Fedora 7 and the Security Response Team

Kevin Fenzi kevin at tummy.com
Mon Jun 11 15:52:07 UTC 2007


On Mon, 11 Jun 2007 11:42:05 -0400
Josh Bressers <bressers at redhat.com> wrote:

...snip...

> I don't blame you Ville, your effort has been noticed and is
> appreciated. Thanks for the work you've done.

Yeah, I have been lurking in this list for a while and I really
appreciate your efforts Ville. 

> Here is what's going to happen later today. (I was on holiday last
> week and there was a shitstorm of security issues over the past few
> months).  I've been putting this off for too long now.
> 
> I'm going to merge the fc6 and fe6 files.  There are a number of CVE
> ids that are missing from this file.  I have a rather extensive
> private list that I'll merge into this list.  The result is going to
> be an fc7 file that will need a lot of work.
>
> 
> How you can help.

I've been wanting to help, but not sure of practices and procedures
used. 

Perhaps we could clarify a few things for me: 

- Only security bugs with CVE's are tracked? What if we spot something
that has no CVE?

- Should the filed bug have a CC to the list? I guess you mentioned
this above. I think it's probably a good idea so folks can see the
progress of fixes.

- Is there any key for the format of the audit cvs files? 

- Is there any acl on the audit files? Who is allowed to update those?

> Any help will be appreciated and accepted.  Once the FC7 file exists,
> we will need to go through the CVE ids and identify which flaws need
> to be addressed.  Some of the ids will be low hanging fruit that will
> only take a few minutes to verify.  Other will take a long time and
> it's possible you will have to go through source.
> I'm not sure how to section off this file, anyone with any ideas?

Well, if it will be listed in cvs, can't we just have folks go and
update as they process? 

> For the F8 timeline I hope to see bugzilla used extensively for
> tracking CVE ids.  There is now a security response queue which was
> created for this exact purpose.  For F7 though, I'd rather see an
> ugly system than none at all.  We shall worry about the future once
> we have a present.

Quite. 

> Sorry and thanks.

kevin