Hi Tomas,

thanks for the reply :-)

So the best thing I could do is learn how to maintain packages and work on 
security-related bug reports to triage them?
Okay, if everybody is fine with this I will try to step into it.

Cheers
 
-- 
Joerg Stephan 
https://fedoraproject.org/wiki/User:Johe



Tomas Hoger <[email protected]> wrote at 14:37 on Thursday, 23 January 2014:
 
>Hi Joerg!
>
>
>On Wed, 15 Jan 2014 08:44:44 +0100 Joerg Stephan wrote:
>
>> I would like to contribute to the security response team.
>> If any help is needed or any ideas ongoing please point to a good
>> starting point.
>
>For a clarification, Fedora does not have a security response team as may
>be known from other distributions.  In Fedora, security updates are
>handled by package maintainers and following the same process as
>non-security updates.
>
>Besides fixing, there is also reporting work.  This aims to ensure that
>package maintainers are made aware of all security issues reported for
>their packages.  Majority of this reporting work is done by Red Hat
>Security Response Team.  That is because we already follow various
>sources to find out about issues in components included in Red Hat
>products, and also because issues are reported via the same Bugzilla
>for Fedora and Red Hat products.
>
>What we do not really have capacity for is to closely follow all the
>tracking bugs that are filed for reported issues.  In most cases, they
>are handled by package maintainers quickly and closed by Bodhi as
>updates enter stable.  However, sometimes bugs remain open.  There are
>many reasons for that - issues don't have any real fix available,
>issues got fixed, but bug was not referenced in update request and was
>left over, or maintainer did not get to apply available patch.  Looking
>at those bugs and following up on them is one area where you can get
>involved.  Offering help with applying fixes if needed, or doing a
>non-maintainer fix if package maintainer is non-responsive
>(proven_packager should be needed in most cases).  Example BZ query to
>find these bugs:
>
>https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora
>
>Related to the above, some bugs filed get no attention at all and get
>closed after some time by the "helpful" Bug Zapper process.  Reviewing
>those and re-opening or changing their resolution (to e.g. ERRATA or
>CURRENT/NEXTRELEASE) can help make sure no important issue slips
>through the cracks.  This query searches for CLOSED:WONTFIX bugs (not
>necessarily wontfixed by Bug Zapper):
>
>https://bugzilla.redhat.com/buglist.cgi?bug_status=CLOSED&keywords=SecurityTracking&keywords_type=allwords&product=Fedora&resolution=WONTFIX
>
>Note there is also a FAS group - security_respons - but it does not
>have any practical meaning atm.  Many folks reporting or fixing issues
>are not in the group.
>
>I apologize for a delayed response!
>
>-- 
>Tomas Hoger / Red Hat Security Response Team
>
>
>
>
--
security mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/security
