Participate

You're interested in participating in a community-driven project? That's great – we need helping hands in a couple of areas. Please check the following list to get an impression of what you might be able to do.

Please be clear about how much spare time you have to spend on this project. It is important to us that we can rely on you once you have taken over a certain task. Don't overestimate yourself – even if you think that you can only do a little thing for us, it's better to focus on that thing and do it well instead of burdening yourself with a load of tasks that you can't fulfill. In turn, if you have much spare time, we don't object if you take more than one task at once.

Vulnerability tracker

You are familiar with common security and vulnerability tracking mailing lists; ideally you're already reading some of the more important lists (we should mention some here!). Reading the Red Hat advisories for current releases of Red Hat Enterprise Linux and Fedora Core is a must. Don't worry, you don't have to do this alone; vulnerability tracking is spread over a couple of people.

Your task is to inform the fedora-legacy-list about vulnerabilities that affect versions of Red Hat Linux and/or Fedora Core that are currently supported by us. You'll open a bug on Bugzilla for that specific vulnerability and describe what you've found out. If you're familiar with creating patches, this task can be linked well with the next one, but it's no problem if you stop here.

Vulnerability analyzer

You are familiar with reviewing code and creating patches.

Your task is to find out what needs to be done to eliminate the vulnerability. Check what the authors have done, and check what others have already done on this issue. In some cases it is a simple one-liner. In other cases you might need to find the revision fixed in CVS and run a diff against the revision in the current tarball. This posting can help you find out what policy might be appropriate. In any case, we require you to communicate with other people on the list and/or on IRC to establish a consensus on what needs to be done.

Testing packager

You are familiar with creating or adapting specfiles and building RPMs.

Your task is to monitor (and participate in) the discussions on the mailing list and on IRC about a vulnerability and build up a specfile for an update package that includes any patches or updated tarballs that are needed to eliminate the vulnerability. Build a source RPM, create its md5sum and gpg --clearsign it, then upload it to a public server. Update the Bugzilla entry with the URL of the source RPM and inform the mailing list about your work.

QA testing

I need more information on what exactly needs to be done. From my point of view this task should end up in giving PUBLISH votes on Bugzilla.

Publisher

I need more information on what exactly needs to be done. From my point of view this task should end up in uploading the package to download.fedora.us into the updates-testing channel.

Release manager

I need more information on what exactly needs to be done. From my point of view this task should end up in checking the signatures of a package in updates-testing to make sure that the test uploading the package to download.fedora.us into the updates-testing channel.