Fedora Security Response Team Update

Kevin Fenzi kevin at tummy.com
Wed Apr 4 16:22:40 UTC 2007


On Wed, 04 Apr 2007 11:47:40 -0400
Josh Bressers <bressers at redhat.com> wrote:

> I think it's in the best interest of everyone if I give updates of
> what's going on as things happen.  One of my goals is to have a
> transparent security team.  This can't happen unless I keep everyone
> who cares in the loop.

Excellent. I for one appreciate the updates to the list here... 
> 
> 
> So far the biggest things done regarding the team are infrastructural
> changes.
> 
> security at fp.o and secalert at fp.o aliases have been created and now
> deliver mail to a private list.  Right now the only members are Luke
> Macken and myself.  I'm not sure how to best hand out membership to
> this list.  Ideas are welcome.  It's a matter of trust, and part of
> the challenge here is who to trust?

Well, what are those aliases to be used for? 
Folks mailing in vulnerabilities? 
Coordination with other vendors?

> I've also requested a Xen instance for various security tools to run
> on:
> http://fedoraproject.org/wiki/Infrastructure/RFR/wiki/Infrastructure/RFR/SecurityResponseTeam

Sounds good.

> Things to do:
> 
> Update the wiki pages.  The current information is pretty slim.
> We'll try to grow these in an organic manner.  It makes more sense to
> me if we let process evolve, and document it, rather than
> documenting, then trying to use a process.

Agreed. 

> GPG key.  I'm pondering how to handle this.  There will be groups
> that want to send us encrypted mail.  How can we do this in a secure
> manner (trust is a big issue here).

I think it might be good to have a small group (possibly those on the
alias above?) that has the passphrase. They can always forward to this
list anything that would need more general discussion. 

> Start the review of FC7.

Fun fun. ;) 

> Task tracking.  How can we do this best?  We theoretically could use
> bugzilla, but it's really not ideal for this sort of thing.  There is
> an OTRS instance running for the infrastructure group, but I'm afraid
> when I'm told it's not used much and could go away.  If we have a Xen
> instance, we could run our own RT.  I'm not sure if I like this idea
> though.

I think bugzilla is way too heavy. OTRS is also too much in the way. 
How about a wiki page? People can indicate there what chunks they want
to check?

> ???? (Anything else to add)

Someone should see about getting at least some folks in the security
team the needed CVS access to be able to fix security issues if the
owner of a package is unavailable. Likewise privs in the build and
updates system to be able to build and push these. That's all down the
road I'm sure, but something to keep in mind. 

I'm sure there will be more things coming up...

kevin
