bugzilla. So if I say the security team takes over if there is no
> response within a week, I mean no response _at all_. If the maintainer
> says yip that looks like a problem I'll look into it, then he has
> responded and the response timer gets reset. So in this case, as long as
> a maintainer makes an entry about his progress every week all is ok and
> the FE security team does not step in. The team could of course offer
> help, suggest fixes, but we won't step in and push a fix, that is left to
> the maintainer.
Pick an arbitrary time for now, whatever you think will work. I have
little doubt one month after you start, they will change :)
> -I would like to suggest to send announcements to the list (and in the
> same format) where FC security announcements get sent. Josh, is this
> possible, can we get direct access, or maybe through you/ the whole
> RH-security team?
I don't have control over the fedora announce list. You'll want to ask
notting as he owns that list.
> -The FE security team needs a way to get involved in bugs / fixes where
> all the info is under embargo. Again Josh, can you/ the whole
> RH-security team play a role here? We of course only need to be in the
> loop if a package within FE has a hole.
The Red Hat Security Response Team isn't authorized to forward such
information outside of Red Hat. If you have a concrete plan for dealing
with embargoed issues, it may be possible for Extras to gain membership
into the various organizations that distribute such information. I admit
though, this is going to be difficult given the very public and transparent
nature of Extras.
I would suggest you begin by dealing with public issues and once a process
is refined, revisit this issue.
> -I've used the word FE security team instead of SIG above because I
> think to the outside "team" sounds a lot better (professional) than SIG,
> and this will help in being taken seriously by the outside world (for
> embargoes for example). This has 2 disadvantages however:
> *maintainers could get the idea that the team is responsible for the
> security fixes, which it's not, they (the maintainers) are
> *confusion with the redhat security team
> So I'm not sure which name is better, team or sig.
Don't worry about your name, just have a short, clear mission statement.
--
JB