
Answering questions regarding the Fedora Security Team


Wow, I had no idea that people would care about the start of this project.  There seem to be a few questions out there that I’d like to address here to clarify what we are doing and why.

OMG!  Fedora is just getting a security team?  Does this mean Fedora has been insecure this entire time?!?

Umm, no, it doesn’t mean that Fedora has been insecure this entire time.  In all actuality Fedora is in pretty good shape overall.  There is always room for improvement and so we’re organizing a team to help facilitate that improvement.

What exactly is the security team responsible for?

We’re here to help packagers get the patches or new releases that fix vulnerabilities into the Fedora repositories faster.  Most of our packagers are very good at shipping fixes for bugs when upstream rolls a new version of their software.  Bug fixes can usually wait a few days, though, as most aren’t critical.  Security vulnerabilities are a bit different and fixes should be made available as soon as possible.  A little helping hand is never a bad thing and that’s what we’re here to do… help.

Can the security team audit package x?

No.  This may become a service a different team (also falling under the Security SIG) can provide but I/we haven’t gotten there yet.

I read where Fedora has 566 vulnerabilities!  How can you say that Fedora isn’t insecure?

Well, it’s actually 573 right this second.  That’s down from 577 last week.  566 was Monday’s number.  It’s important to not get caught up in the numbers because they are, well, just numbers.  The numbers only deal specifically with the number of tickets open.  Many of the tickets are duplicates in that the same vulnerability might have several tickets opened for it if the finding is in only certain Fedora versions and EPEL versions.  Since the same packager is likely responsible for all versions and the same fix can be made, we can likely close several bugs at a time with minimal work.

I should also point out that the majority of these bugs fall well below the “world is on fire” level of Critical and the “this isn’t good” level of Important.  This doesn’t mean we should just ignore these lower vulnerabilities but rather we should understand that they aren’t something that is likely to be exploited without many other bad things happening.  Should they be fixed?  Yes, but we should probably be more concerned with the Critical and Important vulnerabilities first.  If you’d like to know more about the process for coming up with the severity rating my friend Vincent wrote an excellent article that you should read.

“6. Close bug when vulnerability is shipped in Fedora repos.”

Yeah, that isn’t correct.  This is what happens when I try to multi-task.  Glad I don’t get paid to write….  err… never mind.  Luckily it’s a wiki and someone fixed it for me.  Whew!

(We try to not deliberately release a package with a vulnerability.  It seems people don’t appreciate vulnerabilities in the same way they like other features.  Who would have thought?)

I’d like to help!  How can I join up?

Go to the Security Team wiki page and look for the link to the mailing list and IRC channels, sign up, join up, and use the work flow to start digging in.  Questions?  Feel free to ask in the IRC channel or on the mailing list.  You can also contact me directly if you can’t otherwise find the answer to your question.

  1. Leslie Satenstein
    2014-08-01 at 10:06 EDT

    A very interesting challenge. Members will have to be one step ahead of hackers who try to be one step ahead of security team analysts who…

    We need you

  2. Anonymous Coward
    2014-08-07 at 02:44 EDT

    s/Who’d a thought/Who’d have thought/ ?

    • 2014-08-07 at 09:13 EDT

      Thanks. I really shouldn’t write things after a certain hour.

