Project:Security/Padawan Process

From Gentoo Wiki
< Project:Security
Revision as of 15:07, 26 January 2014 by Ackle (Talk | contribs)

Jump to: navigation, search

This document contains procedures applying to the security team recruitment process.

Security recruits


The recruitment process for security developers is somewhat different from the mainstream recruitment process. Knowledge of Gentoo specifics is not as important as it is for other developers, since they don't need to have commit rights to the Portage tree. On the other hand, they must have a good security background, good knowledge of written English and must progressively be given more responsibility.

The whole recruitment process should take between 2 and 3 months, depending on your personal skills and the amount of time you can invest. While we are talking about time: most of the tasks you need to do will take less then 10 minutes, but you should be able to react on problems with a low latency. Thus, constant dedication is more important than endless hours of spare time. Security recruits in training will be called padawans throughout this document.

Developers, senior developers and current padawans appear on the Security project page.

Recruitment steps

To become a padawan, you'll have to submit an informal application to A simple mail telling us a bit about yourself (things like where you're from, hobbies, job, previous experience in open-source projects and security) is sufficient. You should join us on IRC on the #gentoo-security channel to get a feel of how we work. You can read the GLSA Coordinator Guide and if you're still interested in the job, you can start as a Scout:


First step in joining the team is to be a scout. You will have to follow major security lists and websites (your choice) and submit bugs for things that are not yet in the current Security bugs . Search for duplicates in existing bugs before submitting! You are encouraged to ask questions in the #gentoo-security IRC channel. Existing team members may also email you directly or comment on the bugs you open with suggestions. It's also wise to add to your list of watched users. To do this, open the preferences of your bugzilla account, go to "Email Preferences" and add into the editbox at the bottom. Now you will automatically receive every bugmail of, except for the restricted ones. This will help you to stay up to date.

If you managed to file a new security bug, you are also welcome to try to resolve it (meaning, CCing the maintainer, setting and updating the status whiteboard and all the other things as described in the GLSA coordinator guide). Unfortunately, this only works for bugs you filed. You will be allowed to edit and move other bugs around when you are developer on probation.

To CC maintainers, refer to the maintainer and herd sections of the package metadata.xml. Email aliases for herds can be found on herds.xml.

Finding security bugs can be very difficult and boring, but try to go through the slave labor. There are several ways to make your life easier. Some primary channels have a rather low signal-to-noise ratio like Full-Disclosure, but there are also other mailing lists like oss-security that are more focussed for distribution vendors. You might also be interested in secondary channels, for instance, Secunia Advisories can be subscribed to via a mailing list, or BugTraq BIDs and CVE identifiers can be followed via RSS feeds. You can find tools to easily handle newly assigned CVE identifiers, and perform other routine tasks in the Security SVN . Please consult the README provided there.

Furthermore, you can also try to find other tasks that interest you, for example trying to get in touch with developers that are late with ebuilding and/or stabling or verify a vulnerability where it's not sure whether or not Gentoo is affected. You could also try asking in IRC or emailing for a task.

  • You will need: A Gentoo bugzilla account
  • We will provide you: Nothing
  • Estimated time until promotion: between 2 weeks and a month, but depends on your personal effort and skills.
CVE identifiers can be searched in Bugzilla by separating the year and identifier number. For example: "CVE-2013 4411".


If you do a good job as a scout, you'll be invited to be an apprentice. We will add you to a secret tool called the 'GLSAMaker' and you will be asked to draft, comment and review security advisories. You are also responsible to fix advisories you drafted as fast as possible. Besides that, you should try to continue your scouting work. Drafting GLSAs is usually much more relaxed than hunting bugs, so you will hopefully start to enjoy your work at this point.

  • You will need: To learn the Security Policy and the GLSA Coordinator Guide by heart
  • We will provide you: A GLSAMaker account
  • Estimated time until promotion: until we are confident that you are able to draft quality advisories. That should take roughly a month if you are good.
Have you read more than one page on the oss-security wiki yet?

Developer (on probation)

Remarkable GLSAs and dedication will bring you to the next step. We will open a recruitment bug for you and you will get the magic powers to edit and move bugs around that weren't filed by you. A 30 day trial period will start and you will have to answer the staffer-quiz correctly in order to become a full developer. During the probation period, you should get used to your new responsibilities, while demonstrating that you are ready to handle them.

  • You will need: to provide everything required to be a Gentoo developer
  • We will provide you: A Gentoo developer account, membership and improved Bugzilla rights
  • Estimated time until promotion: 30 days.


At the end of your probation period, you'll be made a full GLSA Coordinator and you will be able to commit and send your own GLSAs. Glory and bounces will come to you.

  • You will need: Tears and sweat
  • We will provide you: GLSA commit rights, gentoo-announce posting rights and padawan approval power

Senior Security Developer

To reach the holy grail of the padawans path and have almost infinite powers, you'll have to pass through classic developer quizzes to gain portage CVS commit rights. You'll have to prove you don't have a life outside #gentoo-security. Then you will be granted masking powers.

  • You will need: Successful Gentoo developer quizzes
  • We will provide you: Portage commit rights for package masking


We would like to thank the following authors and editors for their contributions to this guide:

  • Thierry Carrez
  • Stefan Cornelius
  • Raphael Marichez
  • Robert Buchholz
  • Tim Sammut