
koon at gentoo
Nov 16, 2004, 3:50 AM
Post #1 of 3
Gentoo Linux Security Team, pointers and help needed
Hello everyone,

Some of the emails posted on this list show that we did not communicate enough on what we do on the Security Team and that the current online resources are not well enough known. Here is a small report that should show you who we are, what we do and what help we need.

The Gentoo Linux Security project is tasked with timely resolution of security issues in software provided through the Portage tree. That's our main task: reaction to known issues and confidential ones, pushing Gentoo package maintainers and arch teams to provide fixed stable ebuilds and issuing GLSAs. We also do preventive actions through our Audit subproject. We do not handle Gentoo Infrastructure security, other than giving expert advice when we're asked.

You will find the Security project at the following page (linked through "Projects" on the Gentoo Main Page):

http://www.gentoo.org/proj/en/security/

The main information point for Gentoo Security is the Gentoo Security page. You will find recent GLSAs, instructions on how to submit security problems and all online pointers on this main page:

http://security.gentoo.org/

We follow a precise policy when handling these vulnerabilities. You may remember this was posted for discussion on this list a few months ago. The current version of this policy is available at the following URL:

http://www.gentoo.org/security/en/vulnerability-policy.xml

Our process is completely open, except when handling non-public vulnerabilities that are sent to us on condition that we do not publish them before a specific date. You can observe and join us on the #gentoo-security Freenode IRC channel, where all Security members hang out.

We've heard a lot of "help them rather than shout at them" talk recently, and you might wonder what you can do to help us. We mostly need GLSA Coordinators, to scout for new security bugs, draft and review GLSAs, handle security bugs and publish GLSAs.

This job needs a small but constant commitment, as you will be assigned security bugs that need updating at least once per day. You start as a scout, submitting new vulnerability bugs in Bugzilla and helping solve security issues, to finally be appointed as a Gentoo Security developer and send GLSAs under your own name. You can learn about the security recruitment process at the Security Padawans page:

http://www.gentoo.org/security/en/padawans.xml

If you are interested in joining, please read the GLSA Coordinators Guide to see what the job really is about, drop us an email with your name and background, and start to submit new vulnerabilities and help on existing bugs (search for bugs owned by security [at] gentoo).

Thanks for your attention,

--
Thierry Carrez
Operational Manager, Gentoo Linux Security Team