Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: Tobias Heinlein <keytoaster@g.o>
Subject: Re: Security team meeting - Summary
Date: Thu, 09 Sep 2010 22:35:16 +0200
Security Project Meeting 2010-09-01
===================================

Roll call
---------
  here:
    Alex Legler (a3li)
    Tony Vroon (chainsaw), padawan
    Stefan Behte (craig)
    Raphaƫl Marichez (falco), joined later on during the meeting
    Sune Kloppenborg Jeppesen (jaervosz)
    Tobias Heinlein (keytoaster)
    Pierre-Yves Rofes (py)
    Robert Buchholz (rbu)
    Robin H. Johnson (robbat2), infrastructure representative
    Tim Sammut (underling), padawan
    Matthias Geerdsen (vorlon)
  missing:
    Kurt Lieber (klieber)
    Ned Ludd (solar)


1. Project status
-----------------
The Gentoo Security team is functional, but running on low flame. There
is a huge backlog (a huge amount of open bugs and GLSAs that still need
to be sent) and due to a small amount of active members not all bugs are
filed/handled in a timely manner and bigger packages (Firefox, Java,
etc.) are not easy to draft GLSAs for for various reasons.

Some members feel that drafting GLSAs with the old GLSAMaker is a huge PITA.

Not all recruitment requests by both developers and non-developers have
been handled as well as we want them to, due to limited time and resources.


2. Lead election
----------------
It has been decided that the Gentoo security team's leads are there to
do administrative stuff (like distributing permissions e.g. on
Bugzilla), to ensure progress, to cast deciding votes, and to act as the
point of contact for encrypted mails.

Robert, Matthias, and Stefan have either opted out of being nominated or
not accepted their nomination due to time issues. Alex and Tobias have
been nominated.

The team has decided unanimously to continue having two leads, and that
those be Alex and Tobias.


3. Population of several mail aliases, bugzilla groups etc.
-----------------------------------------------------------
The following groups/aliases had to be cleaned and updated in order to
ensure that no outdated entries still exist.


3.1 CERT mails
It has been decided that all team members who attended the meeting will
receive the CERT mails. Matthias will put a list together and send it to
the security alias before informing CERT.


3.2 vendor-sec alias
Due to respect for the group, the team decided to have only a limited
number of people subscribed. As such, everyone has been removed from the
alias and only Alex, Tobias, and Stefan have been put on it. The team
agreed to further evaluate subscribing active members at the next meeting.


3.3 "securitymail" group on dev.gentoo.org
The team decided that only the new leads will be allowed to edit mail
aliases.


3.3 "security" mail alias and "security" group on Bugzilla
The team agreed that every "full" team member should be on/in these. The
leads will have the power to edit them.


4. Handling of the current GLSA and bug queues and how to avoid such
situations in the future
---------------------------------------------------------------------------------------------
The new GLSAMaker will ease the team's work in huge parts and its
development is currently of utmost importance. Alex and Tobias have
given a summary on the new GLSAMaker: It's in a near-usable state, the
goal is to have our information integrated better, it will replace the
old CVE tracker, it's way easier to draft minor issues, and permission
groups allow for non-team members and new recruits to help with drafting.

Alex and Tobias will see to getting a usable beta version of GLSAMaker2
deployed until Oct 1, 2010, while the rest of the team will try to get
some GLSAs out with the old one.

The team agreed to send "mini-GLSAs" for minor issues, that is a usual
GLSA with shorter description and impact texts, like we did a few months
ago.


5. Any other topic
------------------
In order to be more open to users, Matthias will draft an announcement
explaining our current situation.

Alex will arrange for a wiki to document todo lists and miscellaneous stuff.

The team will hold meetings more frequently, every 2 or 3 months has
been suggested. The next meeting will be around mid-October to vote on
this and also to check the progress of GLSAMaker2.

There is no further need for the position of the infrastructure liasion
and it has been removed. Robin suggested to bug either him or Ned.

Tobias will merge documentation files from devspaces into our project pages.

Attachment:
signature.asc (OpenPGP digital signature)
References:
Security team meeting - September 1 at 18:30 UTC (20:30 CEST)
-- Matthias Geerdsen
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Security team meeting - September 1 at 18:30 UTC (20:30 CEST)
Next by thread:
Kernel Security Update Target Delay?
Previous by date:
Re: Security team meeting - September 1 at 18:30 UTC (20:30 CEST)
Next by date:
Kernel Security Update Target Delay?


Updated May 10, 2012

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.