DragonFly BSD
DragonFly kernel List (threaded) for 2004-11
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: DragonFly Security Officer and Security Team

From: Hiten Pandya <hmp@xxxxxxxxxxxxx>
Date: Thu, 18 Nov 2004 18:24:07 +0000

Simon 'corecode' Schubert wrote:
On 18.11.2004, at 18:35, Hiten Pandya wrote:

It is not just about picking committers with free time and better understanding of code. The people elected should have more than adequate knowledge of security concepts.

To conclude, all I am saying is that such a team is not necessary right now; but... when we do plan on creating such a team, I would rather put people with proven track record in security related things and just anyone. I do not mean to offend anyone's attempt at contribution or giving their time.

For sure, the people involved need to be experienced with security. But in my opinion the primary responsibility of a security officer is being responsible. The security officer is the one who is the sole contact person for third parties regarding security issues, and it is the responsibility of the security officer to be carful with this additional knowledge.

This means both not disclosing exploit information when there is a advisory release schedule, but also taking responsibility and fixing/letting fix (no need to do this himself) code and send HEADS UP when a long delay is not acceptable, etc.

I don't want to push somebody into something, but one obvious choice would be Matt... In principle it's just one entry on the web page stating: "Concerning security issues, please contact Matt Dillon <link>"


I would rather, that if we are going to go ahead with this, it be a team of contacts, and not just a direct link to Matt. I have experience with security related issues, but most of all, I can hold responsibility.

	This is not a self-nomination mail, but more to say, let it be
	a team of peoplet than just hogging it on Matt.


[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]