Hi Joerg!

On Wed, 15 Jan 2014 08:44:44 +0100 Joerg Stephan wrote:
> I would like to contribute to the security response team.
> If any help is needed or any ideas ongoing please point to a good
> starting point.

For clarification, Fedora does not have a security response team as may be known from other distributions. In Fedora, security updates are handled by package maintainers, following the same process as non-security updates.

Besides fixing, there is also reporting work. This aims to ensure that package maintainers are made aware of all security issues reported for their packages. The majority of this reporting work is done by the Red Hat Security Response Team. That is because we already follow various sources to find out about issues in components included in Red Hat products, and also because issues are reported via the same Bugzilla for Fedora and Red Hat products.

What we do not really have capacity for is to closely follow all the tracking bugs that are filed for reported issues. In most cases, they are handled by package maintainers quickly and closed by Bodhi as updates enter stable. However, sometimes bugs remain open. There are many reasons for that: issues don't have any real fix available; issues got fixed, but the bug was not referenced in the update request and was left over; or the maintainer did not get to apply the available patch.

Looking at those bugs and following up on them is one area where you can get involved: offering help with applying fixes if needed, or doing a non-maintainer fix if the package maintainer is non-responsive (proven_packager should be needed in most cases). Example BZ query to find these bugs:

https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora

Related to the above, some bugs filed get no attention at all and get closed after some time by the "helpful" Bug Zapper process. Reviewing those and re-opening or changing their resolution (to e.g. ERRATA or CURRENT/NEXTRELEASE) can help make sure no important issue slips through the cracks. This query searches for CLOSED:WONTFIX bugs (not necessarily wontfixed by Bug Zapper):

https://bugzilla.redhat.com/buglist.cgi?bug_status=CLOSED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora&resolution=WONTFIX

Note there is also a FAS group - security_respons - but it does not have any practical meaning atm. Many folks reporting or fixing issues are not in the group.

I apologize for a delayed response!

-- 
Tomas Hoger / Red Hat Security Response Team

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
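The two review tasks Tomas describes (stale open SecurityTracking bugs, and CLOSED/WONTFIX ones worth a second look) can be scripted so a volunteer can run them regularly instead of eyeballing the buglist pages. The following is an added example, not code from the original mail or from Fedora/Red Hat. It re-expresses the two buglist.cgi filters as parameters for Bugzilla's REST search endpoint (the `/rest/bug` path and the `bugs`, `status`, `resolution`, `component`, `last_change_time` field names are assumptions about the Bugzilla REST API; verify against your server), and runs the triage over a small constructed set of bug records so it works offline. The bug ids, components and dates are fictional.

```python
"""Triage Fedora SecurityTracking bugs (added example, constructed data)."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import urlopen

BUGZILLA = "https://bugzilla.redhat.com"

# Same filters as the two buglist.cgi URLs in the mail, as REST parameters.
# keywords_type=allwords means every listed keyword must be present.
OPEN_TRACKERS = {
    "product": "Fedora",
    "keywords": "SecurityTracking",
    "keywords_type": "allwords",
    "bug_status": ["NEW", "ASSIGNED"],
}
WONTFIX_TRACKERS = {
    "product": "Fedora",
    "keywords": "SecurityTracking",
    "keywords_type": "allwords",
    "bug_status": "CLOSED",
    "resolution": "WONTFIX",
}


def rest_url(params):
    """Build the search URL. /rest/bug is an assumed Bugzilla REST path."""
    return f"{BUGZILLA}/rest/bug?{urlencode(params, doseq=True)}"


def fetch_bugs(params):
    """Live query (not used by the offline demo). Assumes a {'bugs': [...]} reply."""
    with urlopen(rest_url(params)) as resp:
        return json.load(resp)["bugs"]


# Constructed sample records shaped like Bugzilla REST 'bugs' entries,
# limited to the fields the triage needs. None of this is real bug data.
NOW = datetime(2014, 1, 20, tzinfo=timezone.utc)
SAMPLE_BUGS = [
    {"id": 1001, "status": "NEW", "resolution": "", "component": "barapp",
     "last_change_time": "2014-01-18T10:00:00Z"},
    {"id": 1002, "status": "ASSIGNED", "resolution": "", "component": "libfoo",
     "last_change_time": "2013-11-01T09:30:00Z"},
    {"id": 1003, "status": "NEW", "resolution": "", "component": "libfoo",
     "last_change_time": "2013-12-10T16:45:00Z"},
    {"id": 1004, "status": "CLOSED", "resolution": "ERRATA", "component": "barapp",
     "last_change_time": "2014-01-05T12:00:00Z"},
    {"id": 1005, "status": "CLOSED", "resolution": "WONTFIX", "component": "bazd",
     "last_change_time": "2013-12-30T08:00:00Z"},
]


def parse_time(stamp):
    """Bugzilla REST timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_open(bugs, now=NOW, days=30):
    """Open tracking bugs untouched for `days` days: follow-up candidates."""
    cutoff = now - timedelta(days=days)
    return sorted(b["id"] for b in bugs
                  if b["status"] in ("NEW", "ASSIGNED")
                  and parse_time(b["last_change_time"]) < cutoff)


def wontfix_closed(bugs):
    """CLOSED/WONTFIX trackers: check whether the resolution should change."""
    return sorted(b["id"] for b in bugs
                  if b["status"] == "CLOSED" and b["resolution"] == "WONTFIX")


def group_by_component(bugs, ids):
    """Bucket bug ids per package so each maintainer gets one ping."""
    wanted = set(ids)
    grouped = {}
    for b in bugs:
        if b["id"] in wanted:
            grouped.setdefault(b["component"], []).append(b["id"])
    return {comp: sorted(v) for comp, v in grouped.items()}


if __name__ == "__main__":
    print("open-tracker query:   ", rest_url(OPEN_TRACKERS))
    print("wontfix-tracker query:", rest_url(WONTFIX_TRACKERS))
    stale = stale_open(SAMPLE_BUGS)
    print("stale open trackers per component:", group_by_component(SAMPLE_BUGS, stale))
    print("CLOSED/WONTFIX trackers to review:", wontfix_closed(SAMPLE_BUGS))
```

To run it against the real tracker, replace `SAMPLE_BUGS` with `fetch_bugs(OPEN_TRACKERS)` and `fetch_bugs(WONTFIX_TRACKERS)` and pass the current time as `now`; the 30-day threshold is arbitrary and should be tuned to how quickly Bodhi normally closes trackers in your experience.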