Security Padawans process and status

1. Security recruits

The recruitment process for security developers is somewhat different from the mainstream recruitment process. Knowledge of Gentoo specifics is not as important as it is for other developers, since they won't have commit rights to the Portage tree. On the other hand, they must have a good security background, good knowledge of written English and must progressively be given more responsibility.

The whole recruitment process should take between 2 and 3 months, depending on your personal skills and the amount of time you can invest. While we are talking about time: most of the tasks you need to do will take less then 10 minutes, but you should be able to react on problems with a low latency. Thus, constant dedication is more important than endless hours of spare time. Security recruits in training will be called padawans throughout this document.

Current padawans status

Padawan name	Username	Rank
NeilK	mu-b	Scout
Emanuele Gentili	bathym	Scout
Matt Fleming	mjf	Apprentice
Lars Hartmann	psychoschlumpf	Apprentice
Shyam Mani	fox2mike	Apprentice
Jule Slootbeek	dizzutch	Apprentice
Daniel Black	dragonheart	Apprentice
Adir Abraham	adir	Apprentice

Note: Developers and senior developers appear on the Security project page.

2. Recruitment steps

To become a padawan, you'll have to submit an application with your background and qualifications to security@gentoo.org. You'll have to join us on IRC on the #gentoo-security channel to get a feel of how we work. You can read the GLSA Coordinator Guide and if you're still interested in the job, you can start as a Scout.

Scout

First step in joining the team is to be a scout. You will have to follow major security lists and websites (your choice) and submit bugs for things that are not yet in the current Security bugs. Search for duplicates in resolved bugs before submitting! We will assign a senior developer as 'Mentor' to you. He will show you around and answer all your questions (but don't hesitate to contact any other senior developer for help). It's also wise to add security@gentoo.org to your list of watched users. To do this, open the preferences of your bugzilla account, go to "Email Preferences" and add security@gentoo.org into the editbox at the bottom. Now you will automatically receive every bugmail of security@gentoo.org, except for the restricted ones. This will help you to stay up to date.

If you managed to file a new security bug, you are also welcome to try to resolve it (meaning, CCing the maintainer, setting and updating the status whiteboard and all the other things as described in the GLSA coordinator guide). Unfortunately, this only works for bugs you filed. You will be allowed to edit and move other bugs around when you are developer on probation.

Finding security bugs can be very difficult and boring, but try to go through the slave labor. You can also try to find other tasks that interest you, for example trying to get in touch with developers that are late with ebuilding and/or stabling or verify a vulnerability where it's not sure whether or not Gentoo is affected. You could also try to ask your mentor for a task.

You will need: A Gentoo bugzilla account
We will provide you: Nothing
Estimated time until promotion: between 2 weeks and a month, but depends on your personal effort and skills.

Apprentice

If you do a good job as a scout, you'll be invited to be an apprentice. We will add you to a secret tool called the 'GLSAMaker' and you will be asked to draft, comment and review security advisories. You are also responsible to fix advisories you drafted as fast as possible. Besides that, you should try to continue your scouting work. Drafting GLSAs is usually much more relaxed than hunting bugs, so you will hopefully start to enjoy your work at this point.

You will need: To learn the Security Policy and the GLSA Coordinator Guide by heart
We will provide you: A GLSAMaker account
Estimated time until promotion: until we are confident that you are able to draft quality advisories. That should take roughly a month if you are good.

Developer (on probation)

Remarkable GLSAs and dedication will bring you to the next step. We will open a recruitment bug for you and you will get the magic powers to edit and move bugs around that weren't filed by you. A 30 day trial period will start and you will have to answer the staffer-quiz correctly in order to become a full developer. During the probation period, you should get used to your new responsibilities, while demonstrating that you are ready to handle them.

You will need: to provide everything required to be a Gentoo developer
We will provide you: A Gentoo developer account, security@gentoo.org membership and improved Bugzilla rights
Estimated time until promotion: 30 days.

Developer

At the end of your probation period, you'll be made a full GLSA Coordinator and you will be able to commit and send your own GLSAs. Glory and bounces will come to you.

You will need: Tears and sweat
We will provide you: GLSA commit rights, gentoo-announce posting rights, www_glsamaker group membership, padawan approval power

Senior Security Developer

To reach the holy grail of the padawans path and have almost infinite powers, you'll have to pass through classic developer quizzes to gain portage CVS commit rights. You'll have to prove you don't have a life outside #gentoo-security. Then you will be granted masking powers.

You will need: Successful Gentoo developer quizzes
We will provide you: Portage commit rights for package masking

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.