Security Padawans process and status

Thierry Carrez  Author
Stefan Cornelius  Author
Raphael Marichez  Author
Robert Buchholz  Author

Updated April 14, 2009

1.  Security recruits

Padawans

The recruitment process for security developers is somewhat different from the mainstream recruitment process. Knowledge of Gentoo specifics is not as important as it is for other developers, since they don't need to have commit rights to the Portage tree. On the other hand, they must have a good security background, good knowledge of written English and must progressively be given more responsibility.

The whole recruitment process should take between 2 and 3 months, depending on your personal skills and the amount of time you can invest. While we are talking about time: most of the tasks you need to do will take less than 10 minutes, but you should be able to react to problems with low latency. Thus, constant dedication is more important than endless hours of spare time. Security recruits in training will be called padawans throughout this document.

Current padawans status

Padawan name    Username   Rank         Mentor
Stefan Behte    craig      Apprentice   rbu
Tony Vroon      Chainsaw   Apprentice   a3li
Matti Bickel    mabi       Apprentice   none yet

Note: Developers and senior developers appear on the Security project page.

2.  Recruitment steps

To become a padawan, you'll have to submit an application with your background and qualifications to security@gentoo.org. You'll have to join us on IRC on the #gentoo-security channel to get a feel for how we work. You can read the GLSA Coordinator Guide and, if you're still interested in the job, you can start as a Scout.

Scout

The first step in joining the team is to be a scout. You will have to follow major security lists and websites (your choice) and file bugs for issues that are not yet among the current Security bugs. Search for duplicates in resolved bugs before submitting! We will assign a senior developer as 'Mentor' to you. He will show you around and answer all your questions (but don't hesitate to contact any other senior developer for help). It's also wise to add security@gentoo.org to your list of watched users. To do this, open the preferences of your bugzilla account, go to "Email Preferences" and add security@gentoo.org into the edit box at the bottom. Now you will automatically receive every bugmail of security@gentoo.org, except for the restricted ones. This will help you to stay up to date.

If you managed to file a new security bug, you are also welcome to try to resolve it (meaning: CCing the maintainer, setting and updating the status whiteboard and all the other things described in the GLSA Coordinator Guide). Unfortunately, this only works for bugs you filed. You will be allowed to edit and move other bugs around once you are a developer on probation.

Finding security bugs can be very difficult and boring, but try to go through the slave labor. There are several ways to make your life easier. Some primary channels, like Full-Disclosure, have a rather low signal-to-noise ratio, but there are also other mailing lists like oss-security that are more focused on distribution vendors. You might also be interested in secondary channels: for instance, Secunia Advisories can be subscribed to via a mailing list, and BugTraq BIDs and CVE identifiers can be followed via RSS feeds. The Security SVN contains tools to easily handle newly assigned CVE identifiers and to perform other routine tasks; please consult the README provided there.

Furthermore, you can also try to find other tasks that interest you, for example getting in touch with developers that are late with ebuilding and/or stabling, or verifying a vulnerability where it is unclear whether Gentoo is affected. You could also ask your mentor for a task.

Note: Do you know how to look up a bug by CVE identifier in the bug trackers of the other distributions? If not, try to find out or ask your mentor.

Apprentice

If you do a good job as a scout, you'll be invited to be an apprentice. We will add you to a secret tool called the 'GLSAMaker' and you will be asked to draft, comment on and review security advisories. You are also responsible for fixing advisories you drafted as fast as possible. Besides that, you should try to continue your scouting work. Drafting GLSAs is usually much more relaxed than hunting bugs, so you will hopefully start to enjoy your work at this point.

Note: Have you read more than one page on the oss-security wiki yet?

Developer (on probation)

Remarkable GLSAs and dedication will bring you to the next step. We will open a recruitment bug for you and you will get the magic powers to edit and move bugs around that weren't filed by you. A 30-day trial period will start, and you will have to answer the staffer quiz correctly in order to become a full developer. During the probation period, you should get used to your new responsibilities while demonstrating that you are ready to handle them.

Developer

At the end of your probation period, you'll be made a full GLSA Coordinator and you will be able to commit and send your own GLSAs. Glory and bounces will come to you.

Senior Security Developer

To reach the holy grail of the padawan's path and have almost infinite powers, you'll have to pass the classic developer quizzes to gain Portage CVS commit rights. You'll have to prove you don't have a life outside #gentoo-security. Then you will be granted masking powers.