Bugsquad membership

C de-Avillez hggdh2 at ubuntu.com
Wed Feb 17 20:06:23 UTC 2016


On Sat, 13 Feb 2016 05:21:02 +0000
halfdog <me at halfdog.net> wrote:

> 
> Hello List,
> 
> As fixing of security bugs might be quite laborious thus inducing
> delays, bugs believed to be minor security issues might backfire later
> on, e.g. like with [0] resulting in [1] later on. As the whole process
> of detection of security bugs to fixing often takes month, sometimes
> even years, I would like to join bugsquad to coordinate and create
> fixes for at least some of the bugs I reported, e.g. [2]. Bugsquad
> membership should make it easier then to have a clean bug state after
> triage to start with [3], thus for the Ubuntu Security team just to
> review the updated package diffs and take over the package.

Membership in the BugSquad team is open to all, with the following
caveats:

* you must have a Launchpad account;
* you must sign the Code of Conduct [1] (link to signing in you LP home
  page);
* you *should* subscribe to the BugSquad mailing list [2];
* you yourself should then apply for membership in the BugSquad [3]

> As I do not have deep insights into the bugsquad team management daily
> operations, does this make sense or is this contribution too minor to
> accept the membership-associated overhead for bugsquad management?

As related to security bugs, there is not much done by the BugSquad
team itself. Security bugs are dealt with by the Ubuntu Security team
[4]. Security bugs can still be reported on LP, but set as either
public or private security bugs (see a reported bug, near the top
right corner: "this report contains ... information."). These bugs are
reviewed by the Security team.

Security issues can also be directly passed to the Security team via
email to security at ubuntu.com. This email can be GPG-encrypted to
individual members of the team; their public keys are available [5].

Additional contact may be pursued via IRC (freenode.net, channel
#ubuntu-hardened).

> If membership has a net gain, could someone please subscribe me to the
> team?

As I pointed out above, you yourself must subscribe to the team, if you
want.

> 
> If you wonder why e.g. [0], [1] were reported to Ubuntu via e-mail
> but not via Launchpad: As it would be the most natural thing for e.g.
> NSA, China, ... (those with capabilities to monitor large amounts of
> network traffic) to just record all mails from large-scale Linux
> distribution issue tracking systems containing the keyword "security",
> and as this is a very cheap way to get to near-zero-day material, I
> would assume that this is already done. Hence really critical
> security material perhaps should not go to Launchpad, or Launchpad
> could be modified to send security issues only in encrypted mails
> without a talkative title; members without a key should get only the
> message "Bug [Number]: Info changed" including the HTTPS link to the issue.
> 
> Kind regards,
> hd

Cheers,

..C..

[1] http://www.ubuntu.com/about/about-ubuntu/conduct
[2] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugsquad
[3] https://launchpad.net/~bugsquad
[4] https://wiki.ubuntu.com/SecurityTeam
[5] https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact