Hi,


As SIGs come up and move forward, we are going to need to have a
better established, documented and process-driven security response
team. While we can, in a pinch, reach into and request some resources
from the RedHat SRT, they are in no way bound to help or even be
involved in the overall CentOS Ecosystem, and we should really set up
our own group to handle these requests.


In past conversations we had thought of setting up a group of maybe
3 to 5 people who can triage and communicate with the respective groups
of people responsible for the code or infra in question.


This would not only include CentOS resources, but also be the contact
point for upstream security notices from projects associated with us. In
this case, they would be the people managing security at centos.org, with
that email address being the primary contact for projects in the SIGs'
upstream as well.


We would also then set up a private security mailing list.


Thoughts? Comments? Feedback?




--
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc


  • Sam Kottler at May 20, 2014 at 4:30 pm

    On 5/20/14, 9:15 PM, Karanbir Singh wrote:
    > Hi,
    >
    > As SIGs come up and move forward, we are going to need to have a
    > better established, documented and process-driven security response
    > team. While we can, in a pinch, reach into and request some resources
    > from the RedHat SRT, they are in no way bound to help or even be
    > involved in the overall CentOS Ecosystem, and we should really set up
    > our own group to handle these requests.
    >
    > In past conversations we had thought of setting up a group of maybe
    > 3 to 5 people who can triage and communicate with the respective groups
    > of people responsible for the code or infra in question.

    I can help with this. I'm a member of the ruby-core security team and
    have done lots of security work with Puppet and other projects, so I've
    got some existing experience with the process.

    > This would not only include CentOS resources, but also be the contact
    > point for upstream security notices from projects associated with us. In
    > this case, they would be the people managing security at centos.org, with
    > that email address being the primary contact for projects in the SIGs'
    > upstream as well.
    >
    > We would also then set up a private security mailing list.
    >
    > Thoughts? Comments? Feedback?
  • Trevor Hemsley at May 21, 2014 at 2:27 pm

    On 20/05/14 16:15, Karanbir Singh wrote:
    > Hi,
    >
    > As SIGs come up and move forward, we are going to need to have a
    > better established, documented and process-driven security response
    > team. While we can, in a pinch, reach into and request some resources
    > from the RedHat SRT, they are in no way bound to help or even be
    > involved in the overall CentOS Ecosystem, and we should really set up
    > our own group to handle these requests.
    >
    > In past conversations we had thought of setting up a group of maybe
    > 3 to 5 people who can triage and communicate with the respective groups
    > of people responsible for the code or infra in question.
    >
    > This would not only include CentOS resources, but also be the contact
    > point for upstream security notices from projects associated with us. In
    > this case, they would be the people managing security at centos.org, with
    > that email address being the primary contact for projects in the SIGs'
    > upstream as well.
    >
    > We would also then set up a private security mailing list.
    >
    > Thoughts? Comments? Feedback?

    I'm interested and willing to be a part of this.

    T
  • Jeff Sheltren at May 21, 2014 at 2:31 pm
    On Tue, May 20, 2014 at 8:15 AM, Karanbir Singh wrote:
    > Thoughts? Comments? Feedback?

    +1 on everything you outlined.

    -Jeff
  • John R. Dennison at May 24, 2014 at 8:01 am

    On Tue, May 20, 2014 at 04:15:09PM +0100, Karanbir Singh wrote:
    > In past conversations we had thought of setting up a group of maybe
    > 3 to 5 people who can triage and communicate with the respective groups
    > of people responsible for the code or infra in question.

    Karanbir,

    As per our discussion on IRC yesterday, I would like to toss my name into
    the ring to assist with this in any way that I can. I've been doing
    this for a little while now (33 years is a short time, right?) and feel
    that I can contribute to this endeavor.

    John
    --
    It is not life and wealth and power that enslave men, but the cleaving to
    life and wealth and power.


    -- Buddha (c. 563-483 BCE)