FST virtual key signing party on 2015-11-12
by Eric Christensen
Next week we'll do our virtual key signing party using Bluejeans[0] during our
normal meeting time. We'll be using the Keysigning Party HOWTO[1] to help
organize the event, and I'm leaning toward the Hash Based Method[2].
It's okay if you aren't comfortable using this method of keysigning but I did
want to make this available as an option to help extend trust among FST
members.
If you want to participate please send me your PGP/GPG key fingerprint via a
signed and encrypted email to sparks(a)fedoraproject.org using my key 0x024BB3D1
(fingerprint 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1). Please also
make sure that your public key is available on the Fedora Key server[3]. When
I receive your fingerprint I'll add you to an invitation list where you will
receive a unique URL and passphrase to access the event. This will hopefully
improve the integrity of the event. Each participant will need to bring some
form of identification to the event.
After the event I would highly recommend using caff[4] to sign and distribute
the signatures. This tool encrypts the signature in an email which forces the
recipient to prove they have access to not only the email address but also the
key to obtain the signature.
Questions? Did I miss anything? Reply now! Otherwise, please send me your
key fingerprints and we'll get this event going.
Thanks!
[0] Yeah, while not a FOSS solution, it at least supports Linux. I really
couldn't find a good FOSS solution for this but am open to suggestions in the
future.
[1] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
[2] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.h...
[3] https://keys.fedoraproject.org/
[4] https://sparkslinux.wordpress.com/2014/06/21/signing-pgp-keys/
--Eric
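As an added example (not part of Eric's post or the HOWTO), here is the organizer-side bookkeeping for the hash-based method in Python: each submitted fingerprint is normalized and checked against its 32-bit key ID (the low 8 hex digits of a v4 fingerprint, which is why 0x024BB3D1 matches the fingerprint above), the participant list is built in a canonical order, and a digest of that list is produced so everyone at the event can confirm they are holding the same list before fingerprints are checked one by one. Using SHA-256 for the list digest and the second participant's fingerprint are assumptions made up for illustration.

```python
import hashlib
import re

# Constructed sample: the organizer's key from the announcement plus one
# hypothetical participant whose fingerprint is made up for illustration.
SUBMISSIONS = [
    ("Eric Christensen", "097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1"),
    ("Example Participant", "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"),
]


def normalize_fingerprint(fpr):
    """Strip whitespace and any 0x prefix, upper-case, require 40 hex digits (v4 key)."""
    digits = re.sub(r"\s+", "", fpr).upper()
    if digits.startswith("0X"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % fpr)
    return digits


def short_key_id(fpr):
    """The 32-bit key ID (0x...) is the low 8 hex digits of a v4 fingerprint."""
    return "0x" + normalize_fingerprint(fpr)[-8:]


def format_fingerprint(digits):
    """Render the 'XXXX XXXX ...' grouping that gpg --fingerprint prints."""
    return " ".join(digits[i:i + 4] for i in range(0, 40, 4))


def build_party_list(submissions):
    """One line per participant, sorted so every copy has identical bytes."""
    lines = []
    for name, fpr in submissions:
        digits = normalize_fingerprint(fpr)
        lines.append("%s  %s  %s" % (short_key_id(digits), format_fingerprint(digits), name))
    return "\n".join(sorted(lines)) + "\n"


def list_digest(text):
    """Digest the organizer reads aloud at the event (SHA-256 assumed here)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_participant(text, fpr):
    """True when the fingerprint in hand appears verbatim in the published list."""
    return format_fingerprint(normalize_fingerprint(fpr)) in text


if __name__ == "__main__":
    party_list = build_party_list(SUBMISSIONS)
    print(party_list)
    print("SHA-256:", list_digest(party_list))
```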
Security Team meeting minutes for 2015-11-05
by Eric Christensen
Meeting started by Sparks at 14:00:21 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-11-05/fedora_securit...
Meeting summary
---------------
* Roll Call (Sparks, 14:00:26)
* LINK:
https://lists.fedoraproject.org/pipermail/security-team/2015-November/000...
(mhayden, 14:05:21)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:14:32)
* Follow up on last week's tasks (Sparks, 14:15:03)
* ACTION: Sparks to talk with mattdm regarding private security
tickets in BZ. (Sparks, 14:15:26)
* This was started but hasn't really moved forward. (Sparks,
14:15:42)
* ACTION: Sparks to discuss using Bluejeans for an online GPG key
signing event (Sparks, 14:15:50)
* This isn't mandatory so if you don't feel comfortable participating
or don't feel comfortable with not holding an ID in your hands then
you don't have to participate. (Sparks, 14:18:05)
* ACTION: mhayden to get Astradeus' changes to the stats script into
the fedora-security-team git repo (Sparks, 14:22:29)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:23:37)
* Education and Training (Sparks, 14:23:42)
* LINK: https://fedoraproject.org/wiki/Information_Security_Training
(Sparks, 14:23:49)
* LINK:
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm -
should it be there? (fenrus02, 14:25:27)
* LINK: https://wiki.mozilla.org/Security/Server_Side_TLS .. and ..
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ?
or too much detail ? (fenrus02, 14:27:53)
* Astradeus' changes for the script are now merged ;) (mhayden,
14:27:59)
* Outstanding BZ Tickets (Sparks, 14:31:29)
* Thursday's numbers: Critical 1 (0), Important 40 (0), Moderate 457
(+11), Low 170 (+8), Total 668 (Sparks, 14:31:36)
* Current tickets owned: 85 (Sparks, 14:31:42)
* IDEA: FST gets copied on critical and important CVEs that come to
Fedora/EPEL. (Sparks, 14:34:49)
* ACTION: Sparks to work with PST to get our mailing list included on
BZ tickets for critical and important CVEs. (Sparks, 14:39:03)
* Apparently FST members can't look at security bugs. This is likely
a problem if we're supposed to be fixing such things. (Sparks,
14:40:32)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (Sparks, 14:40:47)
* Anyone finding a security bug in Fedora that doesn't have a CVE
should let PST know so we can get a CVE issued. secalert(a)redhat.com
(Sparks, 14:41:32)
* Open floor discussion/questions/comments (Sparks, 14:43:34)
Meeting ended at 14:46:52 UTC.
Action Items
------------
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to discuss using Bluejeans for an online GPG key signing event
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to work with PST to get our mailing list included on BZ
tickets for critical and important CVEs.
* Sparks to figure out how FST members can get access to Fedora security
bugs
Action Items, by person
-----------------------
* Astradeus
* mhayden to get Astradeus' changes to the stats script into the
fedora-security-team git repo
* mattdm
* Sparks to talk with mattdm regarding private security tickets in BZ.
* mhayden
* mhayden to get Astradeus' changes to the stats script into the
fedora-security-team git repo
* Sparks
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to discuss using Bluejeans for an online GPG key signing
event
* Sparks to work with PST to get our mailing list included on BZ
tickets for critical and important CVEs.
* Sparks to figure out how FST members can get access to Fedora
security bugs
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
People Present (lines said)
---------------------------
* Sparks (72)
* mhayden (17)
* fenrus02 (6)
* Astradeus (6)
* zodbot (4)
* mattdm (3)
* rishi (2)
* jsmith (1)
14:00:21 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:21 <zodbot> Meeting started Thu Nov 5 14:00:21 2015 UTC. The chair is
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:21 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:00:24 <Sparks> #meetingname Fedora Security Team
14:00:24 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:26 <Sparks> #topic Roll Call
14:00:29 * Sparks
14:01:50 * Astradeus
14:03:11 <Sparks> mhayden: ping
14:03:11 <zodbot> Sparks: Ping with data, please:
https://fedoraproject.org/wiki/No_naked_pings
14:03:22 <mhayden> Sparks: aaaaack, DST
14:03:28 <mhayden> :P
14:03:35 <Sparks> mhayden: We're on zulu time!
14:03:42 * mhayden scurries over to his calendar to adjust the invitation
14:03:48 <Sparks> mhayden: Could you run your script for numbers, please?
14:03:51 <mhayden> on it
14:03:56 <Sparks> TU
14:04:01 <Sparks> mattdm: You around?
14:05:21 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-November/000...
14:05:23 <mhayden> ^^ stats
14:08:01 <Sparks> Hmmm, I thought I took care of that Critical last week.
14:09:04 <rishi> fg
14:09:07 <rishi> sorry
14:10:56 <Sparks> Sorry for the delay, I'm still tweaking the minutes.
14:11:01 * Sparks is running behind this morning
14:13:15 <mhayden> DST made all of my meetings scoot up
14:14:32 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:14:48 <Sparks> mhayden: Just put the TZ for this meeting as UTC and it'll
always be correct. :)
14:14:53 <Sparks> Okay, let's get started.
14:15:03 <Sparks> #topic Follow up on last week's tasks
14:15:13 <mhayden> figured out how to do that in android -- makes up for
Exchange's shortcomings :P
14:15:26 <Sparks> #action Sparks to talk with mattdm regarding private
security tickets in BZ.
14:15:42 <Sparks> #info This was started but hasn't really moved forward.
14:15:50 <Sparks> #action Sparks to discuss using Bluejeans for an online GPG
key signing event
14:16:04 <Sparks> I haven't done this but does anyone have a problem with
doing this?
14:16:12 <mhayden> i did my first gpg key signing at the last flock, it was fun!
14:16:45 <mhayden> i'm not sure how some folks might feel about their
identification cards/passports/licenses being on screen
14:16:52 <mhayden> someone could screenshot it and do nefarious things
14:17:17 <Sparks> Well, lots of people could do lots of things... I'm not
sure that it requires a screenshot.
14:17:26 <mhayden> haha
14:18:05 <Sparks> #info This isn't mandatory so if you don't feel comfortable
participating or don't feel comfortable with not holding an ID in your hands
then you don't have to participate.
14:18:18 <mattdm> Sparks: I'm around for, like, 11 minutes
14:18:51 <Sparks> mattdm: Can I get on your calendar for later today to
discuss furthering the mission of the FST?
14:19:05 <Astradeus> i think in that case hiding the passport number should be
enough to make it a little bit protected - the rest of the security features
is the same on all other identification-things
14:19:51 <Astradeus> e.g. the hologram and the name needs to be visible i
think, the passport number does not need to be
14:20:04 <Sparks> Okay, I'll try to send something to the list just after the
meeting while it's fresh on my mind.
14:20:15 <Sparks> Astradeus: True
14:20:24 <mhayden> i think sgallagh arranged the last signing at flock
14:20:42 <Sparks> Astradeus: I suspect that most Customs folks are using the
RFID chip for auth now anyway.
14:20:59 * mhayden is one of the few without a chipped passport at the moment
:P
14:21:09 <mattdm> Sparks: -- yes... maybe 3pm (US/Eastern)?
14:21:15 <Sparks> mhayden: Yeah, likely. I've usually done them at events
around here.
14:21:41 <Sparks> mattdm: 3pm ET works for me. I'll send you info. Thanks!
14:22:20 <Sparks> mhayden: What?!? How can you survive without the little
chip thingy? :)
14:22:25 <Sparks> Okay, moving on...
14:22:29 <Sparks> #action mhayden to get Astradeus' changes to the stats
script into the fedora-security-team git repo
14:22:38 <Sparks> mhayden: ^^^ did this happen?
14:23:15 <mattdm> Sparks: cool
14:23:20 <mhayden> nah, but i am going to look at it right now ;)
14:23:37 <Sparks> #action pjp to give a status update on security policy in
the wiki (carried over)
14:23:42 <Sparks> #topic Education and Training
14:23:49 <Sparks> #link
https://fedoraproject.org/wiki/Information_Security_Training
14:23:57 <Sparks> (From last week...)
14:24:31 <Sparks> I've started compiling training aids for learning about
information security. I've created the above wiki page to list them.
14:25:08 <Astradeus> i've been skipping over a few entries already - nice page
:)
14:25:27 <fenrus02>
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm - should it be
there?
14:26:29 <Sparks> fenrus02: IDK. Is that educational or just benchmark
information?
14:26:43 <fenrus02> how / why to make alterations
14:27:05 <Sparks> It could be. Feel free to add it.
14:27:21 <fenrus02> ditto for https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ ?
14:27:53 <fenrus02> https://wiki.mozilla.org/Security/Server_Side_TLS .. and
.. https://mozilla.github.io/server-side-tls/ssl-config-generator/ ? or too
much detail ?
14:27:59 <mhayden> #info Astradeus' changes for the script are now merged ;)
14:28:30 <Sparks> fenrus02: Yes, but use a WorldCat URL for books.
https://www.worldcat.org/title/bulletproof-ssl-and-tls/oclc/889874499
14:28:47 <fenrus02> ok. why worldcat instead of the publisher page?
14:29:09 <Sparks> Worldcat shows where to get the book (and not just from
Amazon) like libraries
14:29:27 <Sparks> I want to make it easier for folks to find the materials.
14:29:37 <Sparks> Especially if they can get them for free.
14:31:29 <Sparks> #topic Outstanding BZ Tickets
14:31:36 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 40 (0),
Moderate 457 (+11), Low 170 (+8), Total 668
14:31:42 <Sparks> #info Current tickets owned: 85
14:31:55 <Sparks> +Tickets by Priority--+-------+---------+
14:31:55 <Sparks> | Priority    | Count | Owned | Unowned |
14:31:55 <Sparks> +-------------+-------+-------+---------+
14:31:55 <Sparks> | medium      |   457 |    45 |     412 |
14:31:56 <Sparks> | low         |   170 |    14 |     156 |
14:31:58 <Sparks> | high        |    40 |    26 |      14 |
14:32:00 <Sparks> | unspecified |     4 |     0 |       4 |
14:32:03 <Sparks> | urgent      |     1 |     0 |       1 |
14:32:05 <Sparks> +-------------+-------+-------+---------+
14:32:09 <Astradeus> i didn't have the time to look at tickets unfortunately
:/
14:32:16 <Sparks> Anyone have anything ticket-wise to discuss?
14:34:26 <Sparks> Oh, I have something.
14:34:49 <Sparks> #idea FST gets copied on critical and important CVEs that
come to Fedora/EPEL.
14:35:03 <fenrus02> +1
14:35:43 <Sparks> I figure that way we will get notified immediately instead of
finding out something has been there after a few days/weeks.
14:37:01 <Sparks> mhayden: ^^^
14:37:17 <mhayden> that'd be nifty
14:39:03 <Sparks> #action Sparks to work with PST to get our mailing list
included on BZ tickets for critical and important CVEs.
14:40:32 <Sparks> #info Apparently FST members can't look at security bugs.
This is likely a problem if we're supposed to be fixing such things.
14:40:47 <Sparks> #action Sparks to figure out how FST members can get access
to Fedora security bugs
14:41:32 <Sparks> #info Anyone finding a security bug in Fedora that doesn't
have a CVE should let PST know so we can get a CVE issued.
secalert(a)redhat.com
14:42:08 <Sparks> Anyone have anything else?
14:42:14 * jsmith shows up late, and has nothing :-(
14:42:27 <Sparks> jsmith: Welcome!
14:43:34 <Sparks> #topic Open floor discussion/questions/comments
14:43:45 <Sparks> Okay, does anyone have anything before we close for the day?
14:45:16 <Sparks> Nothing?
14:45:52 <Sparks> Okay, I'm going to go ahead and close the meeting and try to
update next week's agenda now (for a change) and start working on my action
items.
14:45:57 <Sparks> Thanks, all, for coming out!
14:46:11 <Astradeus> thank you for managing the meeting :)
14:46:52 <Sparks> #endmeeting
Fedora Security Team Report - 2015-11-05
by Major Hayden
Fedora Security Team Report
Report date: 2015-11-05 08:04:30.816513
-------------------------------------------------------------------------------
+Tickets by Priority--+-------+---------+
| Priority    | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium      |   457 |    45 |     412 |
| low         |   170 |    14 |     156 |
| high        |    40 |    26 |      14 |
| unspecified |     4 |     0 |       4 |
| urgent      |     1 |     0 |       1 |
+-------------+-------+-------+---------+
+Tickets by Status-+-------+---------+
| Status   | Count | Owned | Unowned |
+----------+-------+-------+---------+
| NEW      |   561 |    66 |     495 |
| ON_QA    |    65 |    14 |      51 |
| MODIFIED |    24 |     0 |      24 |
| ASSIGNED |    22 |     5 |      17 |
+----------+-------+-------+---------+
+Tickets by Severity--+-------+---------+
| Severity    | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium      |   456 |    45 |     411 |
| low         |   170 |    14 |     156 |
| high        |    43 |    26 |      17 |
| urgent      |     2 |     0 |       2 |
| unspecified |     1 |     0 |       1 |
+-------------+-------+-------+---------+
+Tickets by Component---+-------+---------+
| Component     | Count | Owned | Unowned |
+---------------+-------+-------+---------+
| mingw-libxml2 |    10 |     0 |      10 |
| cacti         |    10 |     0 |      10 |
| bugzilla      |     9 |     1 |       8 |
| nagios        |     9 |     9 |       0 |
| glibc         |     8 |     0 |       8 |
| kernel        |     7 |     0 |       7 |
| quassel       |     7 |     1 |       6 |
| mingw-icu     |     7 |     0 |       7 |
| libsndfile    |     6 |     0 |       6 |
+---------------+-------+-------+---------+
+Tickets by Distro Version-------+---------+
| Distro Version | Count | Owned | Unowned |
+----------------+-------+-------+---------+
| el6            |   228 |    41 |     187 |
| 22             |   166 |     2 |     164 |
| 21             |   116 |     6 |     110 |
| el5            |    76 |    20 |      56 |
| epel7          |    41 |     4 |      37 |
| 23             |    34 |    12 |      22 |
| rawhide        |     5 |     0 |       5 |
| unspecified    |     3 |     0 |       3 |
| 7.3            |     1 |     0 |       1 |
+----------------+-------+-------+---------+
--
Major Hayden