Security Team Meeting minutes for 2015-12-17
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:08:09 UTC. The full logs are available
at
http://meetbot.fedoraproject.org/fedora-meeting/2015-12-17/fedora_securit...
.
Meeting summary
---------------
* Roll Call (Sparks, 14:08:14)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:12:29)
* Education and Training (Sparks, 14:13:14)
* LINK: https://fedoraproject.org/wiki/Information_Security_Training
(Sparks, 14:13:21)
* LINK: http://www.cl.cam.ac.uk/~rja14/book.html (d-caf, 14:21:07)
* ACTION: Sparks to copy the PS Certification information over to the
Fedora wiki for further review (Sparks, 14:21:30)
* Apprenticeship (Sparks, 14:22:13)
* LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship
(Sparks, 14:22:21)
* Security Team Fedora Activity Day (Sparks, 14:23:23)
* LINK: http://whenisgood.net/8fshcdf/results/9czp49s (Sparks,
14:25:03)
* Sparks is looking into a videoteleconferencing option for the event
to accommodate distance folks. (Sparks, 14:29:18)
* Open floor discussion/questions/comments (Sparks, 14:32:47)
* AGREED: Next week's meeting will be cancelled. (Sparks, 14:36:46)
* LINK: http://shmoocon.org/general-information/ (d-caf, 14:38:59)
Meeting ended at 14:51:08 UTC.
Action Items
------------
* Sparks to copy the PS Certification information over to the Fedora
wiki for further review
Action Items, by person
-----------------------
* Sparks
* Sparks to copy the PS Certification information over to the Fedora
wiki for further review
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* Sparks (60)
* d-caf (29)
* jsmith (15)
* zodbot (5)
* rsc (4)
* mhayden (3)
* Astradeus (2)
14:08:09 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:08:09 <zodbot> Meeting started Thu Dec 17 14:08:09 2015 UTC. The chair is
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:08:09 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:08:09 <zodbot> The meeting name has been set to 'security_team_meeting_-
_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:08:12 <Sparks> #meetingname Fedora Security Team
14:08:12 <zodbot> The meeting name has been set to 'fedora_security_team'
14:08:14 <Sparks> #topic Roll Call
14:08:16 * Sparks
14:08:20 * d-caf
14:08:47 <Sparks> mhayden jsmith zoglesby: We're starting
14:08:58 <mhayden> .hello mhayden
14:08:59 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net>
14:09:41 * jsmith is in a ${DAYJOB} meeting, but will try to multitask
14:10:51 * Sparks notes that this meeting does not require himself and
encourages others to take the reins when necessary.
14:11:24 * d-caf Notes Sparks thoughts...
14:12:15 <Sparks> Okay, let's get started
14:12:29 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:13:07 * Sparks is going to avoid previous weeks' tasks for today since he
doesn't have any update on them
14:13:14 <Sparks> #topic Education and Training
14:13:21 <Sparks> #link
https://fedoraproject.org/wiki/Information_Security_Training
14:14:29 <Sparks> I'm working on an internal-to-Red-Hat certification process
for people in Product Security. I'm thinking about extending it into the
Fedora realm if we're interested.
14:14:54 <d-caf> Is this trust certification or skill certification?
14:15:10 <Sparks> skill
14:15:17 <rsc> How would this look like and how about costs for Fedora people?
14:15:51 <jsmith> Sparks: Definitely interested :-)
14:15:59 <mhayden> nice
14:16:02 <Sparks> rsc: This would be free.
14:16:17 <Sparks> rsc: Except, perhaps, for some of the resources used.
14:16:40 <rsc> Sparks: sounds cool (just asked because Red Hat
certifications/trainings are usually expensive)
14:16:43 <Sparks> rsc: I'm trying to make sure that all the resources that I
pick are available from the public library system in the US.
14:17:02 <rsc> Sparks: ahh...how does this work in EMEA/APAC then?
14:17:04 <d-caf> If we tie it into the Apprenticeship program that would be
helpful #link https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:17:18 <d-caf> which I've been putting some stuff together, but haven't added
to the wiki yet
14:17:47 <Sparks> rsc: The same, I just can't guarantee free access to books
(see the above link).
14:18:12 <Sparks> d-caf: Yes, I'll try to copy over what I've been working on
for PS to our wiki.
14:18:17 <Sparks> ...today
14:18:17 <rsc> Sparks: so we talk about online library systems? That would be
fine, too.
14:19:15 <Sparks> rsc: One of the texts I use is the "Hacking Exposed" book.
Very good resource but I can't guarantee that it'll be available in all public
libraries.
14:19:24 <Sparks> rsc: Applied Cryptography is another.
14:19:41 <Sparks> rsc: Perhaps there will be some personal copies that could
be shared.
14:19:53 <d-caf> Sparks: rsc: Security Engineering is another good one
14:20:09 <d-caf> and free online pdf's as well (buy the book if you can to
support the author..)
14:20:26 <Sparks> d-caf: Can you add that to the page? I've got so many
resources I'm looking at I don't know if that one is on my list, yet.
14:20:33 <d-caf> yes
14:21:07 <d-caf> #link http://www.cl.cam.ac.uk/~rja14/book.html
14:21:21 <d-caf> Can't edit the wiki at the moment, but will add it later
14:21:30 <Sparks> #action Sparks to copy the PS Certification information over
to the Fedora wiki for further review
14:21:35 <Sparks> d-caf: Thanks
14:21:45 <Sparks> Anyone have anything else training-related?
14:22:13 <Sparks> #topic Apprenticeship
14:22:21 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:22:34 <Sparks> This really folds into the previous discussion.
14:22:58 <Sparks> I'll try to populate this today and we'll come back to it
next time.
14:23:23 <Sparks> #topic Security Team Fedora Activity Day
14:23:33 <d-caf> I'll try and merge my stuff in with yours
14:23:38 <d-caf> on previous topic
14:23:43 <Sparks> d-caf: Thanks
14:24:04 <Sparks> Last time we started talking about a FAD in the Washington
DC area...
14:25:03 <Sparks> #link http://whenisgood.net/8fshcdf/results/9czp49s
14:25:04 <d-caf> have 4 people added to the WhenIsGood
14:25:30 <Sparks> jsmith: I noticed you only added January dates. Are
February and March completely out?
14:25:54 <jsmith> Sparks: Oooh, I didn't know you were looking at
February/March
14:26:04 <jsmith> Sparks: I'm open all of February/March, as far as I know.
14:26:19 <jsmith> Sparks: (Unless I get to speak at Devconf in Brno)
14:26:22 <Sparks> jsmith: Okay, could you edit your response, please?
14:26:30 <jsmith> Sparks: If I can find the link...
14:26:59 * Sparks points up
14:27:33 <d-caf> Somewhat related to this is there anyone else going to
ShmooCon, especially out of town folk, that would make it convenient to schedule
a FAD around that time?
14:27:48 <Sparks> d-caf: Could. When is it again?
14:27:52 <jsmith> Sparks: Done...
14:27:53 * Sparks did not get tickets
14:28:05 <d-caf> Jan 15-17
14:28:09 * jsmith did not get tickets either
14:28:31 <Sparks> d-caf: Appears that we're not all available around then.
14:28:48 <d-caf> Well, there is the 18th
14:29:18 <Sparks> #info Sparks is looking into a videoteleconferencing option
for the event to accommodate distance folks.
14:29:46 <Sparks> d-caf: True, although I'm wondering if we'd want to meet for
a couple of days. Maybe not...
14:30:06 <Astradeus> Sparks: yey :)
14:30:10 <Sparks> jsmith: Are Tuesdays out? Hard stop?
14:30:34 <jsmith> Sparks: No, but most of my ${DAYJOB} meetings are on
Tuesdays, so I'd likely be distracted
14:30:38 <Sparks> Astradeus: We used BlueJeans for the Docs FAD we had a few
years ago and that seemed to work well.
14:30:45 <jsmith> Sparks: Of course, if I change jobs, all bets are off...
14:30:50 <d-caf> I tend to have a lot of meetings Monday/Tuesday, but
sometimes can get out of them
14:31:04 * jsmith will do his best to be flexible
14:31:10 <Sparks> jsmith: Ditto. I'd have to cancel a bunch of stuff to be
available on a Tuesday
14:32:28 <Sparks> Okay, we'll continue to work on this and there will be
discussion on the list.
14:32:47 <Sparks> #topic Open floor discussion/questions/comments
14:33:18 <Sparks> Next week's meeting falls on Christmas Eve. I suspect many
of us will be off work or otherwise detained. Cancel?
14:34:41 <Astradeus> guess so. i'll be around though if a meeting comes up :)
14:34:43 <d-caf> I will likely miss the meeting
14:36:20 <jsmith> +1 to cancel
14:36:46 <Sparks> #agreed Next week's meeting will be cancelled.
14:36:53 <Sparks> Does anyone have anything else?
14:37:18 <mhayden> not i
14:37:30 <d-caf> one thing
14:37:46 <d-caf> I may have access to a few Shmoocon tickets
14:38:03 <jsmith> d-caf: OK, please let us know if you do
14:38:03 <d-caf> Who would be interested if I get them? Would be at cost
14:38:15 <Sparks> d-caf: What's the cost?
14:38:28 <jsmith> Depends on the cost...
14:38:29 <d-caf> Shmoocon charges $150 per ticket
14:38:59 <d-caf> #link http://shmoocon.org/general-information/
14:39:58 <Sparks> d-caf: I might be able to swing that. I can't be certain
right now, though.
14:40:20 <jsmith> Yeah, I'm on the fence too... but let me know if you can get
tickets, and I'll make a quick decision
14:40:21 <d-caf> Not talking about a lot of tickets, at most 2 or 3 (not
counting mine)
14:41:24 <Sparks> okay
14:41:58 <d-caf> so Sparks and jsmith are interested
14:44:07 <Sparks> d-caf: You might contact zoglesby as he might be interested
as well
14:44:23 <Sparks> Okay, anyone have anything else?
14:44:37 <d-caf> Sparks: I'll reach out to him
14:44:44 <d-caf> him/her
14:44:51 <d-caf> whom
14:44:53 <d-caf> :-)
14:44:54 <Sparks> Him... Zach
14:46:37 <Sparks> Anyone have anything else?
14:49:10 <Sparks> Hearing none... We'll go ahead and close the meeting for
today.
14:51:04 <Sparks> Thanks, everyone, for coming out today!
14:51:08 <Sparks> #endmeeting
Fedora Security Report - 2015-12-17
by Major Hayden
  __          _
 / _| ___  __| | ___  _ __ __ _
| |_ / _ \/ _` |/ _ \| '__/ _` |   Fedora Security Team Report
|  _|  __/ (_| | (_) | | | (_| |   Report date: 2015-12-17 07:46:35.770837
|_|  \___|\__,_|\___/|_|  \__,_|   Data from: 2015-12-17
-------------------------------------------------------------------------------
+Tickets by Priority-+-------+---------+
| Priority | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 437 | 40 | 397 |
| low | 153 | 13 | 140 |
| high | 37 | 21 | 16 |
+----------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW | 533 | 66 | 467 |
| ON_QA | 52 | 4 | 48 |
| MODIFIED | 23 | 0 | 23 |
| ASSIGNED | 19 | 4 | 15 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium | 437 | 40 | 397 |
| low | 153 | 13 | 140 |
| high | 37 | 21 | 16 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| mingw-pcre | 32 | 0 | 32 |
| mingw-libxml2 | 15 | 0 | 15 |
| glib2 | 13 | 0 | 13 |
| cacti | 10 | 0 | 10 |
| bugzilla | 9 | 1 | 8 |
| pcre | 8 | 0 | 8 |
| qemu | 8 | 4 | 4 |
| kernel | 7 | 0 | 7 |
| quassel | 7 | 1 | 6 |
| salt | 7 | 0 | 7 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6 | 230 | 38 | 192 |
| 22 | 132 | 1 | 131 |
| 23 | 128 | 11 | 117 |
| el5 | 76 | 21 | 55 |
| epel7 | 55 | 3 | 52 |
| rawhide | 6 | 0 | 6 |
+----------------+---------+-------+---------+
--
Major Hayden
Announcing Security Team FAD 2016
by Eric Christensen
In this week's meeting we figured out that many Security Team members are local
(or close by, anyway) to the Washington, D.C. area. With that in mind we're
going to try to host a FAD in early 2016 in the Washington, D.C. area to work
on the apprenticeship and maybe hammer out some bugs.
We are planning on having some sort of video-teleconference available for
those that aren't in the D.C. area to be able to participate.
If you are interested in participating please visit our FAD page[0] and sign
up.
[0] https://fedoraproject.org/wiki/Security_Team_FAD_2016
--Eric
Meeting with mattdm and my notes OR The Future of FST
by Eric Christensen
I just completed a meeting with Matthew Miller, FPL, regarding the future of
the FST. I believe we are ready to move forward with putting more
responsibility on the team.
The Problem
----------------
Security bugs come into Fedora/EPEL by way of Red Hat Product Security,
mostly. Any bug that has an embargo is not entered into Bugzilla (BZ) for
Fedora/EPEL until the embargo expires. Eventually we hope to develop a
trusted team that can actively work embargoed vulnerabilities to speed fixes to
users as soon as the embargo expires.
The Solution
----------------
The first piece of the solution will be an apprenticeship where new FST members
can prove themselves and get up to speed (similar to what Infrastructure has).
The second piece of the solution will be the establishment of a private group
in BZ that allows trusted members of the FST access to sensitive information.
Third is the possibility of private builds in Koji. While we can do private
builds to maintain confidentiality of the vulnerability it would be better to
make sure that the build is done correctly and is available for immediate QA.
Last is a "gentleman's agreement" that those in the trusted group will
maintain confidentiality and abide by certain information security measures to
prevent a leak of information.
It should be noted that none of these private mechanisms are in place to
maintain indefinite confidentiality; quite the opposite, in fact. ALL work done
in BZ will become public as soon as the embargo expires. This is important to
ensure transparency and openness in this process, and so we want to provide the
community with all the information that is available as soon as we possibly
can.
The Work
------------
There is a lot of work that needs to be done to bring us to the point of being
ready to actively handle security issues (as opposed to just chasing after
vulnerabilities that are months/years old). The first, and most basic, is
education. It was suggested that we have some sort of apprenticeship where we
can bring in new people and help them get up to speed. This would also give
us time to instill the need for trust. I've started compiling information on
the apprenticeship[0] but it needs more eyes/hands.
We also need to work on a workflow that includes proper protections of
embargoed information and a policy for working with embargoed information.
Thoughts? Comments? Let's get a discussion going here.
--Eric
[0] https://fedoraproject.org/wiki/Security_Team_Apprenticeship
Security Team meeting minutes for 2015-12-03
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:38 UTC. The full logs are available
at
http://meetbot.fedoraproject.org/fedora-meeting/2015-12-03/fedora_securit...
.
Meeting summary
---------------
* Roll Call (Sparks, 14:00:52)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:10:26)
* Follow up on last week's tasks (Sparks, 14:10:59)
* LINK:
https://lists.fedoraproject.org/archives/list/security-team%40lists.fedor...
(Sparks, 14:11:40)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:11:55)
* Not sure we can dynamically add FST to critical and important CVEs
with the current tool set. (Sparks, 14:12:43)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (Sparks, 14:12:55)
* Education and Training (Sparks, 14:14:45)
* LINK: https://fedoraproject.org/wiki/Information_Security_Training
(Sparks, 14:14:58)
* The Information Security Training page is available to provide
educational links to help people become more security literate.
(Sparks, 14:15:54)
* Apprenticeship (Sparks, 14:23:37)
* LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship
(Sparks, 14:23:59)
* Outstanding BZ Tickets (Sparks, 14:34:54)
* Thursday's numbers: Critical 0 (-1), Important 36 (-5), Moderate 424
(-30), Low 145 (-33), Total 605 (Sparks, 14:35:07)
* Current tickets owned: 80 (Sparks, 14:35:19)
* Open floor discussion/questions/comments (Sparks, 14:45:05)
* IDEA: Host a FST DC Meet Up (Sparks, 14:52:23)
* ACTION: Sparks to create a FST 2016 FAD page and start collecting
info (Sparks, 14:59:43)
Meeting ended at 15:01:09 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora security
bugs
* Sparks to create a FST 2016 FAD page and start collecting info
Action Items, by person
-----------------------
* Sparks
* Sparks to figure out how FST members can get access to Fedora
security bugs
* Sparks to create a FST 2016 FAD page and start collecting info
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
People Present (lines said)
---------------------------
* Sparks (125)
* d-caf (48)
* linuxmodder (35)
* mhayden (30)
* Astradeus (6)
* zodbot (6)
* zoglesby (5)
* jsmith (4)
* Southern_Gentlem (4)
14:00:38 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:39 <zodbot> Meeting started Thu Dec 3 14:00:38 2015 UTC. The chair is
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:39 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:00:39 <zodbot> The meeting name has been set to 'security_team_meeting_-
_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:42 <Sparks> #meetingname Fedora Security Team
14:00:42 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:52 <Sparks> #topic Roll Call
14:00:54 * Sparks
14:01:38 * Astradeus (more or less)
14:02:21 <Sparks> Astradeus: I feel the same way
14:05:27 * d-caf
14:05:36 <Sparks> mhayden: Are you here?
14:05:48 <mhayden> aaah, yes
14:05:50 <mhayden> .hello mhayden
14:05:51 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net>
14:06:06 * mhayden switched to evolution this week and is getting used to its
quirky calendar
14:06:56 <Southern_Gentlem> mhayden, may gawd have mercy on you
14:07:47 <mhayden> Southern_Gentlem: thanks -- my work life is in MS Exchange
:/
14:08:12 <d-caf> mhayden: oh, I'm so sorry
14:08:28 <Southern_Gentlem> mhayden, i am lucky that we have not had to do
that yet ( i have 5 secretaries that use exchange)
14:08:52 <mhayden> Southern_Gentlem: ah, for some reason i thought you worked
for RHT
14:09:11 <mhayden> sorry for sending us wildly OT, Sparks ;)
14:09:16 <Southern_Gentlem> mhayden, i thought you came to Fudcon Blacksburg
14:09:32 <Southern_Gentlem> ops sorry
14:09:48 <mhayden> nah, i couldn't make that one
14:10:00 <mhayden> interested to hear where fudcon will be in 2016
14:10:01 * linuxmodder here
14:10:02 <Sparks> mhayden: What'd I do?
14:10:04 <Sparks> :)
14:10:09 <Sparks> Okay, let's get started
14:10:13 <mhayden> Sparks broke bugzilla
14:10:26 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:10:43 * Sparks did not broke bugzilla
14:10:45 <Sparks> mhayden: https://bugzilla.redhat.com/show_bug.cgi?id=1288076
14:10:59 <Sparks> #topic Follow up on last week's tasks
14:11:15 <Sparks> And by "last week" I mean a few weeks ago
14:11:21 <Sparks> Sparks to talk with mattdm regarding private security
tickets in BZ.
14:11:26 <Sparks> Yep, I did this (and more).
14:11:40 <Sparks> #link
https://lists.fedoraproject.org/archives/list/security-team%40lists.fedor...
14:11:47 <Sparks> We'll talk more about this later.
14:11:55 <Sparks> #action pjp to give a status update on security policy in
the wiki (carried over)
14:12:12 <Sparks> Sparks to work with PST to get our mailing list included on
BZ tickets for critical and important CVEs.
14:12:43 <Sparks> #info Not sure we can dynamically add FST to critical and
important CVEs with the current tool set.
14:12:55 <Sparks> #action Sparks to figure out how FST members can get access
to Fedora security bugs
14:13:04 <Sparks> Did I miss anything else?
14:14:03 <mhayden> i think that's it
14:14:45 <Sparks> #topic Education and Training
14:14:58 <Sparks> #link
https://fedoraproject.org/wiki/Information_Security_Training
14:15:18 <Sparks> I don't think anyone has added any resources to this page,
yet, but please do.
14:15:31 <mhayden> can we add non-free stuff?
14:15:54 <Sparks> #info The Information Security Training page is available to
provide educational links to help people become more security literate.
14:16:08 <d-caf> Sparks: I had added some links regarding OWASP, but not much
more than that
14:16:23 <Sparks> mhayden: Ummm... I'd like to keep it all free if at all
possible. I want it to be easy access for people.
14:16:24 <linuxmodder> FST ?
14:16:43 <Sparks> mhayden: Books can be found at libraries but also can be
purchased so I think they are okay.
14:16:47 <d-caf> linuxmodder: FST = Fedora Security Team
14:17:14 <mhayden> Sparks: got it
14:17:22 <mhayden> i added a link for STIG's
14:17:32 <Sparks> mhayden: Perhaps we have a separate area for non-free stuff?
There are some good resources out there.
14:17:36 <Sparks> mhayden++
14:17:37 <zodbot> Sparks: Karma for mhayden changed to 3 (for the f23 release
cycle): https://badges.fedoraproject.org/tags/cookie/any
14:17:39 <mhayden> that would be good
14:17:49 <mhayden> i'd like to put a relevant SANS course in there
14:17:54 <mhayden> not free, but good knowledge there
14:17:58 <Sparks> true
14:18:02 <d-caf> mhayden: was just thinking about SANS
14:18:02 * mhayden chomps on his cookie
14:18:07 <jsmith> nom nom nom
14:18:15 <Sparks> Mmmm... cookies
14:18:16 <mhayden> also, what about RHT's relevant security course(s) as part
of the RHCA track?
14:18:20 <d-caf> mhayden: they do have free webinars, though often more
product pitches
14:18:20 * Sparks still hasn't had breakfast
14:18:30 <mhayden> oh their webinars make me cry
14:18:36 <Sparks> mhayden: That would probably be good to add.
14:18:51 <Sparks> mhayden: And, really, any other Linux security training
courses.
14:18:56 <Sparks> jsmith: moin
14:19:08 <d-caf> mhayden: I've seen an occasional good one like webbreachers
stuff
14:19:55 <d-caf> Might consider adding regional/local group links/section for
in person resources?
14:20:09 <d-caf> Local security focused meetups and such
14:20:42 <linuxmodder> Linux foundation has a few
14:20:46 <Sparks> d-caf: Yeah, that's a good idea, too.
14:20:50 <linuxmodder> more sysadmin ish but good
14:21:04 <linuxmodder> +1 for meetup idea
14:21:33 <d-caf> I know my area around DC is littered with them, i'll get some
of the better ones listed
14:22:10 <linuxmodder> d-caf, we are both in the same locale (have you been
to the new one on Tuesday in Adams Morgan? )
14:22:38 <Sparks> d-caf: You are in DC?
14:22:49 <d-caf> linuxmodder: No, hadn't heard of anything in Adams Morgan
14:23:05 <d-caf> Sparks: Outside in the Northern Virginia area
14:23:14 <Sparks> d-caf: I'm in Maryland
14:23:21 <linuxmodder> Tysons /Falls Church
14:23:27 <Sparks> Okay, let's move on to other things...
14:23:32 <d-caf> Don't go into DC that much (prefer to keep my commute under
30 minutes..)
14:23:37 <Sparks> #topic Apprenticeship
14:23:46 <Sparks> And here's the really fun stuff
14:23:56 <linuxmodder> d-caf, indeed metro sucks but some good meets there
14:23:59 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:24:20 <linuxmodder> will be looking to join
14:24:52 <linuxmodder> also anyone who has a minute this week looking to
finish an audit/review of security guide for -docs
14:25:01 <Sparks> linuxmodder: Sure
14:25:13 <Sparks> So, the Apprenticeship page has been established.
14:25:24 <Sparks> It needs to be fleshed out more, though.
14:25:35 <linuxmodder> mostly the deep dive selinux stuff while I've gotten
way better in the last few months some of it is still klingon to me
14:26:02 <Sparks> I'd like to have the Apprenticeship ready to go by 2016
14:26:14 <linuxmodder> can take a look this week Sparks wordpress and docs
work has got me in groove
14:26:33 <linuxmodder> what all still needs to be setup ?
14:27:07 <Sparks> Well, we need to figure out the framework, the work that
needs to be completed, and the certification process.
14:27:35 <d-caf> Are you going to set up formal "levels" of the FST?
14:27:53 <mhayden> level 9 dungeon master
14:28:04 <d-caf> mhayden: :-)
14:28:06 <Sparks> In the [U.S.] Navy we have PQSs that involve training and
OJT which is followed by some sort of certification board that meets to review
your paperwork and ask you questions. I think we should do something similar
to this.
14:28:09 <linuxmodder> lol
14:28:15 <mhayden> that's a bunch of acronyms ;)
14:28:18 <Sparks> mhayden: +1
14:28:29 <linuxmodder> +1
14:28:37 <mhayden> at my company, we use empty cups of coffee and grey hair to
figure out the levels of each security person :P
14:28:40 <d-caf> was thinking along the lines of apprentice/novice, normal
contributors, and then those that have gotten "certified" and handle embargo
stuff etc...
14:28:56 <Sparks> PQS == personnel qualification standards
14:29:04 <Sparks> OJT = on the job training
14:29:05 <mhayden> this gets tricky because Fedora doesn't legally exist as an
entity, right?
14:29:11 <mhayden> thanks, Sparks
14:29:35 <linuxmodder> possible to have a tie in with sayt rhca i'm sure
14:30:00 <d-caf> Would prefer to keep a path that is free as in beer for
people to work their way up
14:30:11 <Sparks> d-caf: +1
14:30:45 <d-caf> Though that doesn't excluce rhca as a possible alternative
path to meet requirements
14:30:57 <d-caf> excluce/exclude
14:31:10 <Sparks> Well, that's more of a sysadmin thing. We're trying to work
vulnerabilities.
14:32:33 <linuxmodder> make it a training path FOR rhca and the like then
14:33:00 <d-caf> So we need to come up with core "skills/experience" that a
candidate should have 1 or more of
14:33:06 <Sparks> Can I get some volunteers to help put the apprenticeship
together?
14:33:12 <Sparks> d-caf: Yes
14:33:16 <linuxmodder> donations (time or money always welcome) -- we train
you to be secure / safe with option to get rhca and the like (you pay for
cert )
14:33:18 <d-caf> Sparks: more than willing to hel
14:33:25 <linuxmodder> Sparks, count me in
14:33:35 <d-caf> hel/help
14:33:36 <Astradeus> Sparks: I can try
14:33:47 <Sparks> Okay, let's talk more about this on the list, then.
14:34:00 <d-caf> I've gone through enough certification process to have an idea
of what does or doesn't work
14:34:51 <Sparks> Okay, moving on
14:34:54 <Sparks> #topic Outstanding BZ Tickets
14:35:07 <Sparks> #info Thursday's numbers: Critical 0 (-1), Important 36
(-5), Moderate 424 (-30), Low 145 (-33), Total 605
14:35:19 <Sparks> #info Current tickets owned: 80
14:35:29 <Sparks> +Tickets by Priority----+-------+---------+
14:35:29 <Sparks> | Priority | Tickets | Owned | Unowned |
14:35:29 <Sparks> +-------------+---------+-------+---------+
14:35:29 <Sparks> | medium | 424 | 45 | 379 |
14:35:29 <Sparks> | low | 145 | 13 | 132 |
14:35:31 <Sparks> | high | 36 | 22 | 14 |
14:35:34 <Sparks> | unspecified | 1 | 0 | 1 |
14:35:36 <Sparks> +-------------+---------+-------+---------+
14:35:52 <Astradeus> uh, somebody did quite much work o_O
14:36:03 <Sparks> Does anyone have any questions?
14:36:17 * Sparks needs to figure out the "unspecified" ticket.
14:36:25 <d-caf> noticed some old fedora tickets got aged out
14:36:27 <linuxmodder> what is the unspec one about?
14:36:43 <linuxmodder> with 21 going eol i assume?
14:36:47 <Sparks> linuxmodder: It's likely a community ticket that got started
without a CVE
14:36:48 <d-caf> Sparks: probably another severity set but priority not
14:36:50 <mhayden> i think the unspec was an epel one
14:36:57 <mhayden> something w/RHEL 6
14:36:59 <mhayden> IIRC
14:37:09 <Sparks> d-caf: I thought we were going off of severity and not
priority
14:37:14 <linuxmodder> nice :(
14:37:22 <d-caf> Sparks: not sure if the scripts got updated
14:37:23 <Astradeus> oh. was thinking of the best, but yeah, i've seen the
aging-out too
14:37:26 <linuxmodder> c6.4 and c7.2 only none Fedora I use
14:37:30 <d-caf> and we didn't get a firm consensus
14:37:47 <Sparks> Yeah, the drop in tickets are likely from where F21 got
EOL'd.
14:38:02 * Sparks wonders how many of those tickets should have been moved
forward.
14:38:04 <linuxmodder> pardon the ignorance which scripts d-caf ?
14:38:25 <d-caf> The report scripts, and the links on the FST page
14:38:31 <linuxmodder> ah
14:39:03 <d-caf> at minimum I vote to have the scripts search on severity and
priority, or just move to severity only
14:39:10 <Sparks> linuxmodder: https://git.fedorahosted.org/cgit/fedora-security-team.git
14:39:44 <Sparks> d-caf: I think just severity as the priority might change
based on the priorities of the project but the severity shouldn't.
14:39:55 <Sparks> ...as that should be based off of the CVSS score.
14:40:01 <linuxmodder> what is the bar for priority ?
14:40:39 <d-caf> Sparks: true, but just in case someone misused the tags (as
there seemed to be some confusion even in our group to usage) it might be good
to trigger on priority as well to catch edge cases
14:40:45 <d-caf> since security is all about edge cases
14:40:53 <Sparks> linuxmodder: The priority is usually set, by the tools, to
whatever the severity is
14:41:12 <linuxmodder> which I don't see changing until EOL dates and since
next is not for what 11 months that would be good idea in my book
14:41:40 <Sparks> d-caf: I'm just not sure how you would categorize a ticket
that has mis-matched values
14:42:01 <linuxmodder> although we still run into the issue of user defined priority /
real world with that dcmorton
14:42:03 <linuxmodder> d-caf,
14:42:11 * Sparks is a dolt
14:42:29 <Sparks> d-caf: Okay, that table is specifically "by Priority" (as
indicated)
14:42:34 <Sparks> +Tickets by Severity-+-------+---------+
14:42:34 <Sparks> | Severity | Tickets | Owned | Unowned |
14:42:34 <Sparks> +----------+---------+-------+---------+
14:42:34 <Sparks> | medium | 424 | 45 | 379 |
14:42:34 <Sparks> | low | 145 | 13 | 132 |
14:42:36 <Sparks> | high | 37 | 22 | 15 |
14:42:39 <Sparks> +----------+---------+-------+---------+
14:42:41 <Sparks> There's the count by severity
14:42:44 <Sparks> Ugh
14:42:48 <linuxmodder> can we still flag for further info like other bugs in
that case tho ?
14:43:26 <d-caf> Yeah, so fine with both, but would update the search links on
FST page to also include something like:
14:43:31 * Sparks would like to see all unowned "high" cases picked up by next
week.
14:44:21 <d-caf> Sparks: noticed a few QEMU dropped this week, was going to
pick those up but wasn't on a browser I could safely log into FAS with
14:44:34 <linuxmodder> will look today on the high pri
14:44:47 <Sparks> Okay, with only a few minutes left...
14:45:04 <d-caf> Would like to update our Bugzilla links on the FST page to
pick up both high severity and priority when clicking on the respective
unowned links
14:45:05 <Sparks> #topic Open floor discussion/questions/comments
14:45:17 <Sparks> d-caf: Do it
14:45:28 <Sparks> Okay, does anyone have anything of general interest?
14:45:30 <d-caf> ok, will do
14:45:50 * Sparks is thinking about a DC meet up since there are so many
people around the area that could come.
14:46:13 * Sparks also wonders if we have the budget to fly mhayden in for
lunch
14:46:16 <d-caf> Sparks: like the idea, good pgp signing time as well ;-)
14:46:23 <Sparks> d-caf: +1
14:47:09 <mhayden> i always love the free roller coaster ride into Reagan!
14:47:17 * mhayden tightens the seatbelt
14:47:49 <d-caf> Everyone should get ShmooCon tickets and make it a meetup
and sec conference at the same time
14:47:57 <mhayden> that might not be a bad idea either
14:48:00 <d-caf> assuming they get their registration process up to speed
14:48:12 <d-caf> and we get enough lucky clicks
14:48:17 <Astradeus> did the online keysigning happen and i've just missed it?
14:48:37 * d-caf already got my ShmooCon ticket during the first round, luckily...
14:48:42 <d-caf> Astradeus: nope
14:48:43 <Sparks> ShmooCon++
14:48:57 <Sparks> I'm never fast enough to get tickets
14:49:16 <Sparks> Astradeus: No one showed up for it.
14:49:17 <d-caf> I've been lucky and gotten tickets every year since year 2
14:49:23 <Sparks> d-caf: Nice
14:49:30 <linuxmodder> +1 to key signing
14:49:41 <Sparks> zoglesby: ^^^
14:49:54 <Sparks> jsmith: I'm assuming you could come up as well?
14:50:21 <jsmith> Sparks: ACK!
14:50:49 <linuxmodder> Sparks, if you set one up and I miss it mentioned
I'm game
14:50:54 <jsmith> Sparks: (Assuming the timing and my employment situation
allows it)
14:52:03 <Astradeus> Sparks: sorry for missing it :/
14:52:23 <Sparks> #idea Host a FST DC Meet Up
14:52:54 <Sparks> Okay, does anyone have anything else?
14:53:18 <Sparks> You know, we could probably use the DC library for a meeting
spot for a FAD.
14:53:28 <Sparks> They have space like that available.
14:54:10 <Sparks> Okay, does anyone have anything else?
14:54:46 <d-caf> Nope
14:55:00 <d-caf> will get on the documentation in the next few days and grab tickets
14:55:03 <zoglesby> reading...
14:55:55 <zoglesby> I am in!
14:56:24 <jsmith> Sparks: I might have a lead on another location to meet as
well...
14:56:40 <zoglesby> We could also use my office
14:56:59 <zoglesby> They tend to be very nice about this kind of stuff
14:57:21 <d-caf> Ok, so apparently a lot more in this area than I knew...
14:57:37 <Sparks> d-caf: Yep, there are quite a few of us.
14:57:49 <Sparks> There's also the Red Hat space over in Tyson's
14:57:56 <d-caf> Sparks: I had assumed you were down in NC
14:58:02 <Sparks> d-caf: I used to be
14:58:12 <Sparks> d-caf: My heart still is.
14:58:14 <d-caf> Yeah, been by the Tyson's office
14:58:27 <d-caf> I used to live down there, still a TriLUG member
14:58:39 <zoglesby> My office is on 14th and New York, near lots of metro stops
14:59:15 <Sparks> d-caf: I do miss TriLUG
14:59:43 <Sparks> #action Sparks to create a FST 2016 FAD page and start
collecting info
15:00:02 <Sparks> Okay, any last minute thoughts before we run out of time
15:00:03 <Sparks> ?
15:00:09 <Sparks> s/minute/second
15:00:51 <Sparks> Okay, hearing none, we'll adjourn to #fedora-security-team
and continue ranting there.
15:00:51 <linuxmodder> Sparks, the MLK one ?
15:00:54 <Sparks> Thanks everyone!
15:00:56 <Sparks> linuxmodder: yes
15:01:04 <Sparks> linuxmodder: The one with the 3D printer! :)
15:01:06 <linuxmodder> if so I CAN easily help with that
15:01:09 <Sparks> #endmeeting
Fedora Security Team Report - 2015-12-03
by Major Hayden
  __          _
 / _| ___ __| | ___ _ __ __ _
| |_ / _ \/ _` |/ _ \| '__/ _` |   Fedora Security Team Report
|  _|  __/ (_| | (_) | | | (_| |   Report date: 2015-12-03 07:35:46.920166
|_|  \___|\__,_|\___/|_|  \__,_|   Data from: 2015-12-03
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      |     424 |    45 |     379 |
| low         |     145 |    13 |     132 |
| high        |      36 |    22 |      14 |
| unspecified |       1 |     0 |       1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      |     519 |    65 |     454 |
| ON_QA    |      47 |    11 |      36 |
| MODIFIED |      21 |     0 |      21 |
| ASSIGNED |      19 |     4 |      15 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   |     424 |    45 |     379 |
| low      |     145 |    13 |     132 |
| high     |      37 |    22 |      15 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| mingw-pcre    |      32 |     0 |      32 |
| mingw-libxml2 |      15 |     0 |      15 |
| glib2         |      13 |     0 |      13 |
| pcre          |      12 |     0 |      12 |
| nagios        |       9 |     9 |       0 |
| bugzilla      |       9 |     1 |       8 |
| qemu          |       8 |     2 |       6 |
| cacti         |       8 |     0 |       8 |
| kernel        |       7 |     0 |       7 |
| avr-binutils  |       6 |     0 |       6 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6            |     226 |    42 |     184 |
| 22             |     139 |     2 |     137 |
| 23             |     105 |    14 |      91 |
| el5            |      76 |    20 |      56 |
| epel7          |      52 |     2 |      50 |
| rawhide        |       8 |     0 |       8 |
+----------------+---------+-------+---------+
--
Major Hayden