It is not just about picking committers with free time and better
understanding of code. The people elected should have more than
adequate knowledge of security concepts.
To conclude, all I am saying is that such a team is not necessary right
now; but... when we do plan on creating such a team, I would rather put
people with a proven track record in security-related things than just
anyone. I do not mean to offend anyone's attempt at contribution or
giving their time.
Kind regards,
Hiten Pandya
Devon H. O'Dell wrote:
> Hello all,
>
> ``Who can act as a security officer and participate in a security team
> for our project?''
>
> This is a question that I've discussed before with the members of
> #DragonFlyBSD when I joined the project. At the time, it seemed to be
> considered a bit of an unnecessary position. I think as our project
> grows, we will need to formalize this matter a bit. There are good,
> specific reasons to organize a team and a head for this matter; it makes
> inter-project communication regarding security vulnerabilities easier
> and safer.
>
> Unfortunately, obscurity is critical when a vulnerability is discovered.
> As it stands, it is difficult to find anybody to contact privately when
> such a matter is revealed. It may or may not be obvious to some who the
> head developers of the project are and it may or may not be obvious
> whether or not they have time to deal with the issue.
>
> I think formalization of this issue is in order. I certainly have time
> to work in a team and I can probably even allocate enough to act as an
> officer, but I'm not a committer and have contributed relatively little
> to the project code-wise (the lockf(2) patch being virtually everything,
> disregarding installer work and giving my 2 cents on every subject
> that's discussed on IRC), so I'm not sure that I am the most qualified
> person for either of these positions.
>
> I'm certainly up for serving as either (officer / team member) and
> failing either would certainly work to coordinate the gathering of a
> team which is qualified for such a position.
>
> I hope we can get something worked out with this.
>
> Kind regards,
>
> Devon H. O'Dell