Re: I'm starting up the security meetings again

2022-05-11 Thread Michel Alexandre Salim
Hi JT,

On Mon, May 09, 2022 at 09:00:00AM -0400, JT wrote:
> All,
> 
> I'm sending this email to announce that I'm going to start up the weekly
> Security Meetings in the IRC/Matrix channel.  About two months ago I sent
> in an email to this mailing list and haven't heard any response and there
> haven't been any meetings during that period.  That's ok.  It's an open
> source project and I know people get busy and priorities change from time
> to time.  I spoke with Matthew Miller and Ben Cotton about stepping up and
> doing what I can to get the team going again or at the least give it some
> sign of life until prior members or new members are able to dedicate time
> to it.
>
That's good news! I've started doing some security reviews for EPEL, so
this might be something I would like to get involved in, as time
permits.

> Here's my plan.  Currently the wiki states that the security meetings are
> on Thursday at 15 UTC in #fedora-meeting.  To avoid conflicts with other
> meetings I'm going to hold it at the same time, but within the
> #fedora-security channel until I can figure out a better time that won't
> conflict with other meetings and will also be time convenient for those in
> the US and Europe.  I may end up changing the time to immediately follow
> the PgM meetings on Wednesday since I'm around for those as well.   But
> initially it'll be the same time and date as it's currently documented but
> in the security channel: #fedora-security:matrix.org

Unfortunately that's 8 AM here in Pacific Time - and I need to help out
with breakfast. I'll keep an eye on the meeting though, but might only
be intermittently present. If the turnout is good, perhaps use
WhenIsGood to find a new meeting time?

Best regards, and thanks for doing this,

-- 
Michel Alexandre Salim
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2


___
security mailing list -- security@lists.fedoraproject.org
To unsubscribe send an email to security-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/security@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: I'm starting up the security meetings again

2022-05-11 Thread JT
> I do believe there should be another:
> E) Ensuring upstream security fixes make it into Fedora packages in a
> timely manner

Agreed.  That's a much bigger task and would take a fair amount of
time/effort, but it's definitely one I think we should strive towards.

On Tue, May 10, 2022 at 7:42 AM Justin Forbes  wrote:

> On Mon, May 9, 2022 at 8:00 AM JT  wrote:
> >
> > All,
> >
> > I'm sending this email to announce that I'm going to start up the weekly
> > Security Meetings in the IRC/Matrix channel.  About two months ago I sent
> > in an email to this mailing list and haven't heard any response and there
> > haven't been any meetings during that period.  That's ok.  It's an open
> > source project and I know people get busy and priorities change from time
> > to time.  I spoke with Matthew Miller and Ben Cotton about stepping up and
> > doing what I can to get the team going again or at the least give it some
> > sign of life until prior members or new members are able to dedicate time
> > to it.
> >
> > Here's my plan.  Currently the wiki states that the security meetings
> > are on Thursday at 15 UTC in #fedora-meeting.  To avoid conflicts with
> > other meetings I'm going to hold it at the same time, but within the
> > #fedora-security channel until I can figure out a better time that won't
> > conflict with other meetings and will also be time convenient for those in
> > the US and Europe.  I may end up changing the time to immediately follow
> > the PgM meetings on Wednesday since I'm around for those as well.   But
> > initially it'll be the same time and date as it's currently documented but
> > in the security channel: #fedora-security:matrix.org
> >
> > My plan is to be a point of contact for the community and projects to
> > report security issues and who have security questions.  I'll be getting
> > with the infrastructure guys to get zodbot to join the channel, but in the
> > meantime I'll be taking notes anytime something comes up and saving it. I
> > will be creating a gitlab repo this week, where all meeting logs and notes
> > can be kept as well as being a place where people can create tickets for
> > issues for us to track.  When I spoke with Ben he agreed that Gitlab would
> > be a better location than using the wiki since we need a place to store
> > files and track tickets.
> >
> > Since Fedora mostly consumes upstream projects most of the active
> > security work will be upstream in the respective projects, but there's
> > still work to be done at the Fedora level.  Of which I see four primary
> > areas:
> > A) Monitoring things that are reported to the team.
> > B) Reporting and working upstream on any reports/issues that come in
> > C) Managing Community questions about security issues
> > D) Shepherding of long term project with security impacts
> >
>
> I do believe there should be another:
> E) Ensuring upstream security fixes make it into Fedora packages in a
> timely manner
>
> Justin
>
> > An example of the last of those would be the systemd service security
> > hardening which came up on the devel mailing list that I have previously
> > spoken with Matthew about shepherding.
> >
> > I'm happy to have assistance from anyone who has time or interest in
> > pitching in.
> >
> > JT


Re: I'm starting up the security meetings again

2022-05-10 Thread Justin Forbes
On Mon, May 9, 2022 at 8:00 AM JT  wrote:
>
> All,
>
> I'm sending this email to announce that I'm going to start up the weekly 
> Security Meetings in the IRC/Matrix channel.  About two months ago I sent in 
> an email to this mailing list and haven't heard any response and there haven't 
> been any meetings during that period.  That's ok.  It's an open source 
> project and I know people get busy and priorities change from time to time.  
> I spoke with Matthew Miller and Ben Cotton about stepping up and doing what I 
> can to get the team going again or at the least give it some sign of life 
> until prior members or new members are able to dedicate time to it.
>
> Here's my plan.  Currently the wiki states that the security meetings are on 
> Thursday at 15 UTC in #fedora-meeting.  To avoid conflicts with other 
> meetings I'm going to hold it at the same time, but within the 
> #fedora-security channel until I can figure out a better time that won't 
> conflict with other meetings and will also be time convenient for those in 
> the US and Europe.  I may end up changing the time to immediately follow the 
> PgM meetings on Wednesday since I'm around for those as well.   But initially 
> it'll be the same time and date as it's currently documented but in the 
> security channel: #fedora-security:matrix.org
>
> My plan is to be a point of contact for the community and projects to report 
> security issues and who have security questions.  I'll be getting with the 
> infrastructure guys to get zodbot to join the channel, but in the meantime 
> I'll be taking notes anytime something comes up and saving it. I will be 
> creating a gitlab repo this week, where all meeting logs and notes can be 
> kept as well as being a place where people can create tickets for issues for 
> us to track.  When I spoke with Ben he agreed that Gitlab would be a better 
> location than using the wiki since we need a place to store files and track 
> tickets.
>
> Since Fedora mostly consumes upstream projects most of the active security 
> work will be upstream in the respective projects, but there's still work to 
> be done at the Fedora level.  Of which I see four primary areas:
> A) Monitoring things that are reported to the team.
> B) Reporting and working upstream on any reports/issues that come in
> C) Managing Community questions about security issues
> D) Shepherding of long term project with security impacts
>

I do believe there should be another:
E) Ensuring upstream security fixes make it into Fedora packages in a
timely manner

Justin

> An example of the last of those would be the systemd service security 
> hardening which came up on the devel mailing list that I have previously 
> spoken with Matthew about shepherding.
>
> I'm happy to have assistance from anyone who has time or interest in pitching 
> in.
>
> JT


Re: I'm starting up the security meetings again

2022-05-09 Thread JT
Yea, there are a lot of possibilities for things the team can do, and I'm
interested in everyone's ideas.  But at least step #1 is getting the
meetings going again and some basic organization of ideas, tasks, etc.
 That's what I'm going to be focusing on this next week or so.  From there
I'm up for any and all help and ideas from everyone.


On Mon, May 9, 2022 at 9:08 AM Major Hayden  wrote:

> On Mon, May 9, 2022, at 08:00, JT wrote:
> > Since Fedora mostly consumes upstream projects most of the active
> > security work will be upstream in the respective projects, but there's
> > still work to be done at the Fedora level.  Of which I see four primary
> > areas:
> > A) Monitoring things that are reported to the team.
> > B) Reporting and working upstream on any reports/issues that come in
> > C) Managing Community questions about security issues
> > D) Shepherding of long term project with security impacts
>
> I'm glad to help with all of these, especially C. There's also a good
> opportunity for us to be proactive around security with blog posts (Fedora
> Magazine, maybe?) and/or updates to Fedora documentation.
>
> --
> Major Hayden


Re: I'm starting up the security meetings again

2022-05-09 Thread Major Hayden
On Mon, May 9, 2022, at 08:00, JT wrote:
> Since Fedora mostly consumes upstream projects most of the active 
> security work will be upstream in the respective projects, but there's 
> still work to be done at the Fedora level.  Of which I see four primary 
> areas:
> A) Monitoring things that are reported to the team.
> B) Reporting and working upstream on any reports/issues that come in
> C) Managing Community questions about security issues
> D) Shepherding of long term project with security impacts 

I'm glad to help with all of these, especially C. There's also a good 
opportunity for us to be proactive around security with blog posts (Fedora 
Magazine, maybe?) and/or updates to Fedora documentation.

-- 
Major Hayden


I'm starting up the security meetings again

2022-05-09 Thread JT
All,

I'm sending this email to announce that I'm going to start up the weekly
Security Meetings in the IRC/Matrix channel.  About two months ago I sent
in an email to this mailing list and haven't heard any response and there
haven't been any meetings during that period.  That's ok.  It's an open
source project and I know people get busy and priorities change from time
to time.  I spoke with Matthew Miller and Ben Cotton about stepping up and
doing what I can to get the team going again or at the least give it some
sign of life until prior members or new members are able to dedicate time
to it.

Here's my plan.  Currently the wiki states that the security meetings are
on Thursday at 15 UTC in #fedora-meeting.  To avoid conflicts with other
meetings I'm going to hold it at the same time, but within the
#fedora-security channel until I can figure out a better time that won't
conflict with other meetings and will also be time convenient for those in
the US and Europe.  I may end up changing the time to immediately follow
the PgM meetings on Wednesday since I'm around for those as well.   But
initially it'll be the same time and date as it's currently documented but
in the security channel: #fedora-security:matrix.org

My plan is to be a point of contact for the community and projects to
report security issues and who have security questions.  I'll be getting
with the infrastructure guys to get zodbot to join the channel, but in the
meantime I'll be taking notes anytime something comes up and saving it. I
will be creating a gitlab repo this week, where all meeting logs and notes
can be kept as well as being a place where people can create tickets for
issues for us to track.  When I spoke with Ben he agreed that Gitlab would
be a better location than using the wiki since we need a place to store
files and track tickets.

Since Fedora mostly consumes upstream projects most of the active security
work will be upstream in the respective projects, but there's still work to
be done at the Fedora level.  Of which I see four primary areas:
A) Monitoring things that are reported to the team.
B) Reporting and working upstream on any reports/issues that come in
C) Managing Community questions about security issues
D) Shepherding of long term project with security impacts

An example of the last of those would be the systemd service security
hardening which came up on the devel mailing list that I have previously
spoken with Matthew about shepherding.

I'm happy to have assistance from anyone who has time or interest in
pitching in.

JT