Gentoo Archives: gentoo-security

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Security team meeting - Summary
Date: Thu, 09 Sep 2010 21:05:23
In Reply to: [gentoo-security] Security team meeting - September 1 at 18:30 UTC (20:30 CEST) by Matthias Geerdsen
Security Project Meeting 2010-09-01

Roll call
    Alex Legler (a3li)
    Tony Vroon (chainsaw), padawan
    Stefan Behte (craig)
    Raphaƫl Marichez (falco), joined later on during the meeting
    Sune Kloppenborg Jeppesen (jaervosz)
    Tobias Heinlein (keytoaster)
    Pierre-Yves Rofes (py)
    Robert Buchholz (rbu)
    Robin H. Johnson (robbat2), infrastructure representative
    Tim Sammut (underling), padawan
    Matthias Geerdsen (vorlon)
    Kurt Lieber (klieber)
    Ned Ludd (solar)

1. Project status
The Gentoo Security team is functional, but running on low flame. There
is a huge backlog (a huge amount of open bugs and GLSAs that still need
to be sent) and due to a small amount of active members not all bugs are
filed/handled in a timely manner and bigger packages (Firefox, Java,
etc.) are not easy to draft GLSAs for for various reasons.

Some members feel that drafting GLSAs with the old GLSAMaker is a huge PITA.

Not all recruitment requests by both developers and non-developers have
been handled as well as we want them to, due to limited time and resources.

2. Lead election
It has been decided that the Gentoo security team's leads are there to
do administrative stuff (like distributing permissions e.g. on
Bugzilla), to ensure progress, to cast deciding votes, and to act as the
point of contact for encrypted mails.

Robert, Matthias, and Stefan have either opted out of being nominated or
not accepted their nomination due to time issues. Alex and Tobias have
been nominated.

The team has decided unanimously to continue having two leads, and that
those be Alex and Tobias.

3. Population of several mail aliases, bugzilla groups etc.
The following groups/aliases had to be cleaned and updated in order to
ensure that no outdated entries still exist.

3.1 CERT mails
It has been decided that all team members who attended the meeting will
receive the CERT mails. Matthias will put a list together and send it to
the security alias before informing CERT.

3.2 vendor-sec alias
Due to respect for the group, the team decided to have only a limited
number of people subscribed. As such, everyone has been removed from the
alias and only Alex, Tobias, and Stefan have been put on it. The team
agreed to further evaluate subscribing active members at the next meeting.

3.3 "securitymail" group on
The team decided that only the new leads will be allowed to edit mail

3.3 "security" mail alias and "security" group on Bugzilla
The team agreed that every "full" team member should be on/in these. The
leads will have the power to edit them.

4. Handling of the current GLSA and bug queues and how to avoid such
situations in the future
The new GLSAMaker will ease the team's work in huge parts and its
development is currently of utmost importance. Alex and Tobias have
given a summary on the new GLSAMaker: It's in a near-usable state, the
goal is to have our information integrated better, it will replace the
old CVE tracker, it's way easier to draft minor issues, and permission
groups allow for non-team members and new recruits to help with drafting.

Alex and Tobias will see to getting a usable beta version of GLSAMaker2
deployed until Oct 1, 2010, while the rest of the team will try to get
some GLSAs out with the old one.

The team agreed to send "mini-GLSAs" for minor issues, that is a usual
GLSA with shorter description and impact texts, like we did a few months

5. Any other topic
In order to be more open to users, Matthias will draft an announcement
explaining our current situation.

Alex will arrange for a wiki to document todo lists and miscellaneous stuff.

The team will hold meetings more frequently, every 2 or 3 months has
been suggested. The next meeting will be around mid-October to vote on
this and also to check the progress of GLSAMaker2.

There is no further need for the position of the infrastructure liasion
and it has been removed. Robin suggested to bug either him or Ned.

Tobias will merge documentation files from devspaces into our project pages.


File name MIME type
signature.asc application/pgp-signature