Hello Folks,
I am writing this email from the Flock Fedora conference in Dresden,
Germany. For those who do not know me, I work for the Red Hat Product
Security Team and have been a Fedora contributor for the last eight-odd years.
To keep this short, I intend to reboot the Fedora Security Team. I know
it's been a while since there was some active work here. Also, I don't
intend to keep this limited to just pinging maintainers to patch their
packages.
I have proposed the following initiatives/projects during my talk at
Flock this year.
1. Scan packages for security on package entry!
Package reviewers already use the Fedora-PackageReview package. The Red Hat
Security Team is internally working on a fork of this to include basic
security scanning like searching for CVEs in the NIST database, checking if
any unsafe calls are used, etc. We will contribute this code back to
upstream once it's ready. I propose we use this to ensure new packages
don't have security flaws.
2. Package exit policy:
Details here: https://pagure.io/fesco/issue/1935 and discussion on the
fedora-devel list. I spoke to some FESCo members during Flock this year
and it seems like they think positively about this.
We also discussed sharing stats about maintainers who don't patch
security issues (some sort of public shaming).
3. Scan commits for existing packages to ensure no malicious code is
being introduced:
Have not quite figured this out yet, but it seems this is doable.
4. Fedora Security dashboard:
The intention here is to create a web dashboard showing the current status
of security bugs per distro, sorted according to security impact, and
other useful data. Just to show everyone where we are.
If you can think of anything else, other than the above, do let me know;
I am open to ideas :)
Lastly, if anyone is not interested in continuing their contribution to the
security team, do let me know. If I don't get an email from you stating
that you are still interested in the next two weeks, I will remove your
name from: https://fedoraproject.org/wiki/Security_Team_Roster
The intention is to get a clear picture of who can help with the
above tasks.
--
Huzaifa Sidhpurwala / Red Hat Product Security Team