Security Team meeting minutes for 2015-09-24
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:57 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-09-24/fedora_securit... .
Meeting summary
---------------
* Roll Call (Sparks, 14:01:02)
* LINK: https://lists.fedoraproject.org/pipermail/security-team/2015-September/00... (mhayden, 14:06:07)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:09:53)
* Follow up on last week's tasks (Sparks, 14:09:59)
* Outstanding BZ Tickets (Sparks, 14:12:01)
* Thursday's numbers: Critical 0 (0), Important 42 (-2), Moderate 409
(+7), Low 152 (-4), Total 603 (Sparks, 14:12:10)
* The recent BZ upgrade has broken my script so I'll need to get that
worked out OR I can just start using/relying on mhayden's script.
(Sparks, 14:12:42)
* IDEA: Use mhayden's script to create a dashboard and host it
somewhere (fedorapeople?) (Sparks, 14:16:54)
* IDEA: Somehow push information to fedmsg (Sparks, 14:17:18)
* LINK: https://github.com/major/fedora-meeting-report (mhayden,
14:17:57)
* LINK: https://github.com/major/fedora-meeting-report (Sparks,
14:18:06)
* ACTION: Sparks to add "issues" to fedora-meeting-report on github
(Sparks, 14:19:25)
* Handling embargoed issues (Sparks, 14:23:25)
* We now have security(a)fp.o going to security-private(a)l.fp.o and we
have a few people subscribed to security-private(a)l.fp.o. (Sparks,
14:24:19)
* FabioOlive started a discussion on security-team(a)l.fp.o regarding
moving the FST into a more proactive role of handling security bugs.
(Sparks, 14:25:33)
* 1,639 views on the fedoramag blog post about the security team
(mhayden, 14:26:54)
* It appears we *could* create a GPG key and put it on several
Yubikeys and hand those out. (Sparks, 14:27:17)
* ACTION: Sparks to talk with mattdm regarding private security
tickets in BZ. (Sparks, 14:38:19)
* Open floor discussion/questions/comments (Sparks, 14:51:06)
* https://sparkslinux.wordpress.com/?s=keysigning (Sparks, 14:57:00)
* ACTION: Sparks to start a discussion on the FST list regarding an
online video GPG key signing event. (Sparks, 14:57:51)
Meeting ended at 15:00:08 UTC.
Action Items
------------
* Sparks to add "issues" to fedora-meeting-report on github
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to start a discussion on the FST list regarding an online video
GPG key signing event.
Action Items, by person
-----------------------
* Sparks
* Sparks to add "issues" to fedora-meeting-report on github
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to start a discussion on the FST list regarding an online
video GPG key signing event.
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* Sparks (97)
* FabioOlive (24)
* mhayden (22)
* Astradeus (20)
* zodbot (5)
* threebean (3)
* d-caf (2)
* Southern_Gentlem (2)
* CRob (1)
14:00:57 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:57 <zodbot> Meeting started Thu Sep 24 14:00:57 2015 UTC. The chair is
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:57 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:01:00 <Sparks> #meetingname Fedora Security Team
14:01:00 <zodbot> The meeting name has been set to 'fedora_security_team'
14:01:02 <Sparks> #topic Roll Call
14:01:04 * Sparks
14:01:06 * d-caf
14:01:09 * Astradeus
14:02:50 * mhayden
14:03:19 <Sparks> Oh good, the BZ upgrade broke my script.
14:03:52 <Sparks> mhayden: Does your script still work?
14:04:00 * mhayden looks
14:04:08 <Sparks> mhayden: Mine is coming back as "2" for each category.
14:04:20 <Sparks> Oh which I'm assuming is incorrect.
14:04:33 <mhayden> sorry, forgot to send out the summary today
14:05:28 <mhayden> Sparks: sent to ML just now
14:05:32 <Sparks> TU
14:06:07 <mhayden> https://lists.fedoraproject.org/pipermail/security-team/2015-September/00...
14:07:53 <Sparks> Okay, the agenda has been updated.
14:09:53 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:09:59 <Sparks> #topic Follow up on last week's tasks
14:10:06 <Sparks> mhayden to work with Ryan to get the article published
14:10:19 <Sparks> mhayden: This happened. Anything you'd like to say here?
14:10:32 <mhayden> thanks for the help in getting that together, everyone
14:10:35 * mhayden will go check the stats
14:11:04 <Sparks> FabioOlive to write up a summary of the embargo discussion
and send it to the security team list.
14:11:23 <Sparks> This happened as well. I haven't responded, yet, but I have
some ideas.
14:11:52 * Sparks thinks FabioOlive is not feeling well this morning and won't
be joining us.
14:12:01 <Sparks> #topic Outstanding BZ Tickets
14:12:10 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 42 (-2),
Moderate 409 (+7), Low 152 (-4), Total 603
14:12:42 <Sparks> #info The recent BZ upgrade has broken my script so I'll
need to get that worked out OR I can just start using/relying on mhayden's
script.
14:13:01 <Sparks> Anyone have anything regarding BZ tickets?
14:13:05 <mhayden> i just merged in Astradeus' sqlite changes in github
14:13:48 <Astradeus> and i just verified that that version still works with
bugzilla
14:13:49 <Sparks> mhayden: I wonder how difficult it would be to use your script
to create a web "dashboard" with pretty charts and such.
14:13:51 <mhayden> i'll give it a test
14:14:09 <mhayden> Sparks: if we have a database accessible, not terribly
difficult
14:14:17 <mhayden> could even generate static html with it
14:14:20 <Sparks> We can still report basic numbers here but I've always
wanted something better.
14:14:42 <Sparks> mhayden: I'll happily help out but I'm not really sure how
to get from here to there.
14:15:31 <Sparks> mhayden: Maybe show how many FST members have how many
tickets and their trends (how many tickets have each FST member helped close,
etc).
14:16:04 <Sparks> mhayden: And it would be really nice if we could somehow
feed that kind of data into fedmsg
14:16:08 <mhayden> totally
14:16:21 <mhayden> i'd be glad to help but $dayjob is heating up for the next
1-2 months :/
14:16:41 <Astradeus> i'd have some time, but i'd need requests ;)
14:16:54 <Sparks> #idea Use mhayden's script to create a dashboard and host it
somewhere (fedorapeople?)
14:17:17 <threebean> where is this script?
14:17:18 <Sparks> #idea Somehow push information to fedmsg
14:17:32 <Sparks> mhayden: Should we just use github for devel?
14:17:43 <Sparks> mhayden: And, if so, could you post the URL?
14:17:57 <mhayden> https://github.com/major/fedora-meeting-report
14:17:58 <Astradeus> and i'd need someone to assist me a little bit with
fedora infrastructure
14:18:06 <Sparks> #link https://github.com/major/fedora-meeting-report
14:18:19 <Sparks> mhayden: What's it written in?
14:18:28 <mhayden> python
14:18:36 * Sparks goes to find his python book
14:18:58 * mhayden has his head in openstack all day ;)
14:18:59 <threebean> ty. FYI, we expect to have fedmsg messages from bugzilla
in early 2016 (like, January). but the date has been pushed back many times
now..
14:19:15 <mhayden> threebean: i will buy you a breakfast taco when that's
working :)
14:19:23 <mhayden> (that's like currency in south texas)
14:19:25 <Sparks> #action Sparks to add "issues" to fedora-meeting-report on
github
14:19:26 <threebean> I will totally eat it, mhayden.
14:20:05 <Sparks> threebean: That will be awesome when that happens.
14:21:57 <Sparks> Okay, anything else on this?
14:22:59 <d-caf> nope, I'm still slammed at work so not much progress
14:23:10 <Sparks> d-caf: Understood
14:23:18 * Sparks summons FabioOlive to the room
14:23:25 <Sparks> #topic Handling embargoed issues
14:23:33 <Sparks> Sorry, I just added this to the agenda
14:23:44 <FabioOlive> .fas fleite
14:23:44 <zodbot> FabioOlive: fleite 'Fabio Olive Leite'
<fabio.olive(a)gmail.com>
14:23:59 <FabioOlive> hmm that should have changed to fabio(a)olive.pro.br by
now
14:24:19 <Sparks> #info We now have security(a)fp.o going to
security-private(a)l.fp.o and we have a few people subscribed to
security-private(a)l.fp.o.
14:24:52 <Sparks> FabioOlive: https://admin.fedoraproject.org/accounts
14:25:33 <Sparks> #info FabioOlive started a discussion on
security-team(a)l.fp.o regarding moving the FST into a more proactive role of
handling security bugs.
14:25:47 <Sparks> Does anyone have anything they'd like to discuss regarding
that?
14:26:36 <FabioOlive> how do we manage a private key for encrypted reports?
14:26:48 <Sparks> FabioOlive: I spoke with bress the other day...
14:26:54 <mhayden> #info 1,639 views on the fedoramag blog post about the
security team
14:27:11 <Sparks> It appears we *could* create a GPG key and put it on several
Yubikeys and hand those out.
14:27:17 <Sparks> #info It appears we *could* create a GPG key and put it on
several Yubikeys and hand those out.
14:28:23 <Sparks> There would be a cost for the Yubikeys but, to me, that's
the best way to handle distributing keys.
14:29:06 <Sparks> s/best/better
14:29:19 <FabioOlive> that is interesting, considering there is a cost, do we
want to limit the participation in the private list?
14:29:27 <Sparks> There is likely a best way but it involves using
hard/software that's proprietary
14:29:35 <FabioOlive> like 3 or 4 people at most, and obviously without too
much turnover
14:29:48 <Sparks> That was my thought.
14:30:20 <Sparks> The responsibility of those people should be to open/manage
a BZ ticket that's "private" and use that to keep upstream and packagers
informed.
14:30:25 <Sparks> IMO
14:31:29 <FabioOlive> yeah. any ideas for how we handle the BZs? if we can't
have private BZs, do we want to have "empty" BZs or something?
14:32:12 <Sparks> I wonder if we *could* have private BZs in this case. We'd
end up making the entire ticket public at some point in the future. Is that
still bad?
14:32:17 <Sparks> mattdm: ^^^
14:32:27 * Sparks ponders who to talk with regarding that.
14:33:49 <Astradeus> what use do 'empty' BZs have?
14:35:00 <FabioOlive> yeah, they would just signal "a bug in component X", so
it would be dumb
14:35:27 <FabioOlive> and if we open an empty bug and later on fill it with
security stuff, it becomes obvious for the future "empty" bugs
14:35:46 <FabioOlive> sorry, I'm feeling particularly stupid today, been a bit
sick
14:36:06 <Sparks> I don't like that idea. We need a sane place to do work.
14:36:06 <Astradeus> so it would be for statistics?
14:36:20 <FabioOlive> yeah, forget I ever mentioned "empty" bugs
14:37:25 <Sparks> FabioOlive: I mean, it's an idea but I don't think it's very
useful for what I feel we need.
14:37:30 <FabioOlive> yeah
14:37:46 <Sparks> Okay, I'll talk with mattdm OOB and see what he thinks.
14:37:50 <Sparks> Anyone have anything else?
14:37:56 <Astradeus> anyone have an idea on the traffic on those security@-lists?
14:38:19 <Sparks> #action Sparks to talk with mattdm regarding private
security tickets in BZ.
14:38:32 <Sparks> Astradeus: What's the question?
14:38:52 <Astradeus> i mean if it's 4 embargo-worthy tickets a month i'd say
just keep it without a BZ-ticket until it is public
14:39:22 <Sparks> Astradeus: Well, how do we communicate, securely, with
upstream and the packager?
14:39:39 <Sparks> Astradeus: And if we don't then what's the purpose of
knowing about an embargoed issue ahead of time?
14:41:15 <FabioOlive> Sparks: can we use the private list only for getting the
notification and assigning a responsible FST member to deal with it? then this
FST member emails the maintainer privately, using their GPG key, and the
maintainer talks to the upstream project, privately, to obtain the fix?
14:41:30 <Astradeus> so the idea is that only a few people have the private
gpg key and have some means to distribute the issue to a bigger group
(=security team or something alike) if necessary?
14:41:48 <FabioOlive> so the security-private list would serve only as a
central point of contact and "dispatching" the work to the right maintainer
14:42:11 <FabioOlive> and maybe taking over the work in case of a
non-responsive maintainer
14:42:25 <Astradeus> more or less what FabioOlive said^^
14:42:27 <Sparks> FabioOlive: Assuming that's all possible...
14:42:56 <FabioOlive> yeah, I'm trying to think of the workflow, and then we
figure out the resources needed given the workflow
14:43:17 <Sparks> FabioOlive: Which is why I liked the idea of using BZ...
It's a fairly common, secure means of communicating with all parties involved.
14:43:26 <FabioOlive> the goal being that we can prepare a security update
during embargo in order to build and approve immediately after unembargo
14:43:55 <FabioOlive> Sparks: yeah, but can Fedora use private bugs? I don't
know that, my only use of BZ has been with my Red Hat credentials.
14:44:27 <Astradeus> Sparks: what stops us from getting the same method for
private tickets in BZ as the RH people?
14:44:37 <Sparks> FabioOlive: Assuming we can. I'm going to talk with mattdm
and then whomever he says I should talk with to get an answer on that.
14:44:55 <Sparks> Astradeus: Trust
14:45:18 <Astradeus> Sparks: so there is only one kind of private tickets?
14:45:46 <Sparks> Astradeus: Well, there are private and there are public.
The private tickets are private to a specific group.
14:46:16 <Sparks> Astradeus: Well, the specific group and whomever you add onto
that ticket.
14:47:39 <Astradeus> i thought of asking for a tickettype whose tickets are
private to e.g. the group "fedora-security"
14:48:00 <FabioOlive> yeah, we would need a fedora-security group in bugzilla,
and having the people in the private security list be on that group
14:48:13 <Sparks> Yes.
14:48:15 <Sparks> That
14:48:42 <Astradeus> but lets see, what new info we'll have next week :)
14:49:05 <Sparks> Okay, we'll carry this over to next week with a hopeful
update on the listserv.
14:49:05 <FabioOlive> :)
14:49:11 <Sparks> Anyone have anything else before we move on?
14:51:06 <Sparks> #topic Open floor discussion/questions/comments
14:51:12 <Sparks> Anyone have anything?
14:51:38 <Astradeus> is it interesting in any way that medium-severity-tickets
are growing?
14:51:52 <Sparks> Astradeus++ For his db work on mhayden's script
14:51:58 <Astradeus> thx :)
14:52:03 <Sparks> Astradeus++
14:52:05 <mhayden> Astradeus++
14:52:05 <zodbot> mhayden: Karma for astra changed to 2 (for the f22 release
cycle): https://badges.fedoraproject.org/tags/cookie/any
14:52:11 <mhayden> MACAROONS FOR EVERYONE
14:52:15 <Sparks> What the heck?
14:52:17 <Astradeus> oha :)
14:52:30 <mhayden> wut
14:52:39 <CRob> yum
14:52:41 <Sparks> Astradeus: Medium-severity tickets will always be growing.
14:53:01 <Sparks> Astradeus: We can attack them as soon as we get all the
Important ones out of the way. :)
14:53:45 * Sparks contemplates an online video GPG key signing event for FST
14:54:47 * Sparks notes no one took the bait
14:54:50 <Sparks> Okay then
14:55:08 <Astradeus> i did think about it in terms like "what is this" ^^
14:55:34 <FabioOlive> Sparks: like people gather in a videoconf and speak
their key fingerprints and people sign each others keys?
14:55:35 <Sparks> Astradeus: Ever participated in a key-signing event?
14:56:04 <Sparks> FabioOlive: I was thinking that if we all wrote them down
and provided ID then it would be like doing it face-to-face
14:56:39 <Astradeus> Sparks: yes, standard key signing
14:56:39 <FabioOlive> yeah, as long as we can confirm the fingerprints in a way
that is not easy to tamper with, like online video, maybe it will work :)
14:56:48 <Astradeus> never with video so far
14:56:52 * Sparks contemplates a blog post
14:57:00 <Sparks> #info https://sparkslinux.wordpress.com/?s=keysigning
14:57:11 <Sparks> Shameless plug
14:57:16 <FabioOlive> Sparks: let's try it out, wouldn't hurt
14:57:51 <Sparks> #action Sparks to start a discussion on the FST list
regarding an online video GPG key signing event.
14:57:58 <Sparks> Anyone have anything else?
14:57:59 <Southern_Gentlem> Sparks, as long as it's a live video of the person
14:58:05 <Sparks> Southern_Gentlem: Right
14:58:23 <FabioOlive> then show a piece of paper with the ID printed out and
spell it out
14:58:35 * Sparks figured putting something on his blog might yield someone's
input of why it wouldn't be a good idea
14:58:37 <FabioOlive> multiple redundant confirmations of the information that
would be hard to tamper with
14:58:52 <Southern_Gentlem> upload keys and everyone display their keys
14:59:23 <Sparks> Okay, anything else before we sign off for the day?
14:59:33 * Sparks notes there is another meeting starting imminently
15:00:05 <Sparks> Okay, thanks for coming out! See you all on the interwebz.
15:00:08 <Sparks> #endmeeting
Fedora Security Team Report - 2015-09-24
by Major Hayden
Fedora Security Team Report
Report date: 2015-09-24 09:04:42.961752
-------------------------------------------------------------------------------
+Tickets by Priority--+-------+---------+
| Priority    | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium      |   409 |    43 |     366 |
| low         |   152 |    14 |     138 |
| high        |    42 |    25 |      17 |
| unspecified |     4 |     0 |       4 |
+-------------+-------+-------+---------+
+Tickets by Status-+-------+---------+
| Status   | Count | Owned | Unowned |
+----------+-------+-------+---------+
| NEW      |   520 |    64 |     456 |
| ON_QA    |    51 |    12 |      39 |
| ASSIGNED |    23 |     6 |      17 |
| MODIFIED |    13 |     0 |      13 |
+----------+-------+-------+---------+
+Tickets by Severity--+-------+---------+
| Severity    | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium      |   409 |    43 |     366 |
| low         |   152 |    14 |     138 |
| high        |    44 |    25 |      19 |
| unspecified |     2 |     0 |       2 |
+-------------+-------+-------+---------+
+Tickets by Component+-------+---------+
| Component  | Count | Owned | Unowned |
+------------+-------+-------+---------+
| cacti      |    10 |     0 |      10 |
| bugzilla   |    10 |     0 |      10 |
| xen        |     9 |     0 |       9 |
| nagios     |     9 |     9 |       0 |
| qemu       |     8 |     4 |       4 |
| glibc      |     7 |     0 |       7 |
| quassel    |     7 |     0 |       7 |
| mingw-icu  |     7 |     0 |       7 |
| mingw-pcre |     6 |     0 |       6 |
+------------+-------+-------+---------+
+Tickets by Distro Version-------+---------+
| Distro Version | Count | Owned | Unowned |
+----------------+-------+-------+---------+
| el6            |   212 |    37 |     175 |
| 22             |   127 |     3 |     124 |
| 21             |   125 |     7 |     118 |
| el5            |    68 |    20 |      48 |
| epel7          |    35 |     4 |      31 |
| 23             |    33 |    11 |      22 |
| unspecified    |     3 |     0 |       3 |
| rawhide        |     3 |     0 |       3 |
| 6.6            |     1 |     0 |       1 |
+----------------+-------+-------+---------+
--
Major Hayden
Discussion about handling embargoes
by Fabio Olive Leite
Hello everyone,
On the last FST meeting I took the action item of summarizing to the
list the discussion about how we can handle embargoes and private
information about vulnerabilities being a 100% open project and only
having public build infrastructure. This is not simply an extract from
the logs, as it has some commentary, opinions, suggestions, and likely
also some mistakes, as it took me a few days to be able to come back to
this action item.
The Fedora Project, as an independent entity, has a Security Team of
its own, but the reality is that the majority of the work is reactive,
getting maintainers to update packages after vulnerabilities become
public, or handled by Red Hat Product Security engineers when packages
span both Fedora and RHEL. There is nothing wrong with Red Hat
engineers maintaining Fedora packages, but there should not be a
dependence on Red Hat people to perform the work.
The main question brought up in the meeting was: how can Fedora deal
with embargoed vulnerabilities and prepare updates in a timely fashion
if all of its infrastructure is public and open? How can Fedora have a
private team of trusted individuals to receive embargoed notifications
and prepare an update to be available after unembargo?
Clearly it must be possible to do so, since other community projects
such as Debian, Gentoo and the BSDs have also earned the trust of
companies and organizations and do get embargoed notifications of
vulnerabilities. The Fedora Security Team must organize the right
resources to make this happen as well.
Florian Weimer noted that it wasn't magical for Debian, they just set
up with the team, the processes and policies, hoping for the best. In
Debian the folks in the Security team are all Debian Developers, so
there is some level of trust. Maybe for Fedora we could go with a few
Proven Packagers?
Maybe what we need to do is come up with a policy stating how we deal
with embargoed information, form a team with 3-4 trusted individuals
that can receive embargoed information and subscribe them to the
security-private mailing list, and then try to win the trust of other
distros and vendors that we will do the right thing.
There was also the discussion of how much Fedora can benefit from
embargoed notifications. The answer seems to be "not much", but one
possibility is that, upon receiving the notification to the private
list, one of the members of the list gets in touch with the affected
package maintainer and helps them prepare a patched package that would
be submitted to the build system immediately after the embargo is
lifted. This would at least buy us several hours, and we may be able
to have updates out on the same day as the vulnerabilities go public.
On a later conversation with Sparks, we were also considering how
quickly we can push a security update through our mirrors system. It
wouldn't be much use to rush a security fix out to the master
repositories and have it take days to reach all the mirrors.
Would we need some kind of "security-updates" repository that would
only carry security fixes while they are fresh and not mirrored
everywhere else? Maybe a small centralized repository would not need
to handle too much load, if it only contains security fixes for a small
period of time while they are still being copied to the other mirrors.
Let's discuss this on the list and see what the next actions on this
effort are.
Cheers!
--
Fábio Olivé --- Be better today than you were yesterday.
PGP: F1C1 1876 3922 1906 6631 0C31 92A5 9276 250D 8380
Security Team meeting minutes from 2015-09-17
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:48 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-09-17/fedora_securit... .
Meeting summary
---------------
* Roll Call (Sparks, 14:00:58)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:04:51)
* Major's article (Sparks, 14:05:02)
* LINK: http://i.imgur.com/reMiI9p.png (Sparks, 14:05:15)
* ACTION: mhayden to work with Ryan to get the article published
(Sparks, 14:11:31)
* AGREED: The article is ready to go. (Sparks, 14:11:41)
* security@ email address (Sparks, 14:11:55)
* security(a)fp.o redirects to security-private(a)l.fp.o (Sparks,
14:12:12)
* Right now embargoed issues typically get reported to Red Hat Product
Security. Those issues get worked on internally and then
information flows to Fedora once the embargo is lifted/expires.
(Sparks, 14:30:05)
* LINK: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7188 <--
embargo example (mhayden, 14:31:03)
* IDEA: We establish a trusted relationship with Red Hat to get
embargo notice on Fedora-only shipped packages. (Sparks, 14:41:34)
* ACTION: FabioOlive to write up a summary of the embargo discussion
and send it to the security team list. (Sparks, 14:47:37)
* LINK: https://fedoraproject.org/wiki/Legal:Main#Legal (d-caf,
14:48:13)
* LINK: https://www.redhat.com/en/technologies/linux-platforms/articles/relations... (d-caf, 14:48:22)
* Outstanding BZ Tickets (Sparks, 14:50:42)
* Thursday's numbers: Critical 0 (0), Important 44 (+5), Moderate 402
(0), Low 156 (0), Total 558 (Sparks, 14:50:47)
* Current tickets owned: 82 (~15%) (Sparks, 14:50:51)
* Tickets closed: 372 (0) (Sparks, 14:50:58)
* Open floor discussion/questions/comments (Sparks, 14:53:30)
Meeting ended at 14:59:50 UTC.
Action Items
------------
* mhayden to work with Ryan to get the article published
* FabioOlive to write up a summary of the embargo discussion and send it
to the security team list.
Action Items, by person
-----------------------
* FabioOlive
* FabioOlive to write up a summary of the embargo discussion and send
it to the security team list.
* mhayden
* mhayden to work with Ryan to get the article published
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* Sparks (91)
* mhayden (38)
* d-caf (32)
* FabioOlive (18)
* fweimer (12)
* Astradeus (11)
* zodbot (6)
* bress (4)
* zoglesby (3)
* pjones (1)
Generated by `MeetBot`_ 0.1.4
.. _`MeetBot`: http://wiki.debian.org/MeetBot
Fedora Security Team Report - 2015-09-17
by Major Hayden
Fedora Security Team Report
Report date: 2015-09-17 08:46:09.070521
-------------------------------------------------------------------------------
+Tickets by Priority--+-------+---------+
| Priority    | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium      |   406 |    43 |     363 |
| low         |   156 |    14 |     142 |
| high        |    44 |    25 |      19 |
| unspecified |     4 |     0 |       4 |
+-------------+-------+-------+---------+
+Tickets by Status-+-------+---------+
| Status   | Count | Owned | Unowned |
+----------+-------+-------+---------+
| NEW      |   521 |    71 |     450 |
| ON_QA    |    52 |     5 |      47 |
| ASSIGNED |    24 |     6 |      18 |
| MODIFIED |    13 |     0 |      13 |
+----------+-------+-------+---------+
+Tickets by Severity--+-------+---------+
| Severity    | Count | Owned | Unowned |
+-------------+-------+-------+---------+
| medium      |   406 |    43 |     363 |
| low         |   156 |    14 |     142 |
| high        |    46 |    25 |      21 |
| unspecified |     2 |     0 |       2 |
+-------------+-------+-------+---------+
+Tickets by Component--+-------+---------+
| Component    | Count | Owned | Unowned |
+--------------+-------+-------+---------+
| qemu         |    11 |     4 |       7 |
| cacti        |    10 |     0 |      10 |
| bugzilla     |    10 |     0 |      10 |
| nagios       |     9 |     9 |       0 |
| xen          |     8 |     0 |       8 |
| glibc        |     7 |     0 |       7 |
| quassel      |     7 |     0 |       7 |
| mingw-icu    |     7 |     0 |       7 |
| avr-binutils |     6 |     0 |       6 |
+--------------+-------+-------+---------+
+Tickets by Distro Version-------+---------+
| Distro Version | Count | Owned | Unowned |
+----------------+-------+-------+---------+
| el6            |   210 |    37 |     173 |
| 22             |   130 |     3 |     127 |
| 21             |   126 |     7 |     119 |
| el5            |    67 |    20 |      47 |
| epel7          |    37 |     4 |      33 |
| 23             |    33 |    11 |      22 |
| unspecified    |     3 |     0 |       3 |
| rawhide        |     3 |     0 |       3 |
| 6.6            |     1 |     0 |       1 |
+----------------+-------+-------+---------+
--
Major Hayden