Re: DragonFly Security Officer and Security Team

[Hiten Pandya <hmp@xxxxxxxxxxxxx>]

Simon 'corecode' Schubert wrote:
> On 18.11.2004, at 18:35, Hiten Pandya wrote:
>
> > It is not just about picking committers with free time and better 
> > understanding of code.  The people elected should have more than 
> > adequate knowledge of security concepts.
> >
> > To conclude, all I am saying is that such a team is not necessary 
> > right now; but... when we do plan on creating such a team, I would 
> > rather put people with proven track record in security related things 
> > and just anyone.  I do not mean to offend anyone's attempt at 
> > contribution or giving their time.
>
>
> For sure, the people involved need to be experienced with security. But 
> in my opinion the primary responsibility of a security officer is being 
> responsible. The security officer is the one who is the sole contact 
> person for third parties regarding security issues, and it is the 
> responsibility of the security officer to be carful with this additional 
> knowledge.
>
> This means both not disclosing exploit information when there is a 
> advisory release schedule, but also taking responsibility and 
> fixing/letting fix (no need to do this himself) code and send HEADS UP 
> when a long delay is not acceptable, etc.
>
> I don't want to push somebody into something, but one obvious choice 
> would be Matt... In principle it's just one entry on the web page 
> stating: "Concerning security issues, please contact Matt Dillon <link>"
>
> cheers
>   simon

	I would rather, that if we are going to go ahead with this, it
	be a team of contacts, and not just a direct link to Matt.  I
	have experience with security related issues, but most of all,
	I can hold responsibility.

	This is not a self-nomination mail, but more to say, let it be
	a team of peoplet than just hogging it on Matt.

		-Hiten