Dear Arch community, I thought I'd post a follow up on some of the things said in the last thread I created on this list. I'm using upper case for headings just to make things easier to read and not to shout! Please post or cc all follow ups to the Arch General list, and read this message carefully before replying. 1. DISCUSSION ABOUT SECURITY ON ARCH-GENERAL AND THE GOOGLE GROUP It's been mentioned that because my proposition for an arch-security list was rejected, I'm trying to circumvent that by posting stuff about setting up a security team to arch-general. That's not my intention. I am proposing a compromise. Internal communications on security issues will be kept to the Google Group. An irregular 'newsletter' will be posted to arch-general when major things are done to keep Arch users who are not on the Google Group informed. Also when security alerts do eventually start getting issued they *will* be posted to arch-general. I believe that all Arch users should benefit from the work that will be getting done. Doing it this way will keep email traffic on security issues on arch-general to a minimum. 2. THE RELEVANCE AND USEFULNESS OF AN ARCH SECURITY TEAM. There's been some murmurings that this undertaking is pointless. Happily this has mostly come from users and not developers. In fact it has the direct or indirect support of at least two Arch developers, Pierre Schmitz and Hugo Doria: http://www.osnews.com/story/22692/Arch_Linux_Team/page6/ This is just as much an experiment as anything else. It remains to be seen if setting up an Arch Security team is worthwhile. Evidence based on other distros seems to point to the fact that it is. If you are not convinced that's fine, but please provide constructive criticism and not mindless trolling like suggesting naming a security team after a Mexican food dish or the British English slang word for buttocks. If you don't want any part of this, other than the odd email on arch-general you won't be hindered or pestered in any way. 3. WE NEED YOUR HELP There is no Arch security team as of now. Hopefully there soon will be. If you want to help it would be helpful if you have the following skills or experience: -Ability to modify PKGBUILDs, rebuild and test packages. -Know how to patch and compile software -Are willing to subscribe to several security related mailing lists -Know basic usage of GPG in email -Are willing to hang out in the arch-security IRC channel -Are willing to file bugs in the Arch bug tracker You don't need to be security guru, just willing to help out, learn and with a desire to make our favourite Linux distro even better than it already is. If you want to help out please subscribe to the Google Group and submit a message with the subject "I want to join the team", without quotes. http://groups.google.com/group/arch-security If you don't have or don't want to create a Google account, please send me a personal email and I'll add you to the member list. 4. SCOPE OF THE SECURITY TEAM It is my intention that at this point, the security team will only deal with finding and fixing security related issues. This will entail providing interim pkgbuilds, reporting issues on the bug tracker and sending out alert notices via email. All communications to the 'outside world' (emails, wiki articles etc) from the team will state that (for now) the team's work is completely unofficial and unsupported by the Arch Developers. This is to avoid sullying the reputation of the Arch developers. 5. LONG TERM GOALS Most Arch stuff starts out as external projects than then merge with the main distro. If our work turns out to be useful, and I hope it will be, I would like us to become an official Arch Team. We could then having something like Debian does, with two mailing lists, one for security discussion and a read only list where announcements are posted. The details of this remain to be determined as this initiative is only just starting out. 6. FINAL WORDS I hope this message has made things a bit clearer for everyone. I won't start on the actual process/policy documents till after this weekend coming as I have some things to attend to before that. Of course feel free to suggest things on the Google Group, I'd like to make things as open and transparent over there as possible. If you have any questions, don't hesitate to post on the Google Group or email me personally. Thanks, Ananda Samaddar