Merging Core and Extras affecting security updates

Josh Bressers bressers at redhat.com
Tue Jan 16 21:50:25 UTC 2007


> <snip>
> > The biggest missing puzzle piece is the lack of tools.  I'm currently
> > working on some tools to more easily track CVE ids via a clever bugzilla
> > interface.  I have some notes on how I plan to do this elsewhere.  I can
> > post them at a later date if anyone is interested.  The bigger tool I'm
> > looking for is the package release tool.  It's likely that the security
> > team will want to view the text of all security updates and edit it if
> > needed.  I've mailed lmacken requesting this ability, he has informed me
> > that the functionality is there. I'm of the impression that as long as the
> > team has the right tools, we can operate very efficiently and handle the
> > current inflow of issues.
> 
> What would be nice, I think, is a tool that puts CVEs with packages even before 
> bugzilla tickets are filed.  This would need to tie into the package 
> database under development and the CVE database.  So we could see what CVEs 
> are out there for what packages we have and bugzilla tickets filed, and 
> would ignore CVEs for things we don't package.

I would love to see something like this, but sadly there isn't a nice
automated way to match a CVE id to a given package.  I'd gladly hear ideas
on how to do this.

> 
> I wonder if we should have monthly meetings, at least while a framework is 
> being developed.  
> 
> How exactly is security handled inside Red Hat?  Can we use existing 
> frameworks' tools?

I'm rather anti-meeting, as they usually just end up creating an overly
complex and mostly unusable process.  I'd much rather see us make things up
as we go along to see what works and what doesn't, and keep the things that
work.

As for security inside Red Hat, it's a rather manual effort.  We track
things via a CVS repository, which doesn't really scale very well.  Our
biggest advantage is the rather loose process we follow.  The team is nimble
since it's not encumbered by an overly complex process.  We can easily find
the people we need for any given tasks, which makes our lives much easier
during crunch time.

The fabled tools I speak of will also probably be used inside Red Hat as
well, given the overlap that will exist.  My challenge now is to find some
time to start working on them :)

-- 
    JB
