Security Padawans process and status
The recruitment process for security developers is somewhat different from
the mainstream recruitment process. Knowledge of Gentoo specifics is not
as important as it is for other developers, since they don't need to have commit
rights to the Portage tree. On the other hand, they must have a good
security background, good knowledge of written English and must progressively
be given more responsibility.
The whole recruitment process should take between 2 and 3 months, depending on
your personal skills and the amount of time you can invest. While we are
talking about time: most of the tasks you need to do will take less then 10 minutes,
but you should be able to react on problems with a low latency. Thus, constant
dedication is more important than endless hours of spare time.
Security recruits in training will be called padawans throughout
Developers, senior developers and current padawans appear on the
Security project page.
To become a padawan, you'll have to submit an informal application to
firstname.lastname@example.org. A simple mail telling
us a bit about yourself (things like where you're from, hobbies, job, previous
experience in open-source projects and security) is sufficient.
You should join us on IRC on the #gentoo-security channel to
get a feel of how we work.
You can read the
GLSA Coordinator Guide
and if you're still interested in the job, you can start as a Scout:
First step in joining the team is to be a scout. You will have to
follow major security lists and websites (your choice) and submit bugs
for things that are not yet in the
current Security bugs.
Search for duplicates in existing bugs before submitting! You are encouraged
to ask questions in the #gentoo-security IRC channel. Existing team members may
also email you directly or comment on the bugs you open with suggestions.
It's also wise to add email@example.com to your
list of watched users. To do this, open the preferences of your bugzilla account,
go to "Email Preferences" and add firstname.lastname@example.org into the editbox at the
bottom. Now you will automatically receive every bugmail of email@example.com,
except for the restricted ones. This will help you to stay up to date.
If you managed to file a new security bug, you are also welcome to try
to resolve it (meaning, CCing the maintainer, setting and updating the status
whiteboard and all the other things as described in the GLSA coordinator guide).
Unfortunately, this only works for bugs you filed. You will be allowed to edit and move
other bugs around when you are developer on probation.
Finding security bugs can be very difficult and boring, but try to go through the
slave labor. There are several ways to make your life easier. Some primary channels have
a rather low signal-to-noise ratio like Full-Disclosure, but there are also
lists like oss-security that are more focussed for distribution vendors.
You might also be interested in secondary channels, for instance, Secunia Advisories can be
subscribed to via a mailing list, or BugTraq BIDs and CVE identifiers can be followed via
RSS feeds. You can find tools to easily handle newly assigned CVE identifiers, and
perform other routine tasks in the Security SVN.
Please consult the README provided there.
Furthermore, you can also try to find other tasks that interest you, for example trying
to get in touch with developers that are late with ebuilding and/or stabling or verify
a vulnerability where it's not sure whether or not Gentoo is affected. You could also try
asking in IRC or emailing firstname.lastname@example.org for a task.
- You will need: A
- We will provide you: Nothing
- Estimated time until promotion: between 2 weeks and a month, but depends on your
personal effort and skills.
Do you know how to look up a bug by CVE identifier in the Bug trackers of the
other distributions? If not, try to find it out or ask us in IRC.
If you do a good job as a scout, you'll be invited to be an apprentice. We will add you
to a secret tool called the 'GLSAMaker' and you will be asked to draft, comment and
review security advisories. You are also responsible to fix advisories you drafted as
fast as possible. Besides that, you should try to continue your scouting work. Drafting
GLSAs is usually much more relaxed than hunting bugs, so you will hopefully start to enjoy
your work at this point.
- You will need: To learn the
GLSA Coordinator Guide
- We will provide you: A GLSAMaker account
- Estimated time until promotion: until we are confident that you are able to
draft quality advisories. That should take roughly a month if you are good.
Have you read more than one page on the oss-security wiki yet?
Developer (on probation)
Remarkable GLSAs and dedication will bring you to the next step. We will open
a recruitment bug for you and you will get the magic powers to edit and move bugs
around that weren't filed by you. A 30 day trial period will start and you will
have to answer the staffer-quiz correctly in order to become a full developer.
During the probation period, you should get used to your new responsibilities, while
demonstrating that you are ready to handle them.
- You will need: to provide everything required to be a Gentoo
- We will provide you: A Gentoo developer account, email@example.com
membership and improved Bugzilla rights
- Estimated time until promotion: 30 days.
At the end of your probation period, you'll be made a full GLSA Coordinator
and you will be able to commit and send your own GLSAs. Glory and bounces
will come to you.
- You will need: Tears and sweat
- We will provide you: GLSA commit rights, gentoo-announce
posting rights and padawan approval power
Senior Security Developer
To reach the holy grail of the padawans path and have almost infinite powers,
you'll have to pass through classic developer quizzes to gain portage CVS
commit rights. You'll have to prove you don't have a life outside
#gentoo-security. Then you will be granted masking powers.
- You will need: Successful Gentoo developer quizzes
- We will provide you: Portage commit rights for package masking
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.