Brian Gupta wrote:

> As a package maintainer, I always check the dev list, to make sure
> there are no security packages coming out.

What OpenSolaris packages do you maintain?

> One thing that might be useful is to have a dedicated resource within
> security to monitor general security alert info that points out very
> critical high threat vulnerabilities. The security community would
> have the authority to push the maintainer (me) to push out a code fix
> faster than I might otherwise have done so.
>
> I'm not sure how the governing logistics would work, but is the idea
> sound, or redundant?

We do need to do something here, but I think the coordination needs to be with the distributions and the consolidations (ones like ON, X, JDS etc.) hosted on opensolaris.org.

For Solaris and Solaris Express we have a process internal to Sun. That process won't migrate externally as is, but we know we need to do something as a community. I say that both as a founding leader of this OpenSolaris security community and as a member of the internal-to-Sun virtual team that does the security coordination; it is both a tools and process issue why what we do today wouldn't work for OpenSolaris.

Some of how we do this coordination will IMO need input from the OpenSolaris OGB, because we don't want to push the info out to everyone via the security community when responsible/managed disclosure for vulnerabilities is in play. We need to have good control and trust in these cases of who gets information. How does a distro do this? When is a distro sufficiently established that it can participate (consider that in theory one could set up a distro purely to get early notification if this isn't managed well)?

Thanks for kick-starting the discussion; I've changed the title to reflect the topic.

--
Darren J Moffat