[arch-general] Important notice on the Arch Security Team to the whole Arch Linux community.

Ananda Samaddar ananda at samaddar.co.uk
Mon Jun 21 14:28:20 EDT 2010


Dear Arch community,

I thought I'd post a follow up on some of the things said in the last
thread I created on this list.  I'm using upper case for headings just
to make things easier to read and not to shout!  Please post or cc all
follow ups to the Arch General list, and read this message carefully
before replying.

1.  DISCUSSION ABOUT SECURITY ON ARCH-GENERAL AND THE GOOGLE GROUP

It's been mentioned that because my proposition for an arch-security
list was rejected, I'm trying to circumvent that by posting stuff about
setting up a security team to arch-general.  That's not my intention.

I am proposing a compromise.  Internal communications on security
issues will be kept to the Google Group.  An irregular 'newsletter'
will be posted to arch-general when major things are done to keep Arch
users who are not on the Google Group informed.  Also when security
alerts do eventually start getting issued they *will* be posted to
arch-general.  I believe that all Arch users should benefit from the
work that will be getting done.  Doing it this way will keep email
traffic on security issues on arch-general to a minimum.

2.  THE RELEVANCE AND USEFULNESS OF AN ARCH SECURITY TEAM.

There have been some murmurings that this undertaking is pointless.
Happily this has mostly come from users and not developers. In fact it
has the direct or indirect support of at least two Arch developers,
Pierre Schmitz and Hugo Doria:

http://www.osnews.com/story/22692/Arch_Linux_Team/page6/

This is just as much an experiment as anything else.  It remains to be
seen if setting up an Arch Security team is worthwhile.  Evidence based
on other distros seems to point to the fact that it is.  If you are not
convinced that's fine, but please provide constructive criticism and
not mindless trolling like suggesting naming a security team after a
Mexican food dish or the British English slang word for buttocks.

If you don't want any part of this, other than the odd email on
arch-general you won't be hindered or pestered in any way.

3.  WE NEED YOUR HELP

There is no Arch security team as of now.  Hopefully there soon will
be.  If you want to help it would be helpful if you have the following
skills or experience:

-Ability to modify PKGBUILDs, rebuild and test packages.
-Know how to patch and compile software
-Are willing to subscribe to several security related mailing lists
-Know basic usage of GPG in email
-Are willing to hang out in the arch-security IRC channel
-Are willing to file bugs in the Arch bug tracker

You don't need to be a security guru, just willing to help out, learn and
with a desire to make our favourite Linux distro even better than it
already is.

If you want to help out please subscribe to the Google Group and
submit a message with the subject "I want to join the team", without
quotes.

http://groups.google.com/group/arch-security

If you don't have or don't want to create a Google account, please send
me a personal email and I'll add you to the member list.

4.  SCOPE OF THE SECURITY TEAM

It is my intention that at this point, the security team will only deal
with finding and fixing security related issues.  This will entail
providing interim pkgbuilds, reporting issues on the bug tracker and
sending out alert notices via email.

All communications to the 'outside world' (emails, wiki articles etc)
from the team will state that (for now) the team's work is completely
unofficial and unsupported by the Arch Developers.  This is to avoid
sullying the reputation of the Arch developers.

5.  LONG TERM GOALS

Most Arch stuff starts out as external projects that then merge with
the main distro.  If our work turns out to be useful, and I hope it
will be, I would like us to become an official Arch Team.  We could
then have something like Debian does, with two mailing lists, one for
security discussion and a read only list where announcements are
posted. The details of this remain to be determined as this initiative
is only just starting out.

6.  FINAL WORDS

I hope this message has made things a bit clearer for everyone.  I
won't start on the actual process/policy documents till after this
weekend coming as I have some things to attend to before that.  Of
course feel free to suggest things on the Google Group, I'd like to
make things as open and transparent over there as possible.

If you have any questions, don't hesitate to post on the Google Group
or email me personally.

Thanks,

Ananda Samaddar
