Re: Introduction

Hi Joerg!

On Wed, 15 Jan 2014 08:44:44 +0100 Joerg Stephan wrote:

> i would like to contribute to the security response team.
> If any help is needed or any ideas ongoing please point to an good
> starting point.

For clarification, Fedora does not have a security response team as may
be known from other distributions.  In Fedora, security updates are
handled by package maintainers, following the same process as
non-security updates.

Besides fixing, there is also reporting work.  This aims to ensure that
package maintainers are made aware of all security issues reported for
their packages.  The majority of this reporting work is done by the Red Hat
Security Response Team.  That is because we already follow various
sources to find out about issues in components included in Red Hat
products, and also because issues are reported via the same Bugzilla
for Fedora and Red Hat products.

What we do not really have capacity for is to closely follow all the
tracking bugs that are filed for reported issues.  In most cases, they
are handled by package maintainers quickly and closed by Bodhi as
updates enter stable.  However, sometimes bugs remain open.  There are
many reasons for that - issues don't have any real fix available,
issues got fixed but the bug was not referenced in the update request and was
left over, or the maintainer did not get to apply the available patch.  Looking
at those bugs and following up on them is one area where you can get
involved: offering help with applying fixes if needed, or doing a
non-maintainer fix if the package maintainer is non-responsive
(proven_packager should be needed in most cases).  Example BZ query to
find these bugs:

https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora

Related to the above, some bugs filed get no attention at all and get
closed after some time by the "helpful" Bug Zapper process.  Reviewing
those and re-opening or changing their resolution (to e.g. ERRATA or
CURRENT/NEXTRELEASE) can help make sure no important issue slips
through the cracks.  This query searches for CLOSED:WONTFIX bugs (not
necessarily wontfixed by Bug Zapper):

https://bugzilla.redhat.com/buglist.cgi?bug_status=CLOSED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora&resolution=WONTFIX

Note there is also a FAS group - security_respons - but it does not
have any practical meaning atm.  Many folks reporting or fixing issues
are not in the group.

I apologize for a delayed response!

-- 
Tomas Hoger / Red Hat Security Response Team
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
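The follow-up work Tomas describes (spot open SecurityTracking bugs that have gone quiet, and re-check CLOSED:WONTFIX ones) is easy to script against Bugzilla. The helper below is an added example, not code from the mail or from Fedora's infrastructure: `buglist_url` rebuilds the two queries quoted above from their parameters, and `triage` applies the mail's rules to a list of bug records. The record fields (`id`, `status`, `resolution`, `keywords`, `last_change_time`) follow the names Bugzilla's REST API uses for bug objects; the bug ids, component names and timestamps are constructed sample data, and the 30-day staleness threshold is an arbitrary assumption, not a Fedora policy.

```python
# Added example: triage helper for Fedora SecurityTracking bugs.
# Not from the mailing list post; field names follow Bugzilla's REST bug
# objects, and every record in SAMPLE_RESPONSE below is constructed.
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

BUGZILLA = "https://bugzilla.redhat.com"


def buglist_url(statuses, resolution=None):
    """Return the buglist.cgi URL for Fedora SecurityTracking bugs in the
    given statuses; parameter order reproduces the queries in the mail."""
    params = [("bug_status", s) for s in statuses]
    params += [("keywords", "SecurityTracking"),
               ("keywords_type", "allwords"),
               ("product", "Fedora")]
    if resolution is not None:
        params.append(("resolution", resolution))
    return f"{BUGZILLA}/buglist.cgi?{urlencode(params)}"


def _parse_time(value):
    # Bugzilla's REST API emits UTC timestamps like "2014-01-15T08:44:44Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(bugs, now, stale_after_days=30):
    """Map bug id -> suggested follow-up, applying the rules from the mail:
    open tracking bugs untouched for a while need a ping or a fix offer,
    CLOSED/WONTFIX ones need a resolution review (ERRATA, CURRENTRELEASE,
    NEXTRELEASE), everything else needs no action.  Records without the
    SecurityTracking keyword are skipped.  The threshold is an assumption."""
    stale_before = now - timedelta(days=stale_after_days)
    actions = {}
    for bug in bugs:
        if "SecurityTracking" not in bug.get("keywords", []):
            continue  # the keyword is what marks a tracking bug
        status, resolution = bug["status"], bug.get("resolution", "")
        if status in ("NEW", "ASSIGNED"):
            if _parse_time(bug["last_change_time"]) < stale_before:
                actions[bug["id"]] = "stale-open: ping maintainer or offer a fix"
            else:
                actions[bug["id"]] = "open: recently active, wait"
        elif status == "CLOSED" and resolution == "WONTFIX":
            actions[bug["id"]] = "review-resolution: WONTFIX may hide a fixed issue"
        else:
            actions[bug["id"]] = "no action"
    return actions


# Constructed sample, shaped like the "bugs" array of a Bugzilla REST response.
SAMPLE_RESPONSE = json.loads("""
{"bugs": [
  {"id": 1001, "component": "example-pkg-a", "status": "NEW", "resolution": "",
   "keywords": ["SecurityTracking"], "last_change_time": "2013-10-01T10:00:00Z"},
  {"id": 1002, "component": "example-pkg-b", "status": "ASSIGNED", "resolution": "",
   "keywords": ["SecurityTracking"], "last_change_time": "2014-01-12T09:30:00Z"},
  {"id": 1003, "component": "example-pkg-c", "status": "CLOSED", "resolution": "WONTFIX",
   "keywords": ["SecurityTracking"], "last_change_time": "2013-12-20T00:00:00Z"},
  {"id": 1004, "component": "example-pkg-d", "status": "CLOSED", "resolution": "ERRATA",
   "keywords": ["SecurityTracking"], "last_change_time": "2014-01-05T00:00:00Z"},
  {"id": 1005, "component": "example-pkg-e", "status": "NEW", "resolution": "",
   "keywords": [], "last_change_time": "2013-09-01T00:00:00Z"}
]}
""")

# Constructed "current time" matching the date of the mail.
NOW = datetime(2014, 1, 15, 8, 44, 44, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(buglist_url(["NEW", "ASSIGNED"]))
    print(buglist_url(["CLOSED"], resolution="WONTFIX"))
    for bug_id, action in sorted(triage(SAMPLE_RESPONSE["bugs"], NOW).items()):
        print(bug_id, action)
```

To run this against live data you would fetch `BUGZILLA + "/rest/bug?" + urlencode(params)` with the same parameters and pass the returned `bugs` array to `triage`; the script itself stays offline so the sample output is reproducible.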
