Hi,
As SIGs come up and move forward, we are going to need a better established, documented and process-driven security response team. While we can, in a pinch, reach in and request some resources from the Red Hat SRT, they are in no way bound to help or even be involved in the overall CentOS ecosystem, and we should really set up our own group to handle these requests.
In past conversations we had thought of setting up a group of maybe 3 to 5 people, who can triage and communicate with the respective groups of people responsible for the code or infra in question.
This would not only include CentOS resources, but also be the contact point for upstream security notices from projects associated with us. In this case, they would be the people managing security@centos.org, with that email address being the primary contact for projects in the SIGs' upstream as well.
We would also then set up a private security mailing list.
Thoughts? Comments? Feedback?
On 5/20/14, 9:15 PM, Karanbir Singh wrote:
> Hi,
> As SIGs come up and move forward, we are going to need a better established, documented and process-driven security response team. While we can, in a pinch, reach in and request some resources from the Red Hat SRT, they are in no way bound to help or even be involved in the overall CentOS ecosystem, and we should really set up our own group to handle these requests.
> In past conversations we had thought of setting up a group of maybe 3 to 5 people, who can triage and communicate with the respective groups of people responsible for the code or infra in question.
I can help with this. I'm a member of the ruby-core security team and have done lots of security work with Puppet and other projects, so I've got some existing experience with the process.
> This would not only include CentOS resources, but also be the contact point for upstream security notices from projects associated with us. In this case, they would be the people managing security@centos.org, with that email address being the primary contact for projects in the SIGs' upstream as well.
> We would also then set up a private security mailing list.
> Thoughts? Comments? Feedback?
On 20/05/14 16:15, Karanbir Singh wrote:
> Hi,
> As SIGs come up and move forward, we are going to need a better established, documented and process-driven security response team. While we can, in a pinch, reach in and request some resources from the Red Hat SRT, they are in no way bound to help or even be involved in the overall CentOS ecosystem, and we should really set up our own group to handle these requests.
> In past conversations we had thought of setting up a group of maybe 3 to 5 people, who can triage and communicate with the respective groups of people responsible for the code or infra in question.
> This would not only include CentOS resources, but also be the contact point for upstream security notices from projects associated with us. In this case, they would be the people managing security@centos.org, with that email address being the primary contact for projects in the SIGs' upstream as well.
> We would also then set up a private security mailing list.
> Thoughts? Comments? Feedback?
I'm interested and willing to be a part of this.
T
On Tue, May 20, 2014 at 8:15 AM, Karanbir Singh kbsingh@centos.org wrote:
> Thoughts? Comments? Feedback?
+1 on everything you outlined.
-Jeff
On Tue, May 20, 2014 at 04:15:09PM +0100, Karanbir Singh wrote:
> In past conversations we had thought of setting up a group of maybe 3 to 5 people, who can triage and communicate with the respective groups of people responsible for the code or infra in question.
Karanbir,
As per our discussion on IRC yesterday I would like to toss my name into the ring to assist with this in any way that I can. I've been doing this for a little while now (33 years is a short time, right?) and feel that I can contribute to this endeavor.
John