No edit summary |
|||
| (4 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
{{old}} | |||
[[File:Fedora_Security_Team.png|200px|right|Fedora Security Team logo]] | [[File:Fedora_Security_Team.png|200px|right|Fedora Security Team logo]] | ||
| Line 9: | Line 11: | ||
* '''IRC''': | * '''IRC''': | ||
** {{fpchat|#fedora-security | ** {{fpchat|#fedora-security}} - Security Team IRC channel | ||
* '''Mailing lists''': | * '''Mailing lists''': | ||
** {{fplist|security | ** {{fplist|security}} - Security Team mailing list | ||
* '''Weekly meetings''': | * '''Weekly meetings''': | ||
** Every Thursday at | ** Every Thursday at 15:00 UTC. -> [[Security_Team_meetings|Schedule and Agenda]] | ||
=== Security Response === | === Security Response === | ||
| Line 24: | Line 26: | ||
== What we do == | == What we do == | ||
Fedora Security Team (FST) has several missions that try to overlap to make Fedora a more secure operating environment. The following tasks are related to the Fedora security team. | |||
=== Vulnerability Patching Assistance === | |||
The main goal of this task is to make sure that known vulnerabilities are patched and shipped in a timely manner. By assisting package maintainers with patches it is hoped that vulnerability fixes can make to user systems before they become victim of an attack. | |||
=== Security Response === | |||
Security Response is responding to new vulnerabilities in a timely manner. Fedora currently relies on the services of [https://access.redhat.com/security/overview Red Hat Product Security] to process, work with upstream, and work with packagers to address security vulnerabilities. | |||
=== Secure Coding === | |||
Keeping vulnerabilities from being written in the first place should be the goal of any good security team and this team is no different. We strive to create documentation that explains how to avoid common pitfalls in software development and attempt to [https://fedorahosted.org/fedora-security-team/newticket answer any questions] that come our way. | |||
=== Code Auditing === | |||
Another service we'd like to offer in the future, code auditing will hopefully find vulnerabilities in code before a [http://www.techrepublic.com/blog/it-security/hacker-vs-cracker/ cracker] can take advantage. | |||
<!-- | |||
Fedora Security Team aims to ensure that users are protected from vulnerabilities that exist in Fedora packages. Vulnerabilities are reported to Fedora package maintainers via [https://bugzilla.redhat.com/ Bugzilla] by Red Hat Product Security. These bugs are marked with '''keywords: SecurityTracking''' attribute in Bugzilla, for ex. => [https://bugzilla.redhat.com/show_bug.cgi?id=905374 CVE-2013-0333 rubygem-activesupport: json to yaml parsing]. The '''SecurityTracking''' keyword indicates that the bug could have security implications which need to be investigated. | Fedora Security Team aims to ensure that users are protected from vulnerabilities that exist in Fedora packages. Vulnerabilities are reported to Fedora package maintainers via [https://bugzilla.redhat.com/ Bugzilla] by Red Hat Product Security. These bugs are marked with '''keywords: SecurityTracking''' attribute in Bugzilla, for ex. => [https://bugzilla.redhat.com/show_bug.cgi?id=905374 CVE-2013-0333 rubygem-activesupport: json to yaml parsing]. The '''SecurityTracking''' keyword indicates that the bug could have security implications which need to be investigated. | ||
We help package maintainers follow up with upstream developers to obtain a patch or a new release which fixes the issue. Once such patch or a new release is available, the package maintainer then builds a new version of the package and submits an update to the Fedora or EPEL repositories via [https://admin.fedoraproject.org/updates/ Bodhi]. | We help package maintainers follow up with upstream developers to obtain a patch or a new release which fixes the issue. Once such patch or a new release is available, the package maintainer then builds a new version of the package and submits an update to the Fedora or EPEL repositories via [https://admin.fedoraproject.org/updates/ Bodhi]. | ||
=== [https://cve.mitre.org/ CVEs] === | === [https://cve.mitre.org/ CVEs] === | ||
| Line 36: | Line 54: | ||
--> | --> | ||
== How to get involved == | == How to get involved == | ||
=== Joining the team === | === Joining the team === | ||
Joining the Fedora Security Team is an easy, three-step process: | Joining the Fedora Security Team is an easy, three-step process: | ||
# subscribe to the {{fplist|security | # subscribe to the {{fplist|security}} mailing list, | ||
# join us on the {{fpchat|#fedora-security | # join us on the {{fpchat|#fedora-security}} IRC channel, | ||
# take a look at the [[Security Team Tasks]], and | # take a look at the [[Security Team Tasks]], and | ||
# read the [[Security_Team_Work_Flow|work flow]]. | # read the [[Security_Team_Work_Flow|work flow]]. | ||
Revision as of 00:18, 12 April 2024
This page has been marked as "old", and likely contains content that is irrelevant or incorrect. If you can, please update this page. This page will be deleted if action is not taken.
Mission
Fedora Security Special Interest Group (SIG)
Fedora's Security SIG is no separated SIG but it is integrated into the community, and associates and connects contributors and other SIGs that impact security, but also aims to embed security perspectives into other teams and SIGs.
The Security SIG offers a point of exchange and to connect with. It allows users and contributors to have a place where they can go to when it comes to making aware of or discussing security matters, it brings different perspectives in the security discussions together, it embeds security-perspectives into the community and facilitates feedback loops into all areas of Fedora with consolidated security-relevant knowledge.
With the Security SIG as core element, it replaces the former Security Team along with other SIGs and Teams. The Security SIG complements but does not yet replace the Red Hat Product Security.
Contact
The Security SIG has currently two dedicated places to connect and to exchange:
- Matrix channel: #security:fedoraproject.org (Direct Link to Fedora Chat)
- Discourse tag: #security-sig (category Project Discussion in Discourse)
Additionally, experience has shown that the Devel Mailing List has evolved to a major point of exchange and coordination in security matters (e.g., the major point of coordination of the "early hours" of the XZUtils case has become the Devel Mailing List).
Feel free to join the Matrix channel or open a topic with the #security-sig tag in Discourse if there is anything with regards to security you want to discuss, but also consider the Devel Mailing List. The Security SIG is overlapping and intertwined with the Devel Mailing List (so are its contributions).
Some other SIGs with a security emphasis have subordinated themselves within Discourse to the security-tag and have become themselves sub-tags of #security-sig in order to associate themselves with the #security-sig (and thus to connect their debates). So far, these are:
- the #confined-users tag of #security-sig
- the #incident-response tag of #security-sig -> at the moment, the #incident-response SIG/team is to be set up. The tag is monitored by a few Discourse moderators but nothing dedicated yet.
Keep in mind that the communication channels of the Security SIG are public and thus all information shared in these channels is public too. Because the Security SIG is not yet intended to replace the Red Hat Product Security, you might also consider to contact them if your case involves information that should not yet become public (which usually applies if the information can be exploited practically & immediately to conduct attacks against Fedora or other users). Yet, even in such cases, you are encouraged to early let the Security SIG know that you have contacted the Red Hat Product Security because of a given case, without providing information about the case itself.
Getting involved
All users, contributors and SIGs/teams are encouraged to create ties to the Security SIG to introduce a security perspective in their activities and vice versa. Feel free to join the Matrix channel, open a Discourse topic with the respective tag, or if you create a Discourse topic for your own organization, feel free to additionally add a respective tag that is associated with the Security SIG if you would like to get a security perspective about the very matter.
It is also always useful to follow the Devel Mailing List (and contribute if applicable).
If you want to add further sub-tags within the #security-sig in Discourse, feel free to open a topic about it in the Site Help & Feedback category and let the moderators know about your suggestion.
Contact
If you need help or assistance with any issue, please feel free to contact the FST members at
- IRC:
- #fedora-security[?] - Security Team IRC channel
- Mailing lists:
- security - Security Team mailing list
- Weekly meetings:
- Every Thursday at 15:00 UTC. -> Schedule and Agenda
Security Response
To report a vulnerability in software please follow the procedure outlined on the Security Bugs page.
To report a security concern within the Fedora Project please email security at fedoraproject dot org.
What we do
Fedora Security Team (FST) has several missions that try to overlap to make Fedora a more secure operating environment. The following tasks are related to the Fedora security team.
Vulnerability Patching Assistance
The main goal of this task is to make sure that known vulnerabilities are patched and shipped in a timely manner. By assisting package maintainers with patches it is hoped that vulnerability fixes can make to user systems before they become victim of an attack.
Security Response
Security Response is responding to new vulnerabilities in a timely manner. Fedora currently relies on the services of Red Hat Product Security to process, work with upstream, and work with packagers to address security vulnerabilities.
Secure Coding
Keeping vulnerabilities from being written in the first place should be the goal of any good security team and this team is no different. We strive to create documentation that explains how to avoid common pitfalls in software development and attempt to answer any questions that come our way.
Code Auditing
Another service we'd like to offer in the future, code auditing will hopefully find vulnerabilities in code before a cracker can take advantage.
How to get involved
Joining the team
Joining the Fedora Security Team is an easy, three-step process:
- subscribe to the security mailing list,
- join us on the #fedora-security[?] IRC channel,
- take a look at the Security Team Tasks, and
- read the work flow.
Once you feel comfortable just jump in and start helping. If you have questions please ask on IRC or on the mailing list.
Also, please take a look at the proposed Security Team Apprenticeship program as this may help answer additional questions.
This category currently contains no pages or media.