<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] Meeting for secteam start
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Meeting%20for%20secteam%20start&In-Reply-To=%3Cd93a1a6689e1d4fa886c81c6a8b64073%40www.ephaone.org%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Next" HREF="004007.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] Meeting for secteam start</H1>
<B>Michael Scherer</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Meeting%20for%20secteam%20start&In-Reply-To=%3Cd93a1a6689e1d4fa886c81c6a8b64073%40www.ephaone.org%3E"
TITLE="[Mageia-dev] Meeting for secteam start">misc at zarb.org
</A><BR>
<I>Sat Apr 16 10:10:36 CEST 2011</I>
<P><UL>
<LI>Next message: <A HREF="004007.html">[Mageia-dev] Meeting for secteam start
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#4006">[ date ]</a>
<a href="thread.html#4006">[ thread ]</a>
<a href="subject.html#4006">[ subject ]</a>
<a href="author.html#4006">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE> On Fri, 15 Apr 2011 08:35:40 -0400, Stew Benedict wrote:
><i> Sorry if I break the thread, just signed back up to the list.
</I>><i> Just to kick things off for secteam, I thought I'd list the process
</I>><i> as I
</I>><i> remember it from when I worked with Vincent for a couple of years.
</I>><i> Not to say Mageia needs to follow any of this, and as we're a
</I>><i> volunteer
</I>><i> organization, I suspect things will be structured a bit differently
</I>><i> from
</I>><i> a staffing POV than "2 guys mostly dedicated to updates"
</I>
I would personally think we should have something as open as possible:
- people could learn from looking at how things go (quite important
  to make sure new blood can come in)
- not all updates require secrecy, and I think that most don't (ie,
  use public POC, public patches, or are simply not security related)
- this would put less pressure on sysadmins to be sure security is not
  breached
So try to be open by default, except if we cannot for some specific
case (embargo, non public POC). This would require:
- acl on task tracker (likely bugzilla)
- some policy about declassification (ie open issues after publication
  if the POC can be published, or restrict access)
><i> Old Process:
</I>><i>
</I>><i> * monitor vendor-sec, discuss vulns, patches, negotiate release
</I>><i> schedule,
</I>><i> also watch other distro updates, for things we may have missed
</I>
We could ask maintainers to help in that regard, or, like proposed for
mageia-app-db and package testing, have a list of people dedicated to
gathering such information. For example, someone says "I take care of
watching security for libreoffice and will warn secteam if something
needs to be done".
><i> * check our srpm database (Vincent later reworked this) for all the
</I>><i> places the affected source code
</I>><i> may be buried (many packages embed copies of other source)
</I>
I would propose to have a policy of using system wide libraries and not
allowing bundled copies (but this would likely be annoying for some
cases). And also, if you need some specific support on Sophie, do not
hesitate to ask.
><i> * apply/adapt patches for all supported releases/architectures (may
</I>><i> have
</I>><i> been published on vendor-sec,
</I>><i> or from another distro package, or extracted from upstream)
</I>><i>
</I>><i> ** when we were supporting several releases, with Enterprise stuff
</I>><i> being quite old, reworking the patches at times was difficult
</I>><i> ** policy changed over time and these days many things bump up to
</I>><i> a
</I>><i> new release, rather than patching
</I>
Depends on the effort, and the software. While I think minimal change is
good, not everybody agrees so we should discuss to find a common ground
or a policy.
><i> * build in chroot to preserve the original build env (moved to iurt
</I>><i> around the time I left)
</I>><i>
</I>><i> ** if we had trouble building the package, contact the maintainer
</I>><i> for
</I>><i> help
</I>
This means that we need to make sure packages are easy to rebuild. But
iurt helped a lot in that regard.
><i> * acquire or write a POC (proof of concept) to test that the vuln is
</I>><i> corrected, if not, re-patch/re-test
</I>><i>
</I>><i> * test the app for basic functionality, that we haven't introduced
</I>><i> regressions
</I>><i>
</I>><i> ** bugfix updates went to QA for testing, this was a big
</I>><i> blocker/delay at times
</I>><i>
</I>><i> * upload packages to main mirror, wait a few hours and release the
</I>><i> announcement (we had several scripts
</I>><i> that facilitated getting packages in the right place, signing
</I>><i> them,
</I>><i> uploading, etc.)
</I>
This would be doable with youri, so we need to do some kind of wrapper
around this to take into account the advisory. Something that would be
needed too is a database of such advisories (and so we can start to give
IDs to such advisories such as MGA-2011-001, etc).
--
Michael Scherer
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Next message: <A HREF="004007.html">[Mageia-dev] Meeting for secteam start
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#4006">[ date ]</a>
<a href="thread.html#4006">[ thread ]</a>
<a href="subject.html#4006">[ subject ]</a>
<a href="author.html#4006">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>