Hello everyone,

Some of the emails posted on this list show that we did not communicate
enough on what we do on the Security Team and that the current online
resources are not well enough known. Here is a small report that should show
you who we are, what we do and what help we need.

The Gentoo Linux Security project is tasked with timely resolution of
security issues in software provided through the Portage tree. That's
our main task: reaction to known issues and confidential ones, pushing
Gentoo package maintainers and arch teams to provide fixed stable
ebuilds and issuing GLSAs. We also do preventive actions through our
Audit subproject. We do not handle Gentoo Infrastructure security, other
than giving expert advice when we're asked. You will find the Security
project at the following page (linked through "Projects" on the Gentoo
Main Page):

http://www.gentoo.org/proj/en/security/

The main information point for Gentoo Security is the Gentoo Security
page. You will find recent GLSAs, instructions on how to submit security
problems and all online pointers on this main page:

http://security.gentoo.org/

We follow a precise policy when handling these vulnerabilities. You may
remember this was posted for discussion on this list a few months ago.
The current version of this policy is available at the following URL:

http://www.gentoo.org/security/en/vulnerability-policy.xml

Our process is completely open, except when handling non-public
vulnerabilities that are sent to us on condition that we do not publish
them before a specific date. You can observe and join us on the
#gentoo-security Freenode IRC channel, where all Security members hang out.

We've heard a lot of "help them rather than shout at them" talk
recently, and you might wonder what you can do to help us. We mostly
need GLSA Coordinators, to scout for new security bugs, draft and review
GLSAs, handle security bugs and publish GLSAs. This job needs a small
but constant commitment, as you will be assigned security bugs that need
updating at least once per day. You start as a scout, submitting new
vulnerability bugs in Bugzilla and helping to solve security issues, to
finally be appointed as a Gentoo Security developer and send GLSAs under
your own name. You can learn about the security recruitment process at
the Security Padawans page:

http://www.gentoo.org/security/en/padawans.xml

If you are interested in joining, please read the GLSA Coordinators Guide
to see what the job really is about, drop us an email with your name and
background, and start to submit new vulnerabilities and help on
existing bugs (search for bugs owned by security@g.o).

Thanks for your attention,

--
Thierry Carrez
Operational Manager, Gentoo Linux Security Team