On Mon, Mar 12, 2012 at 5:15 AM, Olav Vitters <[email protected]> wrote:
> I was asked by someone from RH if he could basically join the "GNOME
> security team" as a generic security person. Meaning: not favouring or
> representing RH.
>
> This means:
> - joining [email protected]
>   separate list; it is possible to add other people
> - seeing all "security" marked bugs
>   no clue if r-t members can do this atm; basically the bugs restricted
>   to developers.. e.g. vte_developers group
>
> I think our current policy is something like:
> - File private bug, let maintainer deal with it.
>
> If we let non-r-t people on [email protected], we could have something
> like:
> - File private bug
> - Announce to other distribution
> - CVE numbers and stuff
> - documented policy
> => basically: have those security people deal with this stuff instead of
> r-t (we'd still receive copies)
>
> I think we should:
> - make a policy on what happens to those bugs
> - ensure at least one person from RH/SUSE/Canonical is on there. IMO 3
>   non-release-team people is enough. Once there are 3, those security
>   people can add other security people as they see fit, within certain
>   limits (like r-t membership). The actual permissions to add them would
>   be handled elsewhere though (bugmaster@ for Bugzilla, sysadmin
>   probably for [email protected]).
> => basically setup a "GNOME security group"
> - announce it publicly
I agree that we are lacking a bit of policy and clarity, mostly around escalation. In this case, I had assumed that Marc would go through the usual cross-distro security channels to make this thing known, which is why I didn't directly talk to our security people (i.e. Huzaifas).

I basically agree with Olav's proposal. One thing I might add is that we should have a few questions to ask whenever something comes in via [email protected]:

- Is this actually a security issue?
- Do we need to escalate it?
- If yes, who is doing it?

Having some security professionals reading [email protected] can only help in answering these.

Matthias

_______________________________________________
[email protected]
http://mail.gnome.org/mailman/listinfo/release-team
Release-team lurker? Do NOT participate in discussions.
