| 1 |
Rick a very good message (and well thought out). |
| 2 |
|
| 3 |
On 3/13/17 4:33 PM, Rich Freeman wrote: |
| 4 |
> On Mon, Mar 13, 2017 at 3:28 PM, Thomas Deutschmann <whissi@g.o> wrote: |
| 5 |
> |
| 6 |
> The two areas that I see as possibly pushing security towards being a |
| 7 |
> special project are: |
| 8 |
> 1. Masking or otherwise directly touching packages without waiting |
| 9 |
> for the maintainer if the timeline passes. |
| 10 |
|
| 11 |
Security team does not like doing this since we do not know the internal |
| 12 |
workings of packages. But sometimes it is very much needed, remember |
| 13 |
"heartblead?". The notification came to our points of contact (Alex |
| 14 |
(a3li) and Tobias (keytoaster)), a private security bug was filed with |
| 15 |
normal rating since the release was within our time-lines. Then in a few |
| 16 |
hours the security team decided to release it. Well I remember all hell |
| 17 |
breaking loose, and at that point direct involvement was involved. |
| 18 |
|
| 19 |
For that reason for something like this I think we need a GLEP for. Not |
| 20 |
to use every day, but lets call it "Emergency Power" that shall NOT be |
| 21 |
abused. |
| 22 |
|
| 23 |
> 2. Being able to represent Gentoo on special security mailing lists |
| 24 |
> that have tight distribution. (If somebody betrays this trust Gentoo |
| 25 |
> could find itself cut off from all such lists, so Gentoo should use |
| 26 |
> care here.) |
| 27 |
|
| 28 |
This is very important. Pre-Notification is on a case by case basis. |
| 29 |
While we can define point of contacts, it is also important as a |
| 30 |
reputation for Gentoo. |
| 31 |
|
| 32 |
Lets say we want to become a CNA, just like other distributions |
| 33 |
(Debian, Red Hat, SUSE, Ubuntu) we need a person that would be |
| 34 |
responsible for coordinating the information and the appropriate |
| 35 |
paperwork and coordinate with Council or Foundation as needed. This can |
| 36 |
not be a free for all. |
| 37 |
|
| 38 |
|
| 39 |
> I'll finally note that there is also a possible compromise. We might |
| 40 |
> make security somewhat special, but decide that its powers aren't that |
| 41 |
> important and so let it self-govern without forced Council |
| 42 |
> interaction. Even so we should probably create some avenue for appeal |
| 43 |
> so that the next time an argument comes up over whether long-term |
| 44 |
> masks vs overlays are the right solution people feel like they had |
| 45 |
> input into the decision. |
| 46 |
|
| 47 |
I think that it is not a power thing but more of a responsibility and |
| 48 |
accountability that is being defined. There is nothing about Governance |
| 49 |
by the council when I read the GLEP. The only thing is the confirmation |
| 50 |
by the Council since they are Privy to a lot more information then all |
| 51 |
the isolated Teams are, and can prevent problems ahead of time. |
| 52 |
|
| 53 |
The GLEP is a draft also and I have already proposed some changes to |
| 54 |
Kristian about some wording. |
| 55 |
|
| 56 |
The idea here is that it is not someone taking away power, but just |
| 57 |
continuing what we have been doing in Security for years and just |
| 58 |
formulating some of the processes by the GLEP. We have always had leads |
| 59 |
that received notifications, communicated on behalf of the team, settled |
| 60 |
problems, etc. |
| 61 |
|
| 62 |
We have always discussed and provided opinions on changes and no one was |
| 63 |
dictated something before discussion (Unless Security Policy specific). |
Archives