Merging Core and Extras affecting security updates

Dennis Gilmore dennis at ausil.us
Tue Jan 16 20:51:13 UTC 2007


On Tuesday 16 January 2007 08:19, Josh Bressers wrote:
> With the current plans to merge Fedora Core and Extras, we need to create a
> unified security team to handle the various security flaws that emerge
> within the distribution.  I've been thinking about this quite a bit, and I
> think the goal that needs to be kept in mind is "Keep Fedora users secure".
> That goal is fairly vague on purpose.  Here's how I'm thinking this can be
> done.
>
> Initially, we're going to ignore embargoed issues.  Every time a security
> conversation comes up, people start creating overly complex processes to
> handle them.  Once there is a concrete team and process, this can be
> investigated.  In the meantime, we'll just deal with issues once they're
> public.

This seems sane. :)

<snip>
> The biggest missing puzzle piece is the lack of tools.  I'm currently
> working on some tools to more easily track CVE ids via a clever bugzilla
> interface.  I have some notes on how I plan to do this elsewhere.  I can
> post them at a later date if anyone is interested.  The bigger tool I'm
> looking for is the package release tool.  It's likely that the security
> team will want to view the text of all security updates and edit it if
> needed.  I've mailed lmacken requesting this ability, he has informed me
> that the functionality is there. I'm of the impression that as long as the
> team has the right tools, we can operate very efficiently and handle the
> current inflow of issues.

What would be nice, I think, is a tool that puts CVEs with packages even before 
Bugzilla tickets are filed. This would need to tie into the package 
database under development and the CVE database. So we could see what CVEs 
are out there for what packages we have and which Bugzilla tickets are filed, and 
it would ignore CVEs for things we don't package.

I wonder if we should have monthly meetings, at least while a framework is 
being developed.

How exactly is security handled inside Red Hat? Can we use the existing 
framework's tools?

I really hope we get some of Red Hat's security team involved in Fedora.  


-- 
 ,-._|\    Dennis Gilmore, RHCE
/Aussie\   Proud Australian
\_.--._/   | Aurora | Fedora |
      v    
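As an added illustration of the correlation tool sketched in the message above (not code from this thread or from any Fedora tooling): a small Python join of a CVE feed against the package database and Bugzilla, which lists CVEs that touch shipped packages together with any ticket already filed and drops CVEs for software that is not packaged. The record shapes, names, and the use of the CVE id as a Bugzilla alias are assumptions; all data below is constructed.

```python
# Added example: toy CVE-to-package correlation. Every record here is
# constructed and the data shapes are assumptions, not a real feed format.

# Constructed CVE feed: id -> upstream product names the entry mentions.
CVE_FEED = {
    "CVE-2007-0001": {"products": ["openssl"]},
    "CVE-2007-0002": {"products": ["wordpress"]},   # not packaged: ignored
    "CVE-2007-0003": {"products": ["libxml2", "php"]},
    "CVE-2007-0004": {"products": ["kernel"]},
}

# Constructed package database: upstream name -> (package, collection).
PACKAGE_DB = {
    "openssl": ("openssl", "core"),
    "libxml2": ("libxml2", "core"),
    "php":     ("php", "core"),
    "kernel":  ("kernel", "core"),
    "clamav":  ("clamav", "extras"),
}

# Constructed Bugzilla dump; assumes tickets carry the CVE id as an alias.
BUGZILLA = [
    {"id": 220001, "alias": "CVE-2007-0001", "status": "ASSIGNED"},
    {"id": 220002, "alias": "CVE-2007-0004", "status": "CLOSED"},
]


def triage(cve_feed, package_db, bugs):
    """Return {cve_id: {"packages": [...], "bug": bug_or_None}} for each CVE
    affecting something we ship; CVEs for unpackaged software are dropped."""
    by_alias = {b["alias"]: b for b in bugs}
    result = {}
    for cve_id, entry in cve_feed.items():
        hits = sorted({package_db[p][0] for p in entry["products"]
                       if p in package_db})
        if not hits:
            continue  # nothing in the package database is affected
        result[cve_id] = {"packages": hits, "bug": by_alias.get(cve_id)}
    return result


def needs_ticket(triaged):
    """CVE ids that affect a shipped package but have no Bugzilla ticket yet."""
    return sorted(c for c, info in triaged.items() if info["bug"] is None)


if __name__ == "__main__":
    for cve_id, info in sorted(triage(CVE_FEED, PACKAGE_DB, BUGZILLA).items()):
        bug = info["bug"]
        state = f"bug {bug['id']} ({bug['status']})" if bug else "NO TICKET"
        print(f"{cve_id}: {', '.join(info['packages'])} -> {state}")
```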




More information about the Fedora-security-list mailing list