Diffstat (limited to 'zarb-ml/mageia-dev/20110416/004006.html')
-rw-r--r-- | zarb-ml/mageia-dev/20110416/004006.html | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/20110416/004006.html b/zarb-ml/mageia-dev/20110416/004006.html new file mode 100644 index 000000000..656ef5bb6 --- /dev/null +++ b/zarb-ml/mageia-dev/20110416/004006.html 
@@ -0,0 +1,159 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Meeting for secteam start + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Meeting%20for%20secteam%20start&In-Reply-To=%3Cd93a1a6689e1d4fa886c81c6a8b64073%40www.ephaone.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + + <LINK REL="Next" HREF="004007.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Meeting for secteam start</H1> + <B>Michael Scherer</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Meeting%20for%20secteam%20start&In-Reply-To=%3Cd93a1a6689e1d4fa886c81c6a8b64073%40www.ephaone.org%3E" + TITLE="[Mageia-dev] Meeting for secteam start">misc at zarb.org + </A><BR> + <I>Sat Apr 16 10:10:36 CEST 2011</I> + <P><UL> + + <LI>Next message: <A HREF="004007.html">[Mageia-dev] Meeting for secteam start +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#4006">[ date ]</a> + <a href="thread.html#4006">[ thread ]</a> + <a href="subject.html#4006">[ subject ]</a> + <a href="author.html#4006">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE> On Fri, 15 Apr 2011 08:35:40 -0400, Stew Benedict wrote: +><i> Sorry if I break the thread, just signed back up to the list. +</I>><i> Just to kick things off for secteam, I thought I'd list the process +</I>><i> as I +</I>><i> remember it from when I worked with Vincent for a couple of years. 
+</I>><i> Not to say Mageia needs to follow any of this, and as we're a +</I>><i> volunteer +</I>><i> organization, I suspect things will be structured a bit differently +</I>><i> from +</I>><i> a staffing POV than "2 guys mostly dedicated to updates" +</I> + I would personnaly think we should have something as open as possible : + - people could learn from looking on how thing goes ( quite important + to make sure new + blood can come in ) + - not all updates requires secrecy, and I think that most doesn't ( ie, + use + public POC, public patches, or are simply not security related ) + - this would put less pressure on sysadmins to be sure security is not + breached + + So try to be open by default, except if we cannot for some specific + case ( embargo, non public + POC ). This would requires : + - acl on task tracker ( likely bugzilla ) + - some policy about declassification ( ie open issues after publication + if the POC can be published, + or restrict access ) + +><i> Old Process: +</I>><i> +</I>><i> * monitor vendor-sec, discuss vulns, patches, negotiate release +</I>><i> schedule, +</I>><i> also watch other distro updates, for things we may have missed +</I> + We could ask to maintainers to help on that regard, + or, like proposed for mageia-app-db and package testing, have a list of + people + dedicated on gathering such informations. For example, someone say "I + take + care of watching security for libreoffice and will warn secteam if + something need to be done". + +><i> * check our srpm database (Vincent later reworked this) for all the +</I>><i> places the affected source code +</I>><i> may be buried (many packages embed copies of other source) +</I> + I would propose to have a policy of using system wide library and do + not + allow bundled copy ( but this would be likely annoying for some case ). + + And also, if you need some specific support on Sophie, do not hesitate + to ask. 
+ + +><i> * apply/adapt patches for all supported releases/architectures (may +</I>><i> have +</I>><i> been published on vendor-sec, +</I>><i> or from another distro package, or extracted from upstream) +</I>><i> +</I>><i> ** when we we supporting several releases, with Enterprise stuff +</I>><i> being quite old, reworking the patches at times was difficult +</I>><i> ** policy changed over time and these days many things bump up to +</I>><i> a +</I>><i> new release, rather than patching +</I> + Depend on the effort, and the software. While I think minimal change is + good, + not everybody agree so we should discuss to find a common ground or a + policy. + +><i> * build in chroot to preserve the original build env (moved to iurt +</I>><i> around the time I left) +</I>><i> +</I>><i> ** if we had trouble building the package, contact the maintainer +</I>><i> for +</I>><i> help +</I> + This mean that we need to make sure packages are easy to rebuild. But + iurt + helped a lot on that regard. + +><i> * acquire or write a POC (proof of concept) to test that the vuln is +</I>><i> corrected, if not, re-patch/re-test +</I>><i> +</I>><i> * test the app for basic functionality, that we haven't introduced +</I>><i> regressions +</I>><i> +</I>><i> ** bugfix updates went to QA for testing, this was a big +</I>><i> blocker/delay at times +</I>><i> +</I>><i> * upload packages to main mirror, wait a few hours and release the +</I>><i> announcement (we had several scripts +</I>><i> that facilitated getting packages in the right place, signing +</I>><i> them, +</I>><i> uploading, etc.) +</I> + This would be doable with youri, so we need to do some kind of wrapper + around this to + take in account the advisory. Something that would be needed too is a + database + of such advisory ( and so we can start to give id of such advisory such + as MGA-2011-001, etc ). 
+-- + Michael Scherer +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + + <LI>Next message: <A HREF="004007.html">[Mageia-dev] Meeting for secteam start +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#4006">[ date ]</a> + <a href="thread.html#4006">[ thread ]</a> + <a href="subject.html#4006">[ subject ]</a> + <a href="author.html#4006">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
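Review bot: the new page links out to files that this patch does not touch, so please confirm they exist or are added alongside it. The head has `<LINK REL="Next" HREF="004007.html">` and both navigation blocks repeat `Next message: <A HREF="004007.html">`, while the "Messages sorted by" lists point at `date.html#4006`, `thread.html#4006`, `subject.html#4006` and `author.html#4006`; the diffstat shows only `zarb-ml/mageia-dev/20110416/004006.html` being created, so without the sibling message and the four index files with a `4006` anchor these are dangling links. Note also that the page declares `charset=us-ascii`; that holds for the body as written, but any later edit that introduces non-ASCII characters (the author's name or the CEST date line are the likely spots) will need the meta tag updated too.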