Re: Non-GNOME security people on security gnome org



On Mon, Mar 12, 2012 at 5:15 AM, Olav Vitters <olav vitters nl> wrote:
> I was asked by someone from RH if he could basically join the "GNOME
> security team" as a generic security person. Meaning: not favouring or
> representing RH.
>
> This means:
> - joining security gnome org
>  separate list; it is possible to add other people
> - seeing all "security" marked bugs
>  no clue if r-t members can do this atm; basically the bugs restricted
>  to developers.. e.g. vte_developers group
>
>
> I think our current policy is something like:
> - File private bug, let maintainer deal with it.
>
> If we let non-r-t people on security gnome org, we could have something
> like:
> - File private bug
> - Announce to other distribution
> - CVE numbers and stuff
> - documented policy
> => basically: have those security people deal with this stuff instead of
> r-t (we'd still receive copies)
>
> I think we should:
> - make a policy on what happens to those bugs
> - ensure at least one person from RH/SUSE/Canonical is on there. IMO 3
>  non-release-team people is enough. Once there are 3, those security
>  people can add other security people as they see fit, within certain
>  limits (like r-t membership). The actual permissions to add them would
>  be handled elsewhere though (bugmaster@ for Bugzilla, sysadmin
>  probably for security gnome org).
>  => basically set up a "GNOME security group"
> - announce it publicly

I agree that we are lacking a bit of policy and clarity, mostly around
escalation. In this case, I had assumed that Marc would go through the
usual cross-distro security channels to make this thing known, which
is why I didn't directly talk to our security people (i.e. Huzaifas). I
basically agree with Olav's proposal.

One thing I might add is that we should have a few questions to ask
whenever something comes in via security gnome org:

- Is this actually a security issue?
- Do we need to escalate it?
- If yes, who is doing it?

Having some security professionals reading security gnome org can
only help in answering these.


Matthias

