I think it's in the best interest of everyone if I give updates of what's going on as things happen. One of my goals is to have a transparent security team. This can't happen unless I keep everyone who cares in the loop.

So far the biggest things done regarding the team are infrastructural changes. security@xxxx and secalert@xxxx aliases have been created and now deliver mail to a private list. Right now the only members are Luke Macken and myself. I'm not sure how to best hand out membership to this list. Ideas are welcome. It's a matter of trust, and part of the challenge here is who to trust?

I've also requested a Xen instance for various security tools to run on:
http://fedoraproject.org/wiki/Infrastructure/RFR/wiki/Infrastructure/RFR/SecurityResponseTeam

Things to do:

 * Update the wiki pages. The current information is pretty slim. We'll try to grow these in an organic manner. It makes more sense to me if we let process evolve, and document it, rather than documenting, then trying to use a process.

 * GPG key. I'm pondering how to handle this. There will be groups that want to send us encrypted mail. How can we do this in a secure manner (trust is a big issue here)?

 * Start the review of FC7.

 * Task tracking. How can we do this best? We theoretically could use Bugzilla, but it's really not ideal for this sort of thing. There is an OTRS instance running for the infrastructure group, but I'm afraid when I'm told it's not used much and could go away. If we have a Xen instance, we could run our own RT. I'm not sure if I like this idea though.

 * ???? (Anything else to add)

--
JB

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list