[OpenIndiana-discuss] [oi-infra] Security Officer(s) (Was: dlc.oi.o, pkg.oi.o -> infra01)

Alasdair Lumsden alasdairrr at gmail.com
Tue Sep 28 22:49:03 UTC 2010


On 28 Sep 2010, at 20:54, Jesus Cea wrote:

> On 28/09/10 12:42, Alasdair Lumsden wrote:
>> We do need security officers who are anal about tracking the security
>> mailing lists though. So far nobody has stepped forward for this task
>> yet.
> 
> What would be the requirements to fulfill that position? My employer is
> a *small* security firm that, maybe, could provide resources.

Hi Jesus,

It wouldn't be extreme - security officers would just need to familiarise themselves with the software + versions that ship with OI and follow various security lists where vulnerabilities are disclosed. When one is disclosed that affects us, they would just need to notify the OpenIndiana person/team responsible for building that software so they know to fix it.

If a security officer had the time or motivation, then providing a patch to the affected software (either by writing it, or obtaining it - some security disclosures include a patch, or a patch could be obtained from another distribution such as Debian, FreeBSD or CentOS) would help the consolidation builder supply a fix faster.

I'd quite like to have a security "team" so we're not dependent upon one person; the team would need a team leader to organise things and that position is open.

If this is something you or anyone else is interested in getting involved with, just let me know :-)

Cheers,

Alasdair

