
[oniro-dev] Security tooling meeting minutes June 29th, 2022

Hello all,
Sending my notes from a security tooling meeting to a wider audience.

Present: Agustín Benito Bethencourt, Mikael Barbero, Sebastien Heurtematte, Marta Rybczynska

Short term (needed before Oniro Goofy release end of 2022):
* Security bugtracker
Oniro needs a confidential bugtracker with a limited audience. We might have embargoed issues that are on a need-to-know basis until the embargo ends. These might be highly sensitive and affect devices in the field.
Currently, GitLab confidential issues are visible to everyone with Reporter rights and above, so in practice to everyone. For this reason we can't use the regular Oniro project issues for this bugtracker. A solution is to create a separate project with a committer list including only the security team.

Next steps (Agustin, could you confirm please?) - Marta to write a proposal (a project proposal?)

* Private forks
Working on security issues might require private forks to share code between developers working on the issue, to ask a domain expert for advice, etc. Commit messages might include sensitive information here; they will be cleaned up before submitting the final public patch. This development also happens during the embargo period (see above).
The goal is to always release the patch, but the intermediate state might be sensitive (in timing and code).

Next steps: an IT ticket?

* CNA for code written in the scope of the Oniro project
OK, Eclipse is a CNA.

Next steps: Mikael to provide information on how to submit such request. Marta to update the Oniro Security Policy.
Done: Documented in the handbook https://www.eclipse.org/projects/handbook/#vulnerability-cve

Medium term:
* Pipelines for the private forks
Could not use the generic pipeline, as the results are public and developers might need to test patches on all boards supported by Oniro. Will probably require separate resources.

* Oniro inclusion on the distro-security mailing list
A specific mailing list (handled outside of EF) is used to handle synchronization between Linux distributions when releasing embargoed patches. Being on that list makes Oniro receive the latest information. To be included, Oniro needs (among other things) to have an exemplary security record for at least 1 year. Having an Eclipse project on the list might also indirectly help other Eclipse projects (more people to work on security fixes for those projects, prevention, etc.). We could also try to use Eclipse's general security record as an argument for Oniro's inclusion.

Regards,
Marta
