This document contains procedures applying to the security team recruitment process.
The recruitment process for security developers is somewhat different from the mainstream recruitment process. Knowledge of Gentoo specifics is not as important as it is for other developers, since they don't need to have commit rights to the Portage tree. On the other hand, they must have a strong interest in security matters, good knowledge of written English and must progressively be given more responsibility. A professional security background is not required at all.
The whole recruitment process should take between 2 and 3 months, depending on your personal skills and the amount of time you can invest. While we are talking about time: most of the tasks you need to do will take less than 10 minutes, but you should be able to react on problems with a low latency. Thus, constant dedication is more important than endless hours of spare time. Security recruits in training will be called Padawans throughout this document.
Developers, senior developers and current Padawans appear on the Security project page.
To become a Padawan, you'll have to submit an informal introduction to email@example.com. A simple mail telling us a bit about yourself (things like where you're from, hobbies, job, previous experience in open-source projects and security) is sufficient. You should join us on IRC on the #gentoo-security channel to get a feel of how we work. You can read the GLSA Coordinator Guide and if you're still interested in the job, you can start as a Scout:
First step in joining the team is to be a Scout. You will have to follow major security lists and websites (your choice) and submit bugs for things that are not yet in the current Security bugs. The goal is to learn how the security community in general works, and how we handle security bugs at Gentoo.
You are encouraged to ask questions in the #gentoo-security IRC channel. Existing team members may also email you directly or comment on the bugs you open with suggestions. It's also wise to add firstname.lastname@example.org to your list of watched users. To do this, open the preferences of your Bugzilla account, go to "Email Preferences" and add email@example.com into the editbox at the bottom. Now you will automatically receive every bugmail of firstname.lastname@example.org, except for the restricted ones. This will help you to stay up to date.
If you managed to file a new security bug, you are also welcome to try to manage it (meaning, CCing the maintainer(s), setting and updating the status whiteboard and all the other things as described in the GLSA coordinator guide). Unfortunately, this only works for bugs you filed. You will be allowed to edit and move other bugs around when you are an Apprentice.
To CC maintainers, refer to the maintainer and herd sections of the package metadata.xml.
Finding security bugs can be very difficult and boring, but try to go through the slave labor. There are several ways to make your life easier. Some primary channels have a rather low signal-to-noise ratio like Full-Disclosure, but there are also other mailing lists like oss-security that are more focused for distribution vendors. You might also be interested in secondary channels, for instance, BugTraq BIDs and CVE identifiers can be followed via RSS feeds. You can find tools to easily handle newly assigned CVE identifiers, and perform other routine tasks in the Security SVN. Please consult the README provided there.
Furthermore, you can also try to find other tasks that interest you, for example trying to get in touch with developers that are late with ebuilding and/or stabling or verify a vulnerability where it's not sure whether or not Gentoo is affected. You could also try asking on IRC or emailing email@example.com for a task.
- You will need: A Gentoo Bugzilla account
- We will provide you: Nothing
- Estimated time until promotion: between 2 weeks and a month, but depends on your personal effort and skills.
CVE identifiers can be searched in Bugzilla by separating the year and identifier number. For example: "CVE-2013 4411".
If you do a good job as a Scout, you'll be invited to be an Apprentice. You will get the magic powers to edit and move bugs around that weren't filed by you. More importantly, we will add you to a secret tool called the 'GLSAMaker' and you will be asked to draft, comment and review security advisories. You are also responsible to fix advisories you drafted as fast as possible. Besides that, you should try to continue your scouting work. Drafting GLSAs is usually much more relaxed than hunting bugs, so you will hopefully start to enjoy your work at this point.
- You will need: To learn the Security Policy and the GLSA Coordinator Guide by heart
- We will provide you: A GLSAMaker account, improved Bugzilla rights
- Estimated time until promotion: until we are confident that you are able to draft quality advisories. That should take roughly a month if you are good.
Have you read more than one page on the oss-security wiki yet?
Developer in training
Remarkable GLSAs and dedication will bring you to the next step as you should now be fully familiar with the Security team's workflows. In order to become a Gentoo developer, we will open a recruitment bug for you and ask you to fill out the developer quiz correctly. The goal of this quiz is to learn a few bits about Gentoo's inner workings in order to integrate you into the Gentoo developer community. Don't worry if this sounds too hard, you will be assigned a mentor who will help you throughout the process. Once you and your mentor are satisfied with your answers, one of the Gentoo recruiters will have a review session with you on IRC.
- You will need: to provide everything required to be a Gentoo developer
- We will provide you: A Gentoo developer account and firstname.lastname@example.org membership.
- Estimated time until promotion: 30 days.
Upon successfully completing the recruitment process, you'll be a Gentoo developer and a full GLSA Coordinator, meaning that you will be able to commit and publish your own GLSAs. Glory and bounces will come to you.
- You will need: Tears and sweat
- We will provide you: GLSA commit rights, gentoo-announce posting rights and Padawan approval power
Developer with tree commit rights
Once you have achieved the status of developer in the previous step, there's nothing left to do security-wise. However, Gentoo itself is a big project and along the way you have probably become interested in working in other areas and teams in Gentoo. Most of these require commit rights to the Portage tree, for which you'll have to pass through the classic developer quizzes (the ebuild quiz and the end of mentoring quiz).
- You will need: Successful Gentoo developer quizzes
- We will provide you: Portage commit rights
This article is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Thierry Carrez, Stefan Cornelius, Raphael Marichez, Robert Buchholz, Tim Sammut
They are listed here as the Wiki history does not allow for any external attribution. If you edit the Wiki article, please do not add yourself here; your contributions are recorded on the history page.