> I do believe there should be another:
> E) Ensuring upstream security fixes make it into Fedora packages in a
> timely manner

Agreed. That's a much bigger task and would take a fair amount of
time/effort, but it's definitely one I think we should strive towards.
On Tue, May 10, 2022 at 7:42 AM Justin Forbes <jmforbes(a)linuxtx.org> wrote:
> On Mon, May 9, 2022 at 8:00 AM JT <jt(a)obs-sec.com> wrote:
> >
> > All,
> >
> > I'm sending this email to announce that I'm going to start up the weekly
> > Security Meetings in the IRC/Matrix channel. About two months ago I sent
> > in an email to this mailing list and haven't heard any response and there
> > haven't been any meetings during that period. That's ok. It's an open
> > source project and I know people get busy and priorities change from time
> > to time. I spoke with Matthew Miller and Ben Cotton about stepping up and
> > doing what I can to get the team going again or at the least give it some
> > sign of life until prior members or new members are able to dedicate time
> > to it.
> >
> > Here's my plan. Currently the wiki states that the security meetings
> > are on Thursday at 15 UTC in #fedora-meeting. To avoid conflicts with
> > other meetings I'm going to hold it at the same time, but within the
> > #fedora-security channel until I can figure out a better time that won't
> > conflict with other meetings and will also be a time convenient for those in
> > the US and Europe. I may end up changing the time to immediately follow
> > the PgM meetings on Wednesday since I'm around for those as well. But
> > initially it'll be the same time and date as it's currently documented but
> > in the security channel: #fedora-security:matrix.org
> >
> > My plan is to be a point of contact for the community and projects to
> > report security issues and who have security questions. I'll be getting
> > with the infrastructure guys to get zodbot to join the channel, but in the
> > meantime I'll be taking notes anytime something comes up and saving it. I
> > will be creating a gitlab repo this week, where all meeting logs and notes
> > can be kept as well as being a place where people can create tickets for
> > issues for us to track. When I spoke with Ben he agreed that Gitlab would
> > be a better location than using the wiki since we need a place to store
> > files and track tickets.
> >
> > Since Fedora mostly consumes upstream projects most of the active
> > security work will be upstream in the respective projects, but there's
> > still work to be done at the Fedora level. Of which I see four primary
> > areas:
> > A) Monitoring things that are reported to the team.
> > B) Reporting and working upstream on any reports/issues that come in
> > C) Managing Community questions about security issues
> > D) Shepherding of long term project with security impacts
> >
>
> I do believe there should be another:
> E) Ensuring upstream security fixes make it into Fedora packages in a
> timely manner
>
> Justin
>
> > An example of the last of those would be the systemd service security
> > hardening which came up on the devel mailing list that I have previously
> > spoken with Matthew about shepherding.
> >
> > I'm happy to have assistance from anyone who has time or interest in
> > pitching in.
> >
> > JT
> > _______________________________________________
> > security mailing list -- security(a)lists.fedoraproject.org
> > To unsubscribe send an email to security-leave(a)lists.fedoraproject.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/security@lists.fedoraprojec...
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>