> I do believe there should be another: > E) Ensuring upstream security fixes make it into Fedora packages in a timely manner
Agreed. That's a much bigger task and would take a fair amount of time/effort, but it's definitely one I think we should strive towards.

On Tue, May 10, 2022 at 7:42 AM Justin Forbes <jmfor...@linuxtx.org> wrote:
> On Mon, May 9, 2022 at 8:00 AM JT <j...@obs-sec.com> wrote:
> >
> > All,
> >
> > I'm sending this email to announce that I'm going to start up the weekly Security Meetings in the IRC/Matrix channel. About two months ago I sent in an email to this mailing list and haven't heard any response, and there haven't been any meetings during that period. That's ok. It's an open source project and I know people get busy and priorities change from time to time. I spoke with Matthew Miller and Ben Cotton about stepping up and doing what I can to get the team going again, or at the least give it some sign of life until prior members or new members are able to dedicate time to it.
> >
> > Here's my plan. Currently the wiki states that the security meetings are on Thursday at 15 UTC in #fedora-meeting. To avoid conflicts with other meetings I'm going to hold it at the same time, but within the #fedora-security channel until I can figure out a better time that won't conflict with other meetings and will also be convenient for those in the US and Europe. I may end up changing the time to immediately follow the PgM meetings on Wednesday since I'm around for those as well. But initially it'll be the same time and date as it's currently documented, but in the security channel: #fedora-security:matrix.org
> >
> > My plan is to be a point of contact for the community and projects to report security issues and who have security questions. I'll be getting with the infrastructure guys to get zodbot to join the channel, but in the meantime I'll be taking notes anytime something comes up and saving it. I will be creating a gitlab repo this week, where all meeting logs and notes can be kept as well as being a place where people can create tickets for issues for us to track. When I spoke with Ben he agreed that Gitlab would be a better location than using the wiki since we need a place to store files and track tickets.
> >
> > Since Fedora mostly consumes upstream projects, most of the active security work will be upstream in the respective projects, but there's still work to be done at the Fedora level. Of which I see four primary areas:
> > A) Monitoring things that are reported to the team.
> > B) Reporting and working upstream on any reports/issues that come in
> > C) Managing Community questions about security issues
> > D) Shepherding of long term projects with security impacts
> >
>
> I do believe there should be another:
> E) Ensuring upstream security fixes make it into Fedora packages in a timely manner
>
> Justin
>
> > An example of the last of those would be the systemd service security hardening which came up on the devel mailing list that I have previously spoken with Matthew about shepherding.
> >
> > I'm happy to have assistance from anyone who has time or interest in pitching in.
> >
> > JT
> > _______________________________________________
> > security mailing list -- security@lists.fedoraproject.org
> > To unsubscribe send an email to security-le...@lists.fedoraproject.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/security@lists.fedoraproject.org
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure