From Fedora Project Wiki
Fedora Project Board Meeting :: Tuesday 2008-08-26
- Attendees: John Poelstra, Paul Frields, Jesse Keating, Matt Domsch, Jef Spaleta, Bill Nottingham, Chris Tyler, Karsten Wade, Spot Callaway, Seth Vidal
- Regrets: Harald Hoyer
Discussion About Incident Handling
- Could other groups have been brought into knowledge of the incident earlier?
- Could the Fedora Board have been notified or kept in the loop better?
- Would probably require signed NDAs which most are not in favor of
- Event was complicated by co-announcement made by Red Hat
- Ongoing tension between Fedora being able to act independently and Red Hat being liable for Fedora's actions
- Could Community Architecture Group be involved earlier to help facilitate communication?
- Don't want to get into a situation where every Fedora decision or announcement has to be vetted through Red Hat executive levels
- Create a predefined flow-chart or decision tree that explains steps that we will take in similar situations
- one potential flow through could be Red Hat Legal
- get advanced agreement from all parties involved
- include time limits where appropriate to speed up the response time and make the decision work flow more efficient.
- standardize types of messages that should be published and how often
- one path might be the necessity of shutting down the entire infrastructure--would need to enable the ability to efficiently do that if not already present
- Cross-link to established industry security standards
- one condition of agreeing to process flow is that actions could be initiated without requiring constant sign-off which is the intention behind advanced agreement
- FESCo to discuss proposal from release engineering about updating package signing keys on Wednesday (2008-08-27) at 18:00 UTC: http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001614.html
- board members should be aware of and attend as appropriate
- No board meeting on September 2, 2008--follows holiday weekend and some people are away
- Move IRC and Board Q&A meeting to September 9, 2008
- Next regular board meeting September 16, 2008