Re: security team?



This is just what I've thought of - I'm open to suggestions.

Basically, I think that the security team should monitor security update lists and otherwise just stay aware of the latest patches. When a new version of a program in the repos with security fixes is released, a Task would be created in the Security section. The assignee for that task would need to get an updated receipt ready and test it. If the new receipt works, it would be posted as a file for the task, which would be moved to 50% complete. This would let anyone who desperately needs the fix get a new receipt and cook it immediately. Meanwhile, the maintainer of the outdated package would be contacted and informed of the issue and solution. They could either use the new receipt or rewrite their own, then get the package updated.

As I see it, the main jobs for a security team are to:
a) make sure that issues aren't simply overlooked and get the word out
b) start the process of fixing these vulnerabilities
c) have the infrastructure in place so that a more severe flaw could be addressed without excessive panic or pandemonium

I've added the first task to the new Security section on Labs. We'll see how things go :)

Suggestions for improvement are welcome.

jesse

On Wed, 8 Apr 2009, Russell Dickenson wrote:

On Wed, Apr 8, 2009 at 12:54 AM, jesseblehman@xxxxxxxxx
<jesseblehman@xxxxxxxxx> wrote:
Thank you very much.  I'm very sick today, but as soon as I can concentrate
I'll get things started.  I'd love to get this going :)

Jesse

On Wed, 8 Apr 2009, Christophe Lincoln wrote:


Hello all!

Hi,

I really enjoy using SliTaz.  The combination of excellent packaging
tools and an elegant design makes it the perfect distro for me to
tweak and mess around with.  However, I have an idea that might
improve the distro.  I think that it would be awesome to have a
security page on SliTaz Labs and a security response team to maintain
it.  When one of the packages in the SliTaz repos released a security
update, a team member would add an issue to the Labs page and start to
work on packaging the patched version.  The patched package could be
put online in a separate space until the package maintainer had time
to look at and approve it.

A really, really good initiative! We tried to do our best for 1.0 and the
450 packages, but now with ~1400, we need a security maintainer and
team.

I would be happy to start this and start getting things patched.  This
seems like a really good way to keep SliTaz safe from preventable
security issues.

What are your thoughts?

If you are ok, I will create a new project on the Labs (sub-project of
distro), with default settings. You just have to create an account on
the Labs to be able to configure and manage the security project.

Jesse Lehman

Welcome to the project,
- Christophe


I think this is a great idea and would definitely improve SliTaz.
Perhaps as a start you could describe how the process might work, from
how you're notified of packages needing security fixes, through to an
updated version of that package being available?  Perhaps the process
could be modeled on the approach already taken by other distributions?

It would be useful to somehow get a list of installed packages for
which security issues have been identified.


Regards,

Russell Dickenson
Australia

---
SliTaz GNU/Linux Mailing list - http://www.slitaz.org/