All,

I'm sending this email to announce that I'm going to start up the weekly Security Meetings in the IRC/Matrix channel. About two months ago I sent in an email to this mailing list and haven't heard any response, and there haven't been any meetings during that period. That's OK. It's an open source project and I know people get busy and priorities change from time to time. I spoke with Matthew Miller and Ben Cotton about stepping up and doing what I can to get the team going again or at the least give it some sign of life until prior members or new members are able to dedicate time to it.

Here's my plan. Currently the wiki states that the security meetings are on Thursday at 15 UTC in #fedora-meeting. To avoid conflicts with other meetings I'm going to hold it at the same time, but within the #fedora-security channel until I can figure out a better time that won't conflict with other meetings and will also be a convenient time for those in the US and Europe. I may end up changing the time to immediately follow the PgM meetings on Wednesday since I'm around for those as well. But initially it'll be the same time and date as it's currently documented but in the security channel: #fedora-security:matrix.org

My plan is to be a point of contact for the community and projects to report security issues and who have security questions. I'll be getting with the infrastructure guys to get zodbot to join the channel, but in the meantime I'll be taking notes anytime something comes up and saving it. I will be creating a GitLab repo this week, where all meeting logs and notes can be kept as well as being a place where people can create tickets for issues for us to track. When I spoke with Ben he agreed that GitLab would be a better location than using the wiki since we need a place to store files and track tickets.

Since Fedora mostly consumes upstream projects, most of the active security work will be upstream in the respective projects, but there's still work to be done at the Fedora level, of which I see four primary areas:
A) Monitoring things that are reported to the team
B) Reporting and working upstream on any reports/issues that come in
C) Managing community questions about security issues
D) Shepherding of long-term projects with security impacts

An example of the last of those would be the systemd service security hardening which came up on the devel mailing list that I have previously spoken with Matthew about shepherding.   

I'm happy to have assistance from anyone who has time or interest in pitching in.  

JT