On Mon, May 9, 2022 at 8:00 AM JT <jt(a)obs-sec.com> wrote:
> All,
>
> I'm sending this email to announce that I'm going to start up the weekly Security
> Meetings in the IRC/Matrix channel. About two months ago I sent in an email to this
> mailing list and haven't heard any response, and there haven't been any meetings
> during that period. That's ok. It's an open source project and I know people get
> busy and priorities change from time to time. I spoke with Matthew Miller and Ben Cotton
> about stepping up and doing what I can to get the team going again or at the least give it
> some sign of life until prior members or new members are able to dedicate time to it.
>
> Here's my plan. Currently the wiki states that the security meetings are on Thursday
> at 15 UTC in #fedora-meeting. To avoid conflicts with other meetings I'm going to
> hold it at the same time, but within the #fedora-security channel until I can figure out a
> better time that won't conflict with other meetings and will also be convenient
> for those in the US and Europe. I may end up changing the time to immediately follow the
> PgM meetings on Wednesday since I'm around for those as well. But initially
> it'll be the same time and date as it's currently documented, but in the security
> channel: #fedora-security:matrix.org
>
> My plan is to be a point of contact for the community and projects to report security
> issues and for those who have security questions. I'll be getting with the infrastructure guys
> to get zodbot to join the channel, but in the meantime I'll be taking notes anytime
> something comes up and saving them. I will be creating a GitLab repo this week, where all
> meeting logs and notes can be kept, as well as being a place where people can create
> tickets for issues for us to track. When I spoke with Ben he agreed that GitLab would be
> a better location than using the wiki since we need a place to store files and track
> tickets.
>
> Since Fedora mostly consumes upstream projects, most of the active security work will be
> upstream in the respective projects, but there's still work to be done at the Fedora
> level, of which I see four primary areas:
>
> A) Monitoring things that are reported to the team.
> B) Reporting and working upstream on any reports/issues that come in
> C) Managing community questions about security issues
> D) Shepherding of long-term projects with security impacts
I do believe there should be another:
E) Ensuring upstream security fixes make it into Fedora packages in a
timely manner
Justin
> An example of the last of those would be the systemd service security hardening which
> came up on the devel mailing list that I have previously spoken with Matthew about
> shepherding.
>
> I'm happy to have assistance from anyone who has time or interest in pitching
> in.
>
> JT
> _______________________________________________
> security mailing list -- security(a)lists.fedoraproject.org