Fedora Security Response Team

David Eisenstein deisenst at gtw.net
Wed May 10 13:11:08 UTC 2006


Josh Bressers wrote:
> The current plan is to create files called fe4 and fe5 to sit next to the
> fc4 and fc5 files in this location.  The format of fc[45] is currently
> working, so I believe it's the correct way to go initially.

So is there a problem with creating and/or adding fc{3,2,1} rhl{7,9} files
here as well to track CVE issues with you all for Fedora Legacy issues?

If it's not a problem, I am wondering if any of you have any thoughts or
suggestions on how to go about generating such lists?

> 
> Those of you interested in being a part of the security response team will
> need to send me your fedora account system username.  I can then add access
> and provide further instructions.

Probably would be a good idea to add me as well, if you don't mind, Josh,
since Fedora Legacy *is* security and critical updates to older distros.
That's all I and other Fedora Legacy workers do.  My fedora account system
username is uh, "questor", <deisenst at gtw.net>.  Thanks.

> 
> <snip>
>
> At this point, there should be three primary focal points for the security
> response team.
> 
> 1) Tracking new issues
> 2) Tracking old issues
> 3) Documentation
> 
> #1 and #3 are entertaining tasks.  #2 is going to be painful and horrible.
> I'm not sure how far back we should go in CVE space.  I guess as far back
> as we can with people willing to do the work.  These tasks do require a
> manifest, which we don't technically have yet, but should soon.

Um ... since we've never started a list for Fedora Legacy for all the CVEs
that ever existed (or at least since the Fedora Legacy project has existed),
is the creation and maintenance of these going to be torturous and cumbersome?

Legacy tends to work on issues by sets of related CVE #s, opening one Legacy
Bugzilla ticket per .src.rpm package (or related packages) to handle all the
distros that a given (set of) CVEs address for that (those) package(s).  We
also use package codes in the "Status Whiteboard" to indicate which distros
for a given package are affected by those CVEs.  We therefore tend to
ignore the actual version tag at the top of a Bugzilla report (often setting
it to the legacy-specific value "unspecified") unless a vulnerability only
affects one of the 5 distros we maintain.

Due to this way of working with bugs, and to reduce duplication, my
temptation is to suggest that, if legacy may also maintain CVE status
file(s) there in CVS, for legacy's use, we just use one file (maybe name it
'legacy'?) with all the CVE entries, and mark each individual CVE line for
which particular distros that CVE affects (or at least seems to affect).
Doing this in lieu of maintaining 5 separate files with 5 separate
copies of all the CVE numbers would seem to be a big labor-saver.  What do
you think, Jesse?  Or anyone else?

Putting together a fairly complete list of all the CVEs and all the
packages that are vulnerable or fixed by all of these CVEs ... ugh, it
indeed sounds like a horrible task!  Are there any plans or thoughts to have
something like "security days" whereby a bunch of us folks can get together
and do the work while yakking it up on an IRC channel, making the process at
least potentially a *little* more fun, and making it possible for us to get
to know one another better?

> Does this all sound sane to everyone else?

Everything sounds sane to me, Josh.  Thanks for taking the ball and running
with it in getting this stuff going.  :-)

	Warm regards,
	David Eisenstein