2024-05-16 Meeting notes
Start: 18:00 (UTC+1)
Attendees:
- c8h4 (Christoph)
- CodingPuffin
- dfh (Olly)
- Skyler
Checkin
- How are you?
- What’s alive in you?
Agenda
- Now that we are a committee, what does that mean to us for the future?
  - What does it mean to be a committee, what are long-running processes for this committee?
  - [CodingPuffin] System hardening + sandboxing + authorization/permission management for software
  - [dfh] (Automated) vuln tracking + auditing (GLSA-like), operational support for the whole org (possible SIGs: core, infra)
  - [skyler] 2 dimensions: the distro we are producing and the organization we are running; COMSEC is supposed to be the leader on security questions
  - [dfh] Offer members serving as permanent liaisons between COMSEC and SIGs/COMs/WGs
- Security “Roadmap”, tracking ideas and tasks - where/how?
  - [skyler] Forgejo implementation ongoing, talks with Codeberg and plane.so. Results should come in the next few weeks
  - [dfh] Disroot.org is doing something similar
  - [dfh] Issue/project tracking?
  - [skyler] Ongoing talks with Plane, but currently rather stalled
  - [dfh] Codeberg/Forgejo has similar features as GitHub
  - {D} We’ll wait out the Codeberg + Plane conversation
- Internal/non-public communication channels will be needed too, for potentially sensitive matters
  - Establishing a “trusted” COMSEC core, handling sensitive matters
  - [dfh] @skyler Will there be an email server?
  - {D} Skyler + dfh to look into it
  - [dfh] Will there be @auxolotl.org email addys for security team members? Bare minimum: security@auxolotl.org
  - {D} PGP signing to organize, possibly digitally
  - [skyler] PGP crypted with multiple keys might get messy with email
  - [dfh] How can we use multiple security keys per person well?
- Security contact possibilities, e.g. security.txt, email, etc.
  - [codingpuffin] Let’s deploy ‘security.txt’ first, once an email address is available
  - [dfh] Have a section on the website/wiki with the details
  - [codingpuffin] Add a ‘Teams’ page to the COMSEC wiki.
    - Arch Wiki has some good structure: “Arch Security Team - ArchWiki”
    - Debian has a team page too: “Teams/Security - Debian Wiki”
- Custom infra/tooling for COMSEC - as COMSEC works differently than most other COMs/SIGs, this will definitely be needed at some point
  - [dfh] COMSEC might need completely private spaces for communication, e.g. for incident handling (internal & external)
  - [c8h4] e.g. mailing-lists:distros [OSS-Security] as reference
  - [dfh] Requirements: private note-taking, video conferencing, email with proper RBAC (role-based access control)
  - [dfh] @skyler: Will take the need for private coordination spaces to COMSteer
Decisions
- Aim for 1.5h meeting length at max