Fedora Security Response Team

Josh Bressers bressers at redhat.com
Wed May 10 14:00:21 UTC 2006


> 
> So is there a problem with creating and/or adding fc{3,2,1} rhl{7,9} files
> here as well to track CVE issues with you all for Fedora Legacy issues?
> 
> If it's not a problem, I am wondering if any of you have any thoughts or
> suggestions on how to go about generating such lists?

If you have the information captured in bugzilla you may be able to extract
it from there.  The descriptions MITRE provides for issues are prose, so
there isn't really a nice way to get what you need from there.

I have no complaints about tracking the Fedora Legacy distributions in CVS.
I think keeping things close together is wise.  If we are tracking this
many distributions though, perhaps one file for each is not the right way
to go.  Perhaps some thought and discussion is warranted.

> 
> Probably would be a good idea to add me as well, if you don't mind, Josh,
> since Fedora Legacy *is* security and critical updates to older distros.
> That's all I and other Fedora Legacy workers do.  My fedora account system
> username is uh, "questor", <deisenst at gtw.net>.  Thanks.

Done.

> 
> > 
> > <snip>
> >
> > At this point, there should be three primary focal points for the security
> > response team.
> > 
> > 1) Tracking new issues
> > 2) Tracking old issues
> > 3) Documentation
> > 
> > #1 and #3 are entertaining tasks.  #2 is going to be painful and horrible.
> > I'm not sure how far back we should go in CVE space.  I guess as far back
> > as we can with people willing to do the work.  These tasks do require a
> > manifest, which we don't technically have yet, but should soon.
> 
> Um ... since we've never started a list for Fedora Legacy for all the CVE's
> that ever existed (or at least since the Fedora Legacy project has existed),
> is the creation and maintenance of these going to be torturous and cumbersome?

The creation is painful as there are literally tens of thousands of CVE ids
per year.  Once you're caught up things aren't as bad since the ids are
just a constant trickle of information.

> 
> Putting together a fairly complete list of all the CVE's and all the
> packages that are vulnerable or fixed by all of these CVE's ... ugh, it
> indeed sounds like a horrible task!  Are there any plans or thoughts to have
> something like "security days" whereby a bunch of us folks can get together
> and do the work while yakking it up on an IRC channel, making the process at
> least potentially a *little* more fun, and making it possible for us to get
> to know one another better?

This isn't a half bad idea (what do others think?).  At the very least perhaps an IRC channel is in
order.  I see #fedora-security already exists on Freenode, no doubt just
for this purpose :)

-- 
    JB
