[OpenIndiana-discuss] [oi-infra] Security Officer(s) (Was: dlc.oi.o, pkg.oi.o -> infra01)
alasdairrr at gmail.com
Tue Sep 28 22:49:03 UTC 2010
On 28 Sep 2010, at 20:54, Jesus Cea wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 28/09/10 12:42, Alasdair Lumsden wrote:
>> We do need security officers who are anal about tracking the security
>> mailing lists though. So far nobody has stepped forward for this task
> What would be the requirements to fulfill that position? My employer is
> a *small* security firm that, maybe, could provide resources.
It wouldn't be extreme - security officers would just need to familiarise themselves with the software + versions that ship with OI and follow various security lists where vulnerabilities are disclosed. When one is disclosed that affects us, they would just need to notify the OpenIndiana person/team responsible for building that software so they know to fix it.
If a security officer had the time or motivation, then providing a patch to the affected software (either by writing it, or obtaining it - some security disclosures include a patch, or a patch could be obtained from another distribution such as Debian, FreeBSD or CentOS) would help the consolidation builder supply a fix faster.
I'd quite like to have a security "team" so we're not dependent upon one person; the team would need a team leader to organise things and that position is open.
If this is something you or anyone else is interested in getting involved with, just let me know :-)