path: root/xml/htdocs/security/en/padawans.xml

<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/security/en/padawans.xml">
<title>Security Padawans process and status</title>
<author title="Author">
  <mail link="koon@gentoo.org">Thierry Carrez</mail>
</author>
<author title="Author">
  <mail link="dercorny@gentoo.org">Stefan Cornelius</mail>
</author>
<author title="Author">
  <mail link="falco@gentoo.org">Raphael Marichez</mail>
</author>
<author title="Author">
  <mail link="rbu@gentoo.org">Robert Buchholz</mail>
</author>

<abstract>
This document contains procedures applying to the security team
recruitment process and current recruit status.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
<license/>

<version>0.3.8</version>
<date>2009-04-14</date>

<chapter>
<title>Security recruits</title>
<section>
<title>Padawans</title>
<body>

<p>
The recruitment process for security developers is somewhat different from
the mainstream recruitment process. Knowledge of Gentoo specifics is not
as important as it is for other developers, since they don't need to have commit
rights to the Portage tree. On the other hand, they must have a good
security background, good knowledge of written English and must progressively
be given more responsibility.</p>
<p>
The whole recruitment process should take between 2 and 3 months, depending on
your personal skills and the amount of time you can invest. While we are
talking about time: most of the tasks you need to do will take less then 10 minutes,
but you should be able to react on problems with a low latency. Thus, constant
dedication is more important than endless hours of spare time.

Security recruits in training will be called <b>padawans</b> throughout
this document.
</p>

</body>
</section>
<section>
<title>Current padawans status</title>
<body>

<table>
<tr>
<th>Padawan name</th>
<th>Username</th>
<th>Rank</th>
<th>Mentor</th>
</tr>
<!-- inactive (vorlon 2008-07-04)
<tr>
<ti>NeilK</ti>
<ti>mu-b</ti>
<ti>Scout</ti>
</tr>
-->
<tr>
<ti>Tomás Touceda</ti>
<ti>chiiph</ti>
<ti>Apprentice</ti>
<ti>keytoaster</ti>
</tr>

<tr>
<ti>Tony Vroon</ti>
<ti>Chainsaw</ti>
<ti>Apprentice</ti>
<ti>a3li</ti>
</tr>
<!-- inactive, rbu 2009-04-14<tr>
<ti>Emanuele Gentili</ti>
<ti>emgent</ti>
<ti>Scout</ti>
<ti>none yet</ti>
</tr>-->
<!-- inactive, a3li 2009-11-06 <tr>
<ti>Lars Hartmann</ti>
<ti>psychoschlumpf</ti>
<ti>Apprentice</ti>
<ti>none yet</ti>
</tr>-->
<tr>
<ti>Matti Bickel</ti>
<ti>mabi</ti>
<ti>Apprentice</ti>
<ti>none yet</ti>
</tr>
<!-- inactive (vorlon 2008-07-04)
<tr>
<ti>Jule Slootbeek</ti>
<ti>dizzutch</ti>
<ti>Apprentice</ti>
</tr>
-->
<!-- inactive (vorlon 2008-07-04)
<tr>
<ti>Adir Abraham</ti>
<ti>adir</ti>
<ti>Apprentice</ti>
</tr>
-->
</table>

<note>
Developers and senior developers appear on the
<uri link="/proj/en/security/index.xml">Security project page</uri>.
</note>

</body>
</section>
</chapter>

<chapter>
<title>Recruitment steps</title>
<section>
<body>

<p>
To become a padawan, you'll have to submit an application with your
background and qualifications to 
<mail link="security@gentoo.org">security@gentoo.org</mail>.
You'll have to join us on IRC on the #gentoo-security channel to
get a feel of how we work.
You can read the 
<uri link="/security/en/coordinator_guide.xml">GLSA Coordinator Guide</uri>
and if you're still interested in the job, you can start as a Scout.</p>

</body>
</section>
<section>
<title>Scout</title>
<body>

<p>
First step in joining the team is to be a scout. You will have to
follow major security lists and websites (your choice) and submit bugs
for things that are not yet in the
<uri link="https://bugs.gentoo.org/buglist.cgi?query_format=advanced&amp;short_desc_type=allwordssubstr&amp;short_desc=&amp;product=Gentoo+Security&amp;long_desc_type=allwordssubstr&amp;long_desc=&amp;bug_file_loc_type=allwordssubstr&amp;bug_file_loc=&amp;status_whiteboard_type=allwordssubstr&amp;status_whiteboard=&amp;keywords_type=allwords&amp;keywords=&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailtype1=substring&amp;email1=&amp;emailassigned_to2=1&amp;emailreporter2=1&amp;emailcc2=1&amp;emailtype2=substring&amp;email2=&amp;bugidtype=include&amp;bug_id=&amp;votes=&amp;chfieldfrom=&amp;chfieldto=Now&amp;chfieldvalue=&amp;cmdtype=doit&amp;order=Reuse+same+sort+as+last+time&amp;field0-0-0=noop&amp;type0-0-0=noop&amp;value0-0-0=">current Security bugs</uri>.
Search for duplicates in resolved bugs before submitting! We will assign
a senior developer as 'Mentor' to you. He will show you around and answer
all your questions (but don't hesitate to contact any other senior
developer for help). It's also wise to add security@gentoo.org to your
list of watched users. To do this, open the preferences of your bugzilla account,
go to "Email Preferences" and add security@gentoo.org into the editbox at the
bottom. Now you will automatically receive every bugmail of security@gentoo.org,
except for the restricted ones. This will help you to stay up to date.</p>
<p>If you managed to file a new security bug, you are also welcome to try
to resolve it (meaning, CCing the maintainer, setting and updating the status
whiteboard and all the other things as described in the GLSA coordinator guide).
Unfortunately, this only works for bugs you filed. You will be allowed to edit and move
other bugs around when you are developer on probation.</p>
<p>Finding security bugs can be very difficult and boring, but try to go through the
slave labor. There are several ways to make your life easier. Some primary channels have
a rather low signal-to-noise ratio like Full-Disclosure, but there are also
other <uri link="http://oss-security.openwall.org/wiki/mailing-lists">mailing
lists</uri> like oss-security that are more focussed for distribution vendors.
You might also be interested in secondary channels, for instance, <uri
link="https://secunia.com/advisories/">Secunia Advisories</uri> can be
subscribed to via a mailing list, or <uri
link="http://www.securityfocus.com/bid">BugTraq BIDs</uri> and <uri
link="http://cve.mitre.org/">CVE identifiers</uri> can be followed via
RSS feeds. You can find tools to easily handle newly assigned CVE identifiers, and
perform other routine tasks in the <uri
link="http://overlays.gentoo.org/proj/security/timeline">Security SVN</uri>.
Please consult the README provided there.</p>
<p>Furthermore, you can also try to find other tasks that interest you, for example trying
to get in touch with developers that are late with ebuilding and/or stabling or verify
a vulnerability where it's not sure whether or not Gentoo is affected. You could also try
to ask your mentor for a task.</p>
<ul>
<li>You will need: A 
<uri link="https://bugs.gentoo.org/createaccount.cgi">Gentoo bugzilla
account</uri></li>
<li>We will provide you: Nothing</li>
<li>Estimated time until promotion: between 2 weeks and a month, but depends on your
personal effort and skills.</li>
</ul>
<note>
Do you know how to look up a bug by CVE identifier in the Bug trackers of the
other distributions? If not, try to find it out or ask your mentor.
</note>

</body>
</section>
<section>
<title>Apprentice</title>
<body>

<p>
If you do a good job as a scout, you'll be invited to be an apprentice. We will add you
to a secret tool called the 'GLSAMaker' and you will be asked to draft, comment and 
review security advisories. You are also responsible to fix advisories you drafted as
fast as possible. Besides that, you should try to continue your scouting work. Drafting
GLSAs is usually much more relaxed than hunting bugs, so you will hopefully start to enjoy
your work at this point.
</p>

<ul>
<li>You will need: To learn the
  <uri link="/security/en/vulnerability-policy.xml">Security Policy</uri>
  and the
  <uri link="/security/en/coordinator_guide.xml">GLSA Coordinator Guide</uri>
  by heart</li>
<li>We will provide you: A GLSAMaker account</li>
<li>Estimated time until promotion: until we are confident that you are able to
draft quality advisories. That should take roughly a month if you are good.</li>
</ul>
<note>
Have you read more than one page on the <uri
link="http://oss-security.openwall.org/wiki/">oss-security wiki</uri> yet?
</note>

</body>
</section>
<section>
<title>Developer (on probation)</title>
<body>

<p>
Remarkable GLSAs and dedication will bring you to the next step. We will open
a recruitment bug for you and you will get the magic powers to edit and move bugs
around that weren't filed by you. A 30 day trial period will start and you will
have to answer the staffer-quiz correctly in order to become a full developer.
During the probation period, you should get used to your new responsibilities, while 
demonstrating that you are ready to handle them.
</p>

<ul>
<li>You will need: to provide everything required to be a Gentoo
    developer</li>
<li>We will provide you: A Gentoo developer account, security@gentoo.org
    membership and improved Bugzilla rights</li>
<li>Estimated time until promotion: 30 days.</li>
</ul>

</body>
</section>
<section>
<title>Developer</title>
<body>

<p>
At the end of your probation period, you'll be made a full GLSA Coordinator
and you will be able to commit and send your own GLSAs. Glory and bounces
will come to you.
</p>

<ul>
<li>You will need: Tears and sweat</li>
<li>We will provide you: GLSA commit rights, gentoo-announce
    posting rights, www_glsamaker group membership, padawan approval
    power</li>
</ul>

</body>
</section>
<section>
<title>Senior Security Developer</title>
<body>

<p>
To reach the holy grail of the padawans path and have almost infinite powers,
you'll have to pass through classic developer quizzes to gain portage CVS
commit rights. You'll have to prove you don't have a life outside
#gentoo-security. Then you will be granted masking powers.
</p>

<ul>
<li>You will need: Successful Gentoo developer quizzes</li>
<li>We will provide you: Portage commit rights for package masking</li>
</ul>

</body>
</section>
</chapter>
</guide>