Re: RFC: creating a security team



On Wed, Mar 21, 2007, Jeff Waugh wrote:
> I brought this issue up a few years ago and learned from it: I tend to think
> the current system (approach distros who go to vendorsec) is the better way
> to go for GNOME. We could certainly document it better. We already have
> private/security permissions in bugzilla (only appears to GNOME hackers).
> I'm not sure we can do this better than the people already doing it.

 Hmm I'm packaging GNOME for a distro, and 1) I was never approached by
 someone from GNOME to tell me about a new and/or hidden security bug
 2) I never heard of new GNOME security issues via our vendorsec
 connection, only a very small set of people in each distro have access
 to it.

 I certainly think it would help to have a central point of contact on
 the GNOME side of things to receive security alerts, provide patches,
 perhaps backports of these patches, or at least coordinate them.  All
 major groups I know have such a point of contact, just like GNOME has
 a press contact!  In fact, plenty of smaller projects have a security
 contact.

 @Jeff, you said you "learned from it", but you give mostly your current
 opinion on a current system.  It would be nice if you could share a
 list of problems you encountered back then.  I can certainly imagine
 there are plenty of problems such as creating a team of competent AND
 responsive persons, but perhaps some of the problems you encountered in
 the past wouldn't be problems today anymore.

-- 
Loïc Minier
