DragonFly Security Officer and Security Team

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Thu Nov 18 10:01:59 PST 2004


On 18.11.2004, at 18:35, Hiten Pandya wrote:
It is not just about picking committers with free time and better 
understanding of code.  The people elected should have more than 
adequate knowledge of security concepts.

To conclude, all I am saying is that such a team is not necessary 
right now; but... when we do plan on creating such a team, I would 
rather put people with proven track record in security related things 
and just anyone.  I do not mean to offend anyone's attempt at 
contribution or giving their time.
For sure, the people involved need to be experienced with security. But 
in my opinion the primary responsibility of a security officer is being 
responsible. The security officer is the one who is the sole contact 
person for third parties regarding security issues, and it is the 
responsibility of the security officer to be carful with this 
additional knowledge.

This means both not disclosing exploit information when there is a 
advisory release schedule, but also taking responsibility and 
fixing/letting fix (no need to do this himself) code and send HEADS UP 
when a long delay is not acceptable, etc.

I don't want to push somebody into something, but one obvious choice 
would be Matt... In principle it's just one entry on the web page 
stating: "Concerning security issues, please contact Matt Dillon 
<link>"

cheers
  simon
--
/"\
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News
Attachment:
PGP.sig
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00007.pgp
Type: application/octet-stream
Size: 186 bytes
Desc: "Description: This is a digitally signed message part"
URL: <http://lists.dragonflybsd.org/pipermail/kernel/attachments/20041118/2c3c0c78/attachment-0020.obj>


More information about the Kernel mailing list