Non-GNOME security people on security gnome org



I was asked by someone from RH if he could basically join the "GNOME
security team" as a generic security person. Meaning: not favouring or
representing RH.

This means:
- joining security gnome org
  separate list; it is possible to add other people
- seeing all "security" marked bugs
  no clue if r-t members can do this atm; basically the bugs restricted
  to developers, e.g. the vte_developers group


I think our current policy is something like:
- File private bug, let maintainer deal with it.

If we let non-r-t people on security gnome org, we could have something
like:
- File private bug
- Announce to other distribution
- CVE numbers and stuff
- documented policy
=> basically: have those security people deal with this stuff instead of
r-t (we'd still receive copies)

I think we should:
- make a policy on what happens to those bugs
- ensure at least one person from RH/SUSE/Canonical is on there. IMO 3
  non-release-team people is enough. Once there are 3, those security
  people can add other security people as they see fit, within certain
  limits (like r-t membership). The actual permissions to add them would
  be handled elsewhere though (bugmaster@ for Bugzilla, sysadmin
  probably for security gnome org).
  => basically setup a "GNOME security group"
- announce it publicly


Log from IRC (including typos):
<huzaifas> hi olav, so i was pointed to you by jonathan blanford, i work
for the RH security response team and work with several upstream
security groups as well (like mozilla etc)
<huzaifas> i was wondering what would be process to work with gnome on
security aspects
<huzaifas> aka get into the gnomes security group?
<bkor> there is not really any security group
<huzaifas> where does security gnome org go?
<bkor> we have security gnome org and that goes to everyone subscribed
to release-team gnome org
<huzaifas> ah interesting
<bkor> which includes current r-t members and previous ones (up to old
members to unsubscribe)
<huzaifas> what about security/private bug access?
<bkor> then on bugzilla, I'm not sure if r-t members can see all the
security bugs or not, maybe they can, maybe not
<bkor> we do not get a lot of bugs, and usually it is reported elsewhere
first
<huzaifas> hmm ok :)
<bkor> e.g. I think there is something like vendorsec or something.. in
any case, nobody from the r-t can request CVE numbers or anything
<bkor> I know we got like 3 bugs while I was away for a bit
<huzaifas> there is linux-distros, which has replaced vendor-sec
<bkor> that is exception
<bkor> ^exceptional
<bkor> so, over past week: libgdata, e-d-s, banshee.. all by the same
reporter, all also with security ubuntu com in cc
<bkor> usually, security gnome org just receives spam and complaints
about gnome 3
<huzaifas> i see, though the reporter did not send this linux-distros,
why only s@ubuntu?
<huzaifas> was he working for ubuntu?
<bkor> ahh.. right, he was working for Ubuntu, so Canonical employee
<huzaifas> that is the reason for joining the gnome security list :)
<bkor> I have 0 idea what to do with security bugs btw
<huzaifas> once they have been patched, open them up and mail
oss-security so that other vendors know?
<bkor> which is why I didn't like a security gnome org.. because we
basically leave it up to the maintainer
<bkor> usually we file bugs publicly, in this case we didn't
<huzaifas> before they are patched, let linux-distros know, so that
vendors are aware
<huzaifas> that is exactly my point, i want to join in as a security
person and not a RH employee
<bkor> previously, I think Matthias Clasen (on r-t) either fwd'ed stuff
from redhat, or let you guys know and deal with it
<bkor> I can ask the r-t dudes about this
<huzaifas> you need someone to understand the security process, there
are downstream distros which are affected by gnome issues :)
<bkor> would be nice to at least have a policy on what to do.. the
things you say.. well, makes sense, hope it is done :P
<huzaifas> sure, let me know what they think, i can send a mail to
someone in case you need to start a thread on this or whatever
<bkor> yeah, and security@ is another list
<bkor> I'll ask r-t, it will be publicly archived discussion of course
<huzaifas> sure, so at this point, i leave it to you :)
<bkor> and I don't want to appear to favour any distribution/company,
people would only join because they're security people
<huzaifas> yes that is what i said, i dont want to join as  RH contact
<huzaifas> i want to join as a security person 
<bkor> ok
<bkor> I'll email r-t, I can cc you
<huzaifas> cool, thanks for your time :)
<bkor> then maybe once we decide that it should be possible, we just add
people from really big distributions (so rh, suse, canonical), but as
security people, not because they're from that company

-- 
Regards,
Olav

