On Tue, 2019-07-30 at 09:50 -0300, Chris Lamb wrote:
> Dear all,
> [..]
>> Other security topics perhaps ought to be discussed privately and I intend to kick off the topic with stakeholders.
> A quick thought: whilst the specific details of this might be more suitable for some initial discussions to be held «in camera», would it be appropriate to briefly outline the very approximate areas in a security or politically sensitive way?
Yes, I think so. Thanks for the suggestion. A high-level outline of the topics I'd like to see addressed:
1. How will we use the Security mailing list we now have? Is it to be used in the same manner as the Debian Security list? Or are we going to address PureOS-specific security issues? What are the expectations for embargoes (if any)?
2. Do we have a policy for server setup with regard to authentication and authorization? Examples: no root SSH logins, password-less logins, SSH key size and cipher, etc. These policies are meant for the PureOS infrastructure, which hopefully will not host user data (so no immediate need for a GDPR audit, etc.).
I welcome other input; this is what comes to mind at the moment.
Regards,
Jeremiah
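Item 2 of the outline above names concrete sshd settings (no root logins, key-only authentication, pinned ciphers and key algorithms). The following POSIX shell audit is an added example, not code from this thread or from the PureOS infrastructure: it reads an sshd_config text, resolves each keyword the way sshd does (the first occurrence wins, later duplicates are ignored) and reports policy violations. The two configurations embedded as sample input are constructed for the example, and the choice of which ciphers and signature algorithms count as weak is the example's own assumption rather than a policy the thread agreed on.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the item-2 policy points.
# Sample configs below are constructed; the weak/strong algorithm lists are
# this example's assumptions, not a policy taken from the mailing list.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of a keyword in a config text ($1 = text, $2 = keyword).
# sshd applies the FIRST occurrence of a keyword, so a later duplicate does
# not override it. Directives after the first Match block are conditional and
# are deliberately out of scope here (use `sshd -T` for the full picture).
# The optional "Keyword=value" spelling is not handled.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(lc "$2")" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        tolower($1) == "match" { exit }              # stop at first Match block
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

# Print one FAIL line per violation; prints nothing for a compliant config.
sshd_audit() {
    cfg=$1

    v=$(sshd_effective "$cfg" PermitRootLogin)
    [ "$(lc "$v")" = no ] ||
        echo "FAIL PermitRootLogin is '${v:-unset}'; policy requires 'no'"

    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$(lc "$v")" = no ] ||
        echo "FAIL PasswordAuthentication is '${v:-unset (sshd default: yes)}'; policy requires key-only logins"

    v=$(sshd_effective "$cfg" Ciphers)
    if [ -z "$v" ]; then
        echo "FAIL Ciphers not pinned; the OpenSSH default list depends on the installed version"
    else
        # assumption: CBC modes and legacy ciphers are out of policy
        weak=$(printf '%s' "$v" | tr ',' '\n' |
               grep -E -e '-cbc$|^3des|^arcfour|^blowfish|^cast128' | tr '\n' ' ')
        [ -z "$weak" ] || echo "FAIL weak ciphers enabled: $weak"
    fi

    # ssh-rsa here means RSA with SHA-1 signatures; ssh-dss is 1024-bit DSA.
    # Only checked when the keyword is set explicitly.
    for kw in PubkeyAcceptedAlgorithms PubkeyAcceptedKeyTypes HostKeyAlgorithms; do
        v=$(sshd_effective "$cfg" "$kw")
        [ -n "$v" ] || continue
        bad=$(printf '%s' "$v" | tr ',' '\n' | grep -E -x -e 'ssh-dss|ssh-rsa' | tr '\n' ' ')
        [ -z "$bad" ] || echo "FAIL $kw allows SHA-1/DSA signatures: $bad"
    done
}

# Number of FAIL lines for a config (grep -c exits 1 on zero matches, hence || true).
sshd_finding_count() {
    sshd_audit "$1" | grep -c . || true
}

# Constructed sample: a stock-style configuration that fails the policy.
WEAK_CFG='# constructed example, pre-hardening
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,3des-cbc,aes256-ctr
HostKeyAlgorithms ssh-rsa,ssh-ed25519'

# Constructed sample: the same server with the policy applied.
HARDENED_CFG='# constructed example, hardened
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512'

echo "== weak config =="
sshd_audit "$WEAK_CFG"
echo "findings: $(sshd_finding_count "$WEAK_CFG")"
echo "== hardened config =="
sshd_audit "$HARDENED_CFG"
echo "findings: $(sshd_finding_count "$HARDENED_CFG")"
```

To run it against a real host, pass the file contents: `sshd_audit "$(cat /etc/ssh/sshd_config)"`. Two caveats a practitioner would want: `sshd -T` (optionally with `-C user=...,host=...,addr=...`) prints the effective configuration after Match blocks and defaults are applied and is the authoritative source, and key size cannot be read from sshd_config at all; inspect the host keys and authorized keys with `ssh-keygen -l -f <key>` separately.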