rbu 09/04/14 00:59:16

Modified: padawans.xml
Log:
Add references to oss-security list and wiki, CVE ids and the SVN, plus add mabi.

Revision Changes Path
1.70 xml/htdocs/security/en/padawans.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/padawans.xml?rev=1.70&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/padawans.xml?rev=1.70&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/padawans.xml?r1=1.69&r2=1.70

Index: padawans.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/padawans.xml,v
retrieving revision 1.69
retrieving revision 1.70
diff -u -r1.69 -r1.70
--- padawans.xml 10 Mar 2009 10:52:51 -0000 1.69
+++ padawans.xml 14 Apr 2009 00:59:16 -0000 1.70
@@ -11,6 +11,9 @@
<author title="Author">
<mail link="falco@g.o">Raphael Marichez</mail>
</author>
+<author title="Author">
+ <mail link="rbu@g.o">Robert Buchholz</mail>
+</author>

<abstract>
This document contains procedures applying to the security team
@@ -21,8 +24,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
<license/>

-<version>0.3.7</version>
-<date>2008-10-03</date>
+<version>0.3.8</version>
+<date>2009-04-14</date>

<chapter>
<title>Security recruits</title>
@@ -33,7 +36,7 @@
<p>
The recruitment process for security developers is somewhat different from
the mainstream recruitment process. Knowledge of Gentoo specifics is not
-as important as it is for other developers, since they won't have commit
+as important as it is for other developers, since they don't need to have commit
rights to the Portage tree. On the other hand, they must have a good
security background, good knowledge of written English and must progressively
be given more responsibility.</p>
@@ -74,18 +77,24 @@
<ti>Apprentice</ti>
<ti>rbu</ti>
</tr>
-<tr>
+<!-- inactive, rbu 2009-04-14<tr>
<ti>Emanuele Gentili</ti>
<ti>emgent</ti>
<ti>Scout</ti>
<ti>none yet</ti>
-</tr>
+</tr>-->
<tr>
<ti>Lars Hartmann</ti>
<ti>psychoschlumpf</ti>
<ti>Apprentice</ti>
<ti>none yet</ti>
</tr>
+<tr>
+<ti>Matti Bickel</ti>
+<ti>mabi</ti>
+<ti>Apprentice</ti>
+<ti>none yet</ti>
+</tr>
<!-- inactive (vorlon 2008-07-04)
<tr>
<ti>Jule Slootbeek</ti>
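Review bot: the comment opener on the `+<!-- inactive, rbu 2009-04-14<tr>` line runs the annotation straight into the `<tr>` tag and closes with `</tr>-->`, which does not match the convention already used further down in this same hunk (`<!-- inactive (vorlon 2008-07-04)` on its own line, the `<tr>` ... `</tr>` rows left untouched, and the `-->` closer on its own line). Following the existing style keeps the row content verbatim and makes a later re-activation a two-line change instead of an edit inside the row markup. The added row for mabi looks consistent with the neighbouring rows.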
@@ -136,7 +145,7 @@
First step in joining the team is to be a scout. You will have to
follow major security lists and websites (your choice) and submit bugs
for things that are not yet in the
-<uri link="http://tinyurl.com/3nyg7">current Security bugs</uri>.
+<uri link="https://bugs.gentoo.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&product=Gentoo+Security&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=allwords&keywords=&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0=">current Security bugs</uri>.
Search for duplicates in resolved bugs before submitting! We will assign
a senior developer as 'Mentor' to you. He will show you around and answer
all your questions (but don't hesitate to contact any other senior
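Review bot: the new `link` attribute on the `+<uri link="https://bugs.gentoo.org/buglist.cgi?query_format=advanced&short_desc_type=...` line contains raw `&` characters; in an XML attribute value (this file is GuideXML) each one must be written as `&amp;`, otherwise the document is not well-formed and the page build will reject it, so validate the file before committing. Separately, the query string carries about a dozen empty parameters (`short_desc=`, `long_desc=`, `bug_file_loc=`, `status_whiteboard=`, `keywords=`, `email1=`, `email2=`, `bug_id=`, `votes=`, ...) that only pad the URL; keeping `query_format=advanced`, `product=Gentoo+Security` and the four `bug_status` values should produce the same list and is far easier to maintain. Replacing the tinyurl redirector with a direct https link to bugs.gentoo.org is the right call, since readers no longer depend on a third-party redirect to reach the tracker.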
@@ -151,19 +160,35 @@
Unfortunately, this only works for bugs you filed. You will be allowed to edit and move
other bugs around when you are developer on probation.</p>
<p>Finding security bugs can be very difficult and boring, but try to go through the
-slave labor. You can also try to find other tasks that interest you, for example trying
+slave labor. There are several ways to make your life easier. Some primary channels have
+a rather high signal-to-noise ratio like Full Disclosure, but there are also
+other <uri link="http://oss-security.openwall.org/wiki/mailing-lists">mailing
+lists</uri> like oss-security that are more focussed for distribution vendors.
+You might also be interested in secondary channels, for instance, <uri
+link="https://secunia.com/advisories/">Secunia Advisories</uri> can be
+subscribed to via a mailing list, or <uri
+link="http://www.securityfocus.com/bid">BugTraq BIDs</uri> and <uri
+link="http://cve.mitre.org/">CVE identifiers</uri> can be followed via
+RSS feeds. You can find tools to easily handle newly assigned CVE identifiers, and
+perform other routine tasks in the <uri
+link="http://overlays.gentoo.org/proj/security/timeline">Security SVN</uri>.
+Please consult the README provided there.</p>
+<p>Furthermore, you can also try to find other tasks that interest you, for example trying
to get in touch with developers that are late with ebuilding and/or stabling or verify
a vulnerability where it's not sure whether or not Gentoo is affected. You could also try
to ask your mentor for a task.</p>
-
<ul>
<li>You will need: A
-<uri link="http://bugs.gentoo.org/createaccount.cgi">Gentoo bugzilla
+<uri link="https://bugs.gentoo.org/createaccount.cgi">Gentoo bugzilla
account</uri></li>
<li>We will provide you: Nothing</li>
<li>Estimated time until promotion: between 2 weeks and a month, but depends on your
personal effort and skills.</li>
</ul>
+<note>
+Do you know how to look up a bug by CVE identifier in the Bug trackers of the
+other distributions? If not, try to find it out or ask your mentor.
+</note>

</body>
</section>
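Review bot: the sentence starting on the `+a rather high signal-to-noise ratio like Full Disclosure, but there are also` line says the opposite of what the contrast needs: the "but there are also other ... lists like oss-security that are more focussed" clause only makes sense if Full Disclosure is the noisy channel, i.e. a low signal-to-noise ratio (or simply "a lot of noise"). Two smaller wording points in the same paragraph: "more focussed for distribution vendors" reads better as "more focused on distribution vendors", and "Bug trackers" in the new `<note>` should be lower-case "bug trackers". The switch of the createaccount.cgi link from http to https is a good change, since that page takes credentials; the securityfocus, cve.mitre.org and overlays.gentoo.org links added here are still plain http, which is fine for read-only references but worth keeping in mind.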
@@ -190,6 +215,10 @@
<li>Estimated time until promotion: until we are confident that you are able to
draft quality advisories. That should take roughly a month if you are good.</li>
</ul>
+<note>
+Have you read more than one page on the <uri
+link="http://oss-security.openwall.org/wiki/">oss-security wiki</uri> yet?
+</note>

</body>
</section>