Hi Tomas,
thanks for the reply :-)
So the best thing I could do is learn how to maintain packages and work on security related bug reports to triage them?
Okay, if everybody is fine with this I will try to step into it.
Cheers
--
Joerg Stephan
https://fedoraproject.org/wiki/User:Johe
Tomas Hoger <thoger@xxxxxxxxxx> wrote on Thursday, 23 January 2014 at 14:37:
Hi Joerg!
On Wed, 15 Jan 2014 08:44:44 +0100 Joerg Stephan wrote:
> i would like to contribute to the security response team.
> If any help is needed or any ideas ongoing please point to an good
> starting point.
For clarification, Fedora does not have a security response team as may
be known from other distributions. In Fedora, security updates are
handled by package maintainers, following the same process as
non-security updates.
Besides fixing, there is also reporting work. This aims to ensure that
package maintainers are made aware of all security issues reported for
their packages. The majority of this reporting work is done by the Red Hat
Security Response Team. That is because we already follow various
sources to find out about issues in components included in Red Hat
products, and also because issues are reported via the same Bugzilla
for Fedora and Red Hat products.
What we do not really have capacity for is to closely follow all the
tracking bugs that are filed for reported issues. In most cases, they
are handled by package maintainers quickly and closed by Bodhi as
updates enter stable. However, sometimes bugs remain open. There are
many reasons for that - issues don't have any real fix available,
issues got fixed but the bug was not referenced in the update request and was
left over, or the maintainer did not get to apply the available patch. Looking
at those bugs and following up on them is one area where you can get
involved. Offering help with applying fixes if needed, or doing a
non-maintainer fix if the package maintainer is non-responsive
(proven_packager should be needed in most cases). Example BZ query to
find these bugs:
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora
Related to the above, some bugs filed get no attention at all and get
closed after some time by the "helpful" Bug Zapper process. Reviewing
those and re-opening or changing their resolution (to e.g. ERRATA or
CURRENT/NEXTRELEASE) can help make sure no important issue slips
through the cracks. This query searches for CLOSED:WONTFIX bugs (not
necessarily wontfixed by Bug Zapper):
https://bugzilla.redhat.com/buglist.cgi?bug_status=CLOSED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora&resolution=WONTFIX
Note there is also a FAS group - security_respons - but it does not
have any practical meaning atm. Many folks reporting or fixing issues
are not in the group.
I apologize for a delayed response!
--
Tomas Hoger / Red Hat Security Response Team
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security