Talk:Arch Security Team
The plan followed in the page is not very clear to me; I would rather start with a section like mission / objectives before the how to contribute. What do you think? -- Kewl (talk) 10:00, 12 March 2018 (UTC)
- I think it's a good idea, mind sharing an outline here that we can comment/brainstorm on? Sangy (talk) 17:57, 12 March 2018 (UTC)
- I enriched the layout of the Procedure section a bit today without really touching the content. For further changes I will share them here first to brainstorm about them, as suggested. -- Kewl (talk) 11:30, 13 March 2018 (UTC)
- Please see below for drafting; this is an early draft, I have just split Mission vs Contribute so far. -- Kewl (talk) 20:47, 16 March 2018 (UTC)
The mission of the Arch Security Team is to contribute to the improvement of the security of Arch Linux.
The most important duty of the team is to find and track issues assigned a Common Vulnerabilities and Exposures (CVE) identifier. A CVE is public and is identified by a unique ID of the form CVE-YYYY-number.
The team publishes ASAs (Arch Linux Security Advisories), which are Arch-specific warnings disseminated to Arch users. ASAs are scheduled in the tracker for peer review and need two acknowledgments from team members before being published.
The Arch Linux security tracker is a platform used by the Arch Security Team to track packages, add CVEs and generate advisory text.
- An Arch Linux Vulnerability Group (AVG) is a group of CVEs related to a set of packages within the same pkgbase.
- Packages qualified for an advisory must be part of the core, extra, community or multilib repository.
To get involved in the identification of the vulnerabilities, it is recommended to:
- Follow the #archlinux-security IRC channel. It is the main communication medium for reporting and discussing CVEs, packages affected and first fixed package version.
- In order to be warned early about new issues, one can monitor the recommended #Mailing lists for new CVEs, along with other sources if required.
- We encourage volunteers to look over the advisories for mistakes, questions, or comments and to report them in the IRC channel.
- Contributing code to the project is a great way to contribute to the team.
- Derivative distributions that rely on Arch Linux package repositories are encouraged to contribute. This helps the security of all users.