Re: DragonFly Security Officer and Security Team
Simon 'corecode' Schubert wrote:
> On 18.11.2004, at 18:35, Hiten Pandya wrote:
>
>> It is not just about picking committers with free time and better
>> understanding of code. The people elected should have more than
>> adequate knowledge of security concepts.
>>
>> To conclude, all I am saying is that such a team is not necessary
>> right now; but... when we do plan on creating such a team, I would
>> rather put people with proven track record in security related things
>> and just anyone. I do not mean to offend anyone's attempt at
>> contribution or giving their time.
>
>
> For sure, the people involved need to be experienced with security. But
> in my opinion the primary responsibility of a security officer is being
> responsible. The security officer is the one who is the sole contact
> person for third parties regarding security issues, and it is the
> responsibility of the security officer to be careful with this additional
> knowledge.
>
> This means both not disclosing exploit information when there is an
> advisory release schedule, but also taking responsibility and
> fixing/letting fix (no need to do this himself) code and send HEADS UP
> when a long delay is not acceptable, etc.
>
> I don't want to push somebody into something, but one obvious choice
> would be Matt... In principle it's just one entry on the web page
> stating: "Concerning security issues, please contact Matt Dillon <link>"
>
> cheers
> simon
>
I would rather that, if we are going to go ahead with this, it
be a team of contacts, and not just a direct link to Matt. I
have experience with security related issues, but most of all,
I can hold responsibility.
This is not a self-nomination mail, but more to say, let it be
a team of people than just hogging it on Matt.
-Hiten