The deluge of software vulnerabilities creates challenges for system administrators, developers, and users. Although many vulnerabilities are corner cases that are difficult to exploit and have limited impact, the occasional vulnerability becomes front-page news. Many people have heard of Heartbleed, Shellshock, and VENOM, but many other lesser-known vulnerabilities appear every day.
Members of the Fedora Security Team take on these challenging vulnerabilities in Fedora packages and find ways to eliminate them. We’re looking for more Fedora contributors who want to contribute to this mission.
Here are three ways that you can get involved:
Wrangle a bug
The Red Hat Bugzilla has plenty of security-related tickets open for various packages. As of September 10, 2015, there were 601 open bugs for various packages. Many of these vulnerabilities are medium to low severity and they are often easy to patch.
If you’d like to join the effort, take a look at the security bug workflow and look for bugs in software packages that you use regularly. After you tag the ticket with your Fedora username, try to figure out if the bug is still valid for the package. If it is, you can reach out to the maintainer to remind them about the bug or suggest a possible patch. For those of you who package software for Fedora already, you can offer to co-maintain the package if the maintainer doesn’t have time to fix it.
Updating packages to fix security bugs can be challenging, especially if the bug still exists upstream. Fortunately, the Fedora Security Team has members with a wide array of skillsets and you may find someone who can help you get a patch submitted upstream.
There are plenty of ways to talk with the team and we’d love to hear from you! We meet regularly in IRC (currently on Thursdays at 14:00 UTC) and our members hang out in #fedora-security-team on Freenode. Feel free to come by, introduce yourself, and share your interests in Fedora.
We also have a mailing list where we discuss specific bugs or more general issues affecting Fedora as a whole. Send an email to email@example.com to get a conversation started. (If you know about a critical security issue, please email firstname.lastname@example.org directly to ensure someone gets notified immediately.)
Our membership is totally informal; there’s no need to have a deep background in computer science or information security. The most important thing is that you care about making Fedora better, especially within the realm of information security.
Think globally, act locally
One of the more nebulous roles of the Fedora Security Team is to find ways to increase awareness of security throughout the Fedora community. No matter where you contribute, keep security in mind. If you’re building a package, writing documentation, or making a design decision, try to think about the security impact of that change.
If you’re ever unsure about the potential effects of a change, reach out to our team! We’re glad to review it during our weekly meetings or on the mailing list.
Photo credit: By Wm. Notman and Son [Public domain], via Wikimedia Commons