No edit summary |
mNo edit summary |
||
| Line 24: | Line 24: | ||
Each tracking bug we work on should have a person who owns it for several reasons. It would certainly be inefficient if the work was done twice, and collisions and misunderstandings might occur if two people tried to coordinate fix with upstream and packagers independently. For these reasons, we should indicate the fact we are working on the tracking bug by filling the Whiteboard of the bug with bugzilla login of the owner: | Each tracking bug we work on should have a person who owns it for several reasons. It would certainly be inefficient if the work was done twice, and collisions and misunderstandings might occur if two people tried to coordinate fix with upstream and packagers independently. For these reasons, we should indicate the fact we are working on the tracking bug by filling the Whiteboard of the bug with bugzilla login of the owner: | ||
Whiteboard: fst_owner=<owner> | Whiteboard: fst_owner=<owner> | ||
As <owner> bugzilla login should be used, as it simplifies further management: e.g. it will be easier to CC the owner on other possibly related bugs. For the list of bugzilla logins of Fedora Security Team see <FIX:link to roster>. | As <owner> bugzilla login should be used, as it simplifies further management: e.g. it will be easier to CC the owner on other possibly related bugs. For the list of bugzilla logins of Fedora Security Team see <FIX:link to roster>. | ||
[[Category:Security]] | [[Category:Security]] | ||
Revision as of 20:23, 23 July 2014
The Fedora Security Team's mission is to help get security fixes into Fedora's repositories as soon as possible to help protect the end users.
| IRC Channel | #fedora-security-team[?] #fedora-security[?] |
|---|---|
| Mailing List | security-team - Security Team mailing list security - General security mailing list (good for questions) |
| Meetings | Schedule and Agenda |
| Current issues | Critical Vulnerabilities Important Vulnerabilities Moderate Vulnerabilities Low Vulnerabilities Unknown Vulnerabilities |
How
Red Hat Product Security opens bugs in response to CVEs that get reported by MITRE. A CVE bug is opened along with any tracker bugs that are opened against the individual packages. The tracking bug notifies the package owner of the vulnerability. Generally speaking, the package owner should follow up with upstream to obtain a patch or the fixed source to push out to the repositories.
The problem is that many package owners either don't have time or they don't understand the need of the tracking bug. That's where the Security Team comes in to help. We work with upstream to obtain the fixes and then provide them to the packagers via the tracking bug. We also work with packagers to help them get these fixes into the repositories.
Taking ownership of tracking bugs
Each tracking bug we work on should have a person who owns it for several reasons. It would certainly be inefficient if the work was done twice, and collisions and misunderstandings might occur if two people tried to coordinate fix with upstream and packagers independently. For these reasons, we should indicate the fact we are working on the tracking bug by filling the Whiteboard of the bug with bugzilla login of the owner:
Whiteboard: fst_owner=<owner>
As <owner> bugzilla login should be used, as it simplifies further management: e.g. it will be easier to CC the owner on other possibly related bugs. For the list of bugzilla logins of Fedora Security Team see <FIX:link to roster>.