Fedora Security SIG
The Fedora Security SIG exists to advocate for security across the Fedora userbase and contributor ecosystem. It aims to embed a security-conscious mindset into the community and collect best practices for secure usage of Fedora and its downstreams.
Drawing on the experience of the XZUtils incident of 2024, the Security SIG was founded to fill a gap: it aims to act as a point of exchange, creating and transferring knowledge with a security filter enabled. This gets people talking who would not otherwise talk, and connects SIGs and teams that would not otherwise be connected, maximizing the likelihood that the knowledge needed at a given place arrives there on time, and that it has been filtered for security issues that might not be obvious until it is too late.
The Security SIG complements, but does not replace, Red Hat Product Security. It does replace the preceding Security Team.
The Security SIG has integrated security-related SIGs as Sub-SIGs, such as the Confined Users SIG.
The SIG has already contributed to reviewing the Docs for security issues and helped to update them. This included an emphasis on cryptography, a topic the SIG aims to pursue more actively in future.
Contact
The Security SIG currently has two dedicated places to connect and exchange:
- Matrix channel: #security:fedoraproject.org
- General Discourse tag: #security-sig
- Confined Users Sub-SIG Discourse tag: #confined-users
If you have security-relevant questions, you can ask them on ask.fedora:
- General Ask.Fedora Discourse tag: #security
- SELinux-specific User Confinement: #selinux-confined-users
- Privilege/su/sudo-specific User Confinement: #su-confined-users
You can also submit a ticket to the Security SIG on Fedora Forge. If you have a specific request that you’d like completed, this is the best place to do it.
All of these communication channels are public, and therefore not appropriate for reporting a security vulnerability. For that, you should use the Responsible Disclosure Process from this documentation.
Get Involved
The Security SIG meets weekly on Matrix, and you’re welcome to join if you’d like to get involved in our initiatives!
Meetings are held in Fedora Meeting 3 on Thursday at 11am Eastern Time. You can use the command below to convert this to your local time.
$ date -d @$(TZ=America/New_York date -d "next Thursday 11:00" +%s)