GLEP [insert number]: Security Project's purpose and abilities

Abstract

This GLEP outlines the purpose, responsibilities and abilities of the Gentoo Security Project.

Motivation

This glep aims to document the processes of the Security Project and enpowering the project to operate on a wide scale across the Gentoo tree, within the structure provided by this GLEP.

Specification

The Security Project's purpose is to ensure users are provided with applications that to the best of the knowledge of the Gentoo Developers are free of vulnerabilities. In order to achive this purpose, the Security Project require certain abilities and responsibilities as outlined in this GLEP in order to ensure the best interests of all users.

Project Lead

• The Security Project is required to have a Project Lead
• The Project Lead is chosen at least yearly by private or public election among the members of the Project.
• The Project Lead is required to be confirmed by the Council. The Project Lead's term expires one year after confirmation, and during any period that the position is vacant the council may appoint an interim lead.
• The Project Lead can choose one member as a Deputy. The Deputy has all of its powers directly delegated from the Project Lead and thus the Deputy's actions and decisions should be considered equal to those of the Project Lead.
• The Deputy is directly responsible to the Project Lead and its actions reflects upon the Project Lead.

Joining the Project

• All members wanting to join the Project needs to be approved by the Project Lead (or if a Deputy is appointed; the Deputy).
• The applicant must demonstrate a thorough understanding of the duties he or she would like to perform.
• The applicant must have successfully completed the Gentoo Developer quiz.
• By accepting the applicant the Project Lead will accept the responsibility to direct them as part of the team and will be held responsible for any action the Project Member takes on behalf of the Security Project.

Security package version/revision bumps and package masks

• The Security Project does not want to override the maintainer's autonomy, but if inactive might be required to fix a security vulnerability by means of version bump or application of a patch in a revision bump.
• If a vulnerability is unlikely to be fixed by upstream it might require a package mask. Such mask should never break the stable dependency tree.
• These actions, performed on behalf of the Security Project, should only be used if the Project finds it is in the best interest of users and fellow developers to have the issue addressed as soon as possible. Such action needs to be approved by the Project Lead (or if a Debuty is appointed; the Deputy)

Miscellaneous

• The Security Project is excempt from the guideline of waiting 30 days for stabilization of a new package version.
• Bugs in the Gentoo Security category shall not be closed without the consent of a Gentoo Security Member.

Subscription to security lists and acting on behalf of Gentoo

Auditing and public reporting of issues in the name of Gentoo

Upstream reporting of expected security bugs should only be done using the @gentoo.org email addresse if done by a member of the Security Auditing Project or the issue has been privately reported and accepted as a security vulnerability in accordance with the procedures set forth by the Security Project (at the time of writing found in [GLSACG, section 2.4 Auditing].

Embargoed lists

Security Project Members should always keep information learned through access to embargoed lists confidential. Access to other Gentoo Developers should only be granted on a need to know basis, and Gentoo Developers gaining access to such embargoed lists are required to keep the information confidential.

Requests to gain access to embargoed lists in the name of Gentoo should only be done with the approval of the Security Project Lead (or if a Deputy is appointed; the Deputy). The Project Lead is responsible for maintaining a list of who has access to various embargoed lists and ensure proper updates in access in accordance with developments of the Security Project both in terms of active participation to ensure that the Security Project can act on the information provided on these lists in a responsible manner and ensuring a member no longer active in the Security Project has access in the name of Gentoo.

CVE Numbering Authority (CNA) status

The Security Project shall maintain tools and processes in a manner that is compatible with becomming a CVE Numbering Authority[CNA]

Documentation of process

The Project shall have procedures in place to document its process and regularly update the documentation.

References

[GLSACG] https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide

[VULNTP] https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

[CNA] https://cve.mitre.org/cve/cna.html

Backwards Compatibility

Not applicable for this GLEP.

Copyright

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/