>
> So we need to get:
> http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy
> in tip-top shape before Thursday. So what suggestions have come up so far:

You should cancel this deadline. If you stick to it you're going to end
up with a lot of poor decisions because they will be rushed. If you do
have something ready by Thursday, good. If not, it's not such a big deal
then.

> Also I think the times should be shorter than suggested by Josh; we're
> talking about ping times here, not time till fix. Maybe we need another
> word here. The biggest problem so far is people who have been dead quiet
> in bugzilla. So if I say the security team takes over if there is no
> response within a week, I mean no response _at all_. If the maintainer
> says "yip, that looks like a problem, I'll look into it", then he has
> responded and the response timer gets reset. So in this case, as long as
> a maintainer makes an entry about his progress every week all is ok and
> the FE security team does not step in. The team could of course offer
> help and suggest fixes, but we won't step in and push a fix; that is left
> to the maintainer.

Pick an arbitrary time for now, whatever you think will work. I have
little doubt one month after you start, they will change :)

> -I would like to suggest to send announcements to the list (and in the
> same format) where FC security announcements get sent. Josh, is this
> possible, can we get direct access, or maybe through you / the whole
> RH-security team?

I don't have control over the fedora announce list. You'll want to ask
notting as he owns that list.

> -The FE security team needs a way to get involved in bugs / fixes where
> all the info is under embargo. Again Josh, can you / the whole
> RH-security team play a role here? We of course only need to be in the
> loop if a package within FE has a hole.

The Red Hat Security Response Team isn't authorized to forward such
information outside of Red Hat.

If you have a concrete plan for dealing with embargoed issues, it may be
possible for Extras to gain membership into the various organizations
that distribute such information. I admit though, this is going to be
difficult given the very public and transparent nature of Extras. I
would suggest you begin by dealing with public issues and once a process
is refined, revisit this issue.

> -I've used the word FE security team instead of SIG above because I
> think to the outside "team" sounds a lot better (professional) than SIG,
> and this will help in being taken seriously by the outside world (for
> embargoes, for example). This has 2 disadvantages however:
> *maintainers could get the idea that the team is responsible for the
> security fixes, which it's not; they (the maintainers) are
> *confusion with the Red Hat security team
> So I'm not sure which name is better, team or sig.

Don't worry about your name, just have a short, clear mission statement.

-- 
JB