Fedora Extras Security Response Team

Josh Bressers bressers at redhat.com
Thu Apr 6 00:37:29 UTC 2006


> > OK, it seems there is no longer an Extras security SIG.  I'm going to
> > contact the FESCO and get this ball moving properly.  I'll send a notice to
> > this list when there is something to post.
> Since when? Last I knew the SIG was still alive.

OK, perhaps you could make it a bit more transparent then.

> http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
> 
> Yes, we need to get things solidified, and I thought they were pretty much there.
> I have been watching bugtraq and reporting bugs as needed. The simplest way
> to go forward is a clear policy.

There are countless other places that need to be watched besides
bugtraq.  Here is a post from Mark Cox, a fellow Red Hat Security Response
Team member, describing our information sources:
http://www.awe.com/mark/blog/security/200603211056.html

Only 14% of issues come from public mailing lists, and while I don't have
the exact number, most of those are not from bugtraq.

What will be needed is a way for the various team members to interact and to
note which issues are outstanding and which issues need attention.  You
can't always just blindly create a bug; there are times you have to triage
an issue to ensure it does or does not affect us.  In the event it doesn't
affect us, it should be noted that it doesn't and why.

I suggest a CVS module that can contain something a bit like these files:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc4?root=fedora&view=markup
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc5?root=fedora&view=markup

I just looked at bugzilla, it seems there are three security bugs for
Extras.  They seem to be from random people.  There should also be some
consistency to the bug reports, such as ensuring each issue has a CVE id,
along with a proper severity.

> 
> Of the things that were unresolved, email notices should be sent to
> fedora-announce, with a copy on a website, security.fedoraproject.org. If need
> be I can host it.

The mail announcements can be done, I'm not too worried about that.

> 
> As far as maintainers dropping support, there is the wiki and fedora-extras.
> 
> For now I guess we could ask Legacy to include some of the SIG members in
> with their embargoed email list.

Dealing with embargoed issues adds a great deal of process.  I would
suggest getting the non-embargoed process worked out, then adding the
ability to handle embargoed issues.

> 
> If the maintainer does not respond in three days, then the SIG will fix the
> issue and release builds.

Has FESCO approved this idea yet?  Part of this process will be
assigning a priority to issues.  It is likely there will be more work than
time, so low issues will probably not get much lovin'.

-- 
    JB
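As an added illustration (not code from this thread, from Fedora, or from the fedora-security module linked in the message), here is a small Python checker for the kind of per-release tracking file proposed above: one record per issue, each with a CVE id, a severity, an open/fixed/not-affected status, and a written reason whenever an issue is triaged as not affecting us. The line format, the severity names and the sample entries are assumptions made up for this example, not the format of the real audit files, and the CVE ids in the sample are placeholders rather than real advisories.

```python
"""Consistency checker for a simple per-release security audit file.

Assumed line format (an assumption for this example, not the real
fedora-security layout):

    <CVE id> <status> <package> <severity> [#<bug>] [-- <reason>]

status is VULNERABLE (open), a package version (fixed in that version),
or ignore (triaged as not affecting us; a reason after "--" is required).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Lower rank is handled first; these names are an assumption, not a Fedora scale.
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


@dataclass
class Entry:
    cve: str
    status: str
    package: str
    severity: str
    bug: Optional[str] = None
    reason: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one audit line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    body, _, reason = line.partition("--")  # free-text reason follows "--"
    fields = body.split()
    if len(fields) < 4:
        # Too short to carry cve/status/package/severity: keep it, flagged.
        return Entry(fields[0] if fields else "", "", "", "",
                     problems=["malformed line"])
    cve, status, package, severity = fields[:4]
    bug = next((f[1:] for f in fields[4:] if f.startswith("#")), None)
    return Entry(cve, status, package, severity, bug, reason.strip() or None)


def check(entry: Entry) -> Entry:
    """Apply the consistency rules: a valid CVE id, a known severity,
    a bug for every open issue, and a reason for every not-affected one."""
    if not CVE_RE.match(entry.cve):
        entry.problems.append("no valid CVE id")
    if entry.severity not in SEVERITY_RANK:
        entry.problems.append(f"unknown severity {entry.severity!r}")
    if entry.status == "VULNERABLE" and entry.bug is None:
        entry.problems.append("open issue has no bug filed")
    if entry.status == "ignore" and entry.reason is None:
        entry.problems.append("marked not affected without saying why")
    return entry


def audit(text: str) -> Dict[str, object]:
    """Summarise the file: open issues in priority order, entries the team
    still needs to attend to, and issues recorded as not affecting us."""
    entries = [check(e) for e in map(parse_line, text.splitlines()) if e]
    open_issues = [e for e in entries if e.status == "VULNERABLE"]
    open_issues.sort(key=lambda e: (SEVERITY_RANK.get(e.severity, 99), e.cve))
    return {
        "outstanding": [e.cve for e in open_issues],
        "needs_attention": {e.cve or "<no id>": e.problems
                            for e in entries if e.problems},
        "not_affected": {e.cve: e.reason for e in entries
                         if e.status == "ignore" and e.reason},
    }


# Constructed sample file; the CVE ids are made up and not real advisories.
SAMPLE_AUDIT = """\
# constructed sample entries
CVE-2006-9001 VULNERABLE foo important #12345
CVE-2006-9002 1.4.2-3 bar moderate #12346
CVE-2006-9003 ignore baz low -- vulnerable code is not compiled in our build
CVE-2006-9004 ignore qux moderate
CVE-2006-9005 VULNERABLE quux critical
bogus-id VULNERABLE corge high #12350
"""

if __name__ == "__main__":
    report = audit(SAMPLE_AUDIT)
    print("outstanding (highest severity first):", report["outstanding"])
    for cve, problems in report["needs_attention"].items():
        print(f"{cve}: {'; '.join(problems)}")
    print("not affected:", report["not_affected"])
```

Run against the sample, the checker lists the two open issues with the critical one first, flags the entry that was waved off without a reason and the open issue with no bug filed, and rejects the record whose id is not a CVE; that is the kind of "which issues are outstanding and which need attention" view the message asks for, without anyone having to re-read the whole file.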




More information about the Fedora-security-list mailing list