I was asked by someone from RH if he could basically join the "GNOME security team" as a generic security person. Meaning: not favouring or representing RH.
This means:
- joining [email protected] (separate list; it is possible to add other people)
- seeing all "security" marked bugs (no clue if r-t members can do this atm; basically the bugs restricted to developers, e.g. the vte_developers group)

I think our current policy is something like:
- File private bug, let maintainer deal with it.

If we let non-r-t people on [email protected], we could have something like:
- File private bug
- Announce to other distributions
- CVE numbers and stuff
- documented policy
=> basically: have those security people deal with this stuff instead of r-t (we'd still receive copies)

I think we should:
- make a policy on what happens to those bugs
- ensure at least one person from RH/SUSE/Canonical is on there. IMO 3 non-release-team people is enough. Once there are 3, those security people can add other security people as they see fit, within certain limits (like r-t membership). The actual permissions to add them would be handled elsewhere though (bugmaster@ for Bugzilla, sysadmin probably for [email protected]).
=> basically set up a "GNOME security group"
- announce it publicly

Log from IRC (including typos):

<huzaifas> hi olav, so i was pointed to you by jonathan blanford, i work for the RH security response team and work with several upstream security groups as well (like mozilla etc)
<huzaifas> i was wondering what would be process to work with gnome on security aspects
<huzaifas> aka get into the gnomes security group?
<bkor> there is not really any security group
<huzaifas> where does [email protected] go?
<bkor> we have [email protected] and that goes to everyone subscribed to [email protected]
<huzaifas> ah interesting
<bkor> which includes current r-t members and previous ones (up to old members to unsubscribe)
<huzaifas> what about security/private bug access?
<bkor> then on bugzilla, I'm not sure if r-t members can see all the security bugs or not, maybe they can, maybe not
<bkor> we do not get a lot of bugs, and usually it is reported elsewhere first
<huzaifas> hmm ok :)
<bkor> e.g. I think there is something like vendorsec or something.. in any case, nobody from the r-t can request CVE numbers or anything
<bkor> I know we got like 3 bugs while I was away for a bit
<huzaifas> there is linux-distros, which has replaced vendor-sec
<bkor> that is exception
<bkor> ^exceptional
<bkor> so, over past week: libgdata, e-d-s, banshee.. all by the same reporter, all also with [email protected] in cc
<bkor> usually, [email protected] just receives spam and complaints about gnome 3
<huzaifas> i see, though the reporter did not send this linux-distros, why only s@ubuntu?
<huzaifas> was he working for ubuntu?
<bkor> ahh.. right, he was working for Ubuntu, so Canonical employee
<huzaifas> that is the reason for joining the gnome security list :)
<bkor> I have 0 idea what to do with security bugs btw
<huzaifas> once they have been patched, open them up and mail oss-security so that other vendors know?
<bkor> which is why I didn't like a [email protected].. because we basically leave it up to the maintainer
<bkor> usually we file bugs publicly, in this case we didn't
<huzaifas> before they are patched, let linux-distros know, so that vendors are aware
<huzaifas> that is exactly my point, i want to join in as a security person and not a RH employee
<bkor> previously, I think Matthias Clasen (on r-t) either fwd'ed stuff from redhat, or let you guys know and deal with it
<bkor> I can ask the r-t dudes about this
<huzaifas> you need someone to understand the security process, there are downstream distros which are affected by gnome issues :)
<bkor> would be nice to at least have a policy on what to do.. the things you say.. well, makes sense, hope it is done :P
<huzaifas> sure, let me know what they think, i can send a mail to someone in case you need to start a thread on this or whatever
<bkor> yeah, and security@ is another list
<bkor> I'll ask r-t, it will be publicly archived discussion of course
<huzaifas> sure, so at this point, i leave it to you :)
<bkor> and I don't want to appear to favour any distribution/company, people would only join because they're security people
<huzaifas> yes that is what i said, i don't want to join as RH contact
<huzaifas> i want to join as a security person
<bkor> ok
<bkor> I'll email r-t, I can cc you
<huzaifas> cool, thanks for your time :)
<bkor> then maybe once we decide that it should be possible, we just add people from really big distributions (so rh, suse, canonical), but as security people, not because they're from that company

-- 
Regards,
Olav
