Fedora Security Response Team

Josh Bressers bressers at redhat.com
Tue May 2 14:35:58 UTC 2006


> 
> I need to fix up some CVS space for things like tools and tracking text
> files.  This repository is here:
> http://cvs.fedora.redhat.com/viewcvs/fedora-security/?root=fedora

I now have the ability to control who has commit access to this space, so
we're in good shape here now.  If you want to check this repository out
anonymously you can do so as such:

cvs -d :pserver:anonymous@cvs.fedora.redhat.com:/cvs/fedora \
co fedora-security

The current plan is to create files called fe4 and fe5 to sit next to the
fc4 and fc5 files in this location.  The format of fc[45] is currently
working, so I believe it's the correct way to go initially.

Those of you interested in being a part of the security response team will
need to send me your fedora account system username.  I can then add access
and provide further instructions.

> 
> We will need a package manifest.  Basically a file that tells us which
> packages and versions we're currently shipping in extras.  A tool to
> generate this will also be needed since we'll want to update this file on a
> regular basis.  Given how fast Extras changes I think this will be the
> easiest way to check if we currently ship package <foo>.

There have been a few scripts that have been brought to my attention for
this.  Unless someone else gets to it first, I'm going to create a "tools"
directory in CVS and add such a script.

> 
> Process needs to be documented on the fedoraproject wiki.  Since we don't
> currently have a process, this is the only thing done :)
> The most important part of this will be making it easy to specify what we
> expect of ourselves.  I hope to have some time this weekend to clean up the
> security wiki pages a bit.

Sadly I didn't get to this over the weekend.  I'll do what I can this week.


At this point, there should be three primary focal points for the security
response team.

1) Tracking new issues
2) Tracking old issues
3) Documentation

#1 and #3 are entertaining tasks.  #2 is going to be painful and horrible.
I'm not sure how far back we should go in CVE space.  I guess as far back
as we can with people willing to do the work.  These tasks do require a
manifest, which we don't technically have yet, but should soon.


Does this all sound sane to everyone else?

Thanks.

-- 
    JB
