Anything like security-announces on Fedora?

Kurt Seifried kseifried at redhat.com
Mon Oct 27 16:42:40 UTC 2014



On 27/10/14 10:03 AM, Matthew Miller wrote:
> On Mon, Oct 27, 2014 at 11:57:16AM -0400, Eric H. Christensen wrote:
>> This seems to already be happening[0] on the package-announce
>> list[1]. Security updates are being sent with [SECURITY] so I wonder
>> if this is being done with topics.
> 
> Oh cool -- it is. There are topics for every fedora release, plus
> Security and "Newpackages". After subscribing, edit options here:
> <https://admin.fedoraproject.org/mailman/options/package-announce>
> 
> But we do still need to figure out a way to encourage people to write
> better descriptions.

That is a tough one to always get right because you need an intersection
of package expertise and security expertise. E.g. I can write security
descriptions until the cows come home, especially for things I
understand, but you stick me in front of a reasonably complex kernel
issue and I'm gonna poke someone else for help so I don't mess it up.

The flipside of this is there's like a top 10 or 20 vulns that account
for the bulk of issues (e.g. buffer overflow, XSS) and are relatively
easy to understand, confirm and describe. So if you're not shooting for
100% you can easily get to 80-90%, but then you run the risk of really
bad things slipping out unnoticed or unmentioned ("Check for fishy
environment" being a classic example; without a CVE I bet this would
slip past most people =).

One catch: AFAIK we have no training material for this (and I've never
seen anything good publicly available), so if we want people to do the
right thing, they'll need to be taught how.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


