| 1 |
Hello everyone, |
| 2 |
|
| 3 |
Some of the emails posted on this list show that we did not communicate |
| 4 |
enough on what we do on the Security Team and that the current online |
| 5 |
resources are not enough known. Here is a small report that should show |
| 6 |
you who we are, what we do and what help we need. |
| 7 |
|
| 8 |
The Gentoo Linux Security project is tasked with timely resolution of |
| 9 |
security issues in software provided through the Portage tree. That's |
| 10 |
our main task, reaction to known issues and confidential ones, pushing |
| 11 |
Gentoo package maintainers and arch teams to provide fixed stable |
| 12 |
ebuilds and issuing GLSAs. We also do preventive actions through our |
| 13 |
Audit subproject. We do not handle Gentoo Infrastructure security, other |
| 14 |
than giving expert advice when we're asked. You will find the Security |
| 15 |
project at the following page (linked through "Projects" on the Gentoo |
| 16 |
Main Page) : |
| 17 |
|
| 18 |
http://www.gentoo.org/proj/en/security/ |
| 19 |
|
| 20 |
The main information point for Gentoo Security is the Gentoo Security |
| 21 |
page. You will find recent GLSAs, instructions on how to submit security |
| 22 |
problems and all online pointers on this main page : |
| 23 |
|
| 24 |
http://security.gentoo.org/ |
| 25 |
|
| 26 |
We follow a precise policy when handling these vulnerabilities. You may |
| 27 |
remember this was posted for discussion on this list a few months ago. |
| 28 |
The current version of this policy is available at the following URL : |
| 29 |
|
| 30 |
http://www.gentoo.org/security/en/vulnerability-policy.xml |
| 31 |
|
| 32 |
Our process is completely open, except when handling non-public |
| 33 |
vulnerabilities that are sent to us on condition that we do not publish |
| 34 |
them before a specific date. You can observe and join us on the |
| 35 |
#gentoo-security Freenode IRC channel, where all Security members hang out. |
| 36 |
|
| 37 |
We've heard a lot of "help them rather than shout at them" speaks |
| 38 |
recently, and you might wonder what you can do to help us. We mostly |
| 39 |
need GLSA Coordinators, to scout for new security bugs, draft and review |
| 40 |
GLSAs, handle security bugs and publish GLSAs. This job needs a small |
| 41 |
but constant commitment, as you will be assigned security bugs that need |
| 42 |
updating at least once per day. You start as a scout, submitting new |
| 43 |
vulnerability bugs in Bugzilla and helping solving security issues, to |
| 44 |
finally be appointed as a Gentoo Security developer and send GLSAs under |
| 45 |
your own name. You can learn about the security recruitment process at |
| 46 |
the Security Padawans page : |
| 47 |
|
| 48 |
http://www.gentoo.org/security/en/padawans.xml |
| 49 |
|
| 50 |
If you are interested to join, please read the GLSA Coordinators Guide |
| 51 |
to see what the job really is about, drop us an email with your name and |
| 52 |
background, and start to submit new vulnerabilities and help on |
| 53 |
existing bugs (search for bugs owned by security@g.o). |
| 54 |
|
| 55 |
Thanks for your attention, |
| 56 |
|
| 57 |
-- |
| 58 |
Thierry Carrez |
| 59 |
Operational Manager, Gentoo Linux Security Team |
Archives