Fedora Security Response Team Update

Josh Bressers bressers at redhat.com
Wed Apr 4 15:47:40 UTC 2007


I think it's in the best interest of everyone if I give updates of what's
going on as things happen.  One of my goals is to have a transparent
security team.  This can't happen unless I keep everyone who cares in the
loop.


So far the biggest things done regarding the team are infrastructural
changes.

security at fp.o and secalert at fp.o aliases have been created and now deliver
mail to a private list.  Right now the only members are Luke Macken and
myself.  I'm not sure how to best hand out membership to this list.  Ideas
are welcome.  It's a matter of trust, and part of the challenge here is who
to trust?

I've also requested a Xen instance for various security tools to run on:
http://fedoraproject.org/wiki/Infrastructure/RFR/wiki/Infrastructure/RFR/SecurityResponseTeam


Things to do:

Update the wiki pages.  The current information is pretty slim.  We'll try
to grow these in an organic manner.  It makes more sense to me if we let
process evolve, and document it, rather than documenting, then trying to
use a process.

GPG key.  I'm pondering how to handle this.  There will be groups that want
to send us encrypted mail.  How can we do this in a secure manner (trust is
a big issue here)?

Start the review of FC7.

Task tracking.  How can we do this best?  We theoretically could use
bugzilla, but it's really not ideal for this sort of thing.  There is an
OTRS instance running for the infrastructure group, but I'm afraid, as
I'm told, it's not used much and could go away.  If we have a Xen instance,
we could run our own RT.  I'm not sure if I like this idea though.

???? (Anything else to add)


-- 
    JB