Difference between revisions of "Security Response Team"

From ArchWiki
m (properly marking for deletion)
(page superseded by Arch CVE Monitoring Team, redirect there)
Line 1: Line 1:
[[Category:Arch development]]
#REDIRECT [[Arch CVE Monitoring Team]]
{{Deletion|superseded by [[Arch CVE Monitoring Team]], see [[Talk:Security Response Team|talk page]]}}
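Review bot: the {{Deletion|...}} notice is placed after the #REDIRECT line, so anyone opening the old title is sent straight to [[Arch CVE Monitoring Team]] and never sees it; the template only renders when the page is viewed with redirect=no. Since the redirect already records that the page is superseded, either drop the template or leave the deletion request on the talk page it points to. The revision also removes [[Category:Arch development]], which is fine for a redirect but worth noting in the summary.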
{{Stub|For now, this page is an ashamed copy of [[Security_Task_Force]]. Trying to construct something according to https://mailman.archlinux.org/pipermail/arch-dev-public/2014-March/025952.html}}
{{Related articles start}}
{{Related|Security Task Force}}
{{Related articles end}}
This is a draft of the proposal to create an Arch Linux Security Team (ALST) centered around Arch Linux.
The security team should help the developers, not add more work for them. Participation in ALST should be voluntary and, with the exception of one or more TUs, left to non-developers. The Security Response Team should conform to the Arch philosophy: following the STF '''recommendations''' should be optional for all users of Arch Linux.
ALST should embody the efforts of the "security-conscious" part of the Arch user population. Server owners, maintainers of workstations in production environments, and concerned personal users would gain the benefit of relatively prompt security updates. ALST should help alleviate two important problems.
ALST will strive to monitor all packages within the following repositories:
* ''core''
* ''extra''
* ''community''
===Maintainer's reaction===
Arch Linux developers are volunteers with their own personal lives. They might not have time to promptly address updates of their packages, or they might not have heard about a recent security update. ALST members would suggest that maintainers update their packages once an important security flaw has been found.
Likewise, the ALST is a volunteer-maintained service. Volunteers are welcome to help the ALST identify packages with security vulnerabilities and notify their maintainers.
A serious security exploit has been found in software packaged within the Arch Linux official repositories. An ALST member picks up this information from a mailing list he/she follows. If upstream has released a new version that corrects the issue, the ASRT member simply flags the package out-of-date; if upstream has only released a patch, the ASRT member should file a bug report.
A good template for the bug report might be:
Title: [<pkg-name>] security patch for <CVE-id>
Quick description of the issue, or copy/paste from oss-sec or the upstream bug report.
upstream bug report [0]
patch [1]
[0] link to upstream bug report
[1] link to patch
The severity of the bug report should be set to either Critical or High, depending on how serious the issue is.
Some updates will be much more critical than others; however, updates are always recommended in the case of any vulnerability.

Latest revision as of 17:33, 16 March 2014