Security Team meeting minutes for 2016-03-31
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:03 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-03-31/fedora_securi...
.
Meeting summary
---------------
* Roll Call (Sparks, 14:00:09)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better" (Sparks, 14:08:12)
* Follow up on last week's tasks (Sparks, 14:08:38)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over) (Sparks, 14:09:01)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs (carried over) (Sparks, 14:09:11)
  * ACTION: pjp and d-caf to work on the feature requests for Koji and
    Bodhi for private builds for embargoed vulnerabilities. (Sparks,
    14:10:05)
  * ACTION: Sparks to contact gd to see if he is working on a patch for
    samba in Fedora. (Sparks, 14:10:14)
* Apprenticeship (Sparks, 14:10:38)
  * zoglesby sent a message to the list regarding Apprenticeship
    training (Sparks, 14:10:58)
  * LINK:
    https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
    (Sparks, 14:11:05)
  * Tummala Dhanvi UTC+5:30, CommOps,Docs,Security,* (c0mrad3,
    14:12:55)
  * ACTION: everyone read the security docs (zoglesby, 14:14:11)
* Outstanding BZ Tickets (Sparks, 14:17:27)
  * Thursday's numbers: Critical 0 (0), Important 67 (0), Moderate 485
    (0), Low 171 (+2), Total 723 (Sparks, 14:17:34)
* Open floor discussion/questions/comments (Sparks, 14:26:06)
  * d-caf will mentor c0mrad3 (Sparks, 14:30:34)
  * zoglesby will mentor Astradeus (Sparks, 14:31:08)
Meeting ended at 14:34:08 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
  over)
* Sparks to figure out how FST members can get access to Fedora security
  bugs (carried over)
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
  private builds for embargoed vulnerabilities.
* Sparks to contact gd to see if he is working on a patch for samba in
  Fedora.
* everyone read the security docs
Action Items, by person
-----------------------
* d-caf
  * pjp and d-caf to work on the feature requests for Koji and Bodhi for
    private builds for embargoed vulnerabilities.
* Sparks
  * Sparks to figure out how FST members can get access to Fedora
    security bugs (carried over)
  * Sparks to contact gd to see if he is working on a patch for samba in
    Fedora.
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)
  * everyone read the security docs
People Present (lines said)
---------------------------
* Sparks (60)
* d-caf (19)
* c0mrad3 (16)
* zoglesby (13)
* zodbot (6)
* Astradeus (4)
* mhayden (3)
14:00:03 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:03 <zodbot> Meeting started Thu Mar 31 14:00:03 2016 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:03 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:03 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_t...'
14:00:06 <Sparks> #meetingname Fedora Security Team
14:00:06 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:09 <Sparks> #topic Roll Call
14:00:10 * Sparks
14:00:20 * d-caf
14:01:10 * mhayden woots
14:03:06 <Sparks> zoglesby jsmith: Good morning!
14:03:42 <zoglesby> yeah, yeah. I am here
14:06:08 * Sparks gives everyone a few more minutes to arrive
14:06:13 <Astradeus> hi :)
14:06:43 <d-caf> Astradeus: HI!!
14:07:58 <Sparks> Astradeus: Welcome
14:08:06 <Sparks> Okay, lets get started
14:08:12 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:08:29 <Sparks> #chair d-caf mhayden zoglesby Astradeus
14:08:29 <zodbot> Current chairs: Astradeus Sparks d-caf mhayden zoglesby
14:08:38 <Sparks> #topic Follow up on last week's tasks
14:08:50 * Sparks notes pjp isn't here today
14:09:01 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over)
14:09:11 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs (carried over)
14:09:28 <Sparks> d-caf: Did you work on the Koji and Bodhi private builds topic?
14:09:47 <d-caf> Sparks: No was out traveling all last week, so getting ramped back up this week, sorry
14:09:56 <Sparks> no problem
14:10:05 <Sparks> #action pjp and d-caf to work on the feature requests for Koji and Bodhi for private builds for embargoed vulnerabilities.
14:10:14 <Sparks> #action Sparks to contact gd to see if he is working on a patch for samba in Fedora.
14:10:33 <Sparks> Okay, that's all from last week... I think we got one things marked off.
14:10:38 <Sparks> #topic Apprenticeship
14:10:58 <Sparks> #info zoglesby sent a message to the list regarding Apprenticeship training
14:11:05 <Sparks> #link https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
14:11:06 <zoglesby> I did that!
14:11:14 <Sparks> zoglesby: Would you like to lead this discussion?
14:11:38 <zoglesby> no, I think I said in the email we don't need to talk about it here :)
14:11:40 <d-caf> zoglesby: thanks, helped prod me to remember to add two more training links I found (adde this morning)
14:11:57 * c0mrad3 hi guys
14:12:01 <zoglesby> but really, please read the docs and reply to the list what you think are good for entry level security folks
14:12:53 <zoglesby> We don't want to make the list to large, so once we have a list of stuff we may need to make it shorter, but we need to start with something before we can do that
14:12:55 <c0mrad3> #info Tummala Dhanvi UTC+5:30, CommOps,Docs,Security,*
14:12:56 <d-caf> speaking of apprentiship, welcome c0mrad3 who mentioned wanting to join the apprentiship
14:13:12 <c0mrad3> yes :)
14:13:41 <zoglesby> Sparks: that is all I have for this topic
14:13:53 <Sparks> zoglesby: I actually had a dream that we finished doing this.
14:14:11 <zoglesby> #action everyone read the security docs
14:14:15 <mhayden> the list there in the wiki is quite comprehensive
14:14:24 <c0mrad3> what about the reading material for apprentiship
14:14:24 <Sparks> Okay, so I'll reply to the list and lets see if we can get this done before the next meeting
14:14:43 <c0mrad3> I think I have seen an email about the same
14:15:00 <zoglesby> mhayden: yep, that is the issue. We need a smaller list. We don't want to cause information overload
14:15:10 <Sparks> c0mrad3: Yeah, that's what we're talking about... the email. :)
14:15:17 <mhayden> perhaps we break it up into experience/maturity level?
14:15:39 <zoglesby> that is the plan, but we wanted to start with lowest level first
14:15:40 <d-caf> c0mrad3: There is a page here #link
14:15:45 <Sparks> mhayden: Yeah, we need to pull from that list what we think would be important for an apprentise to know
14:15:52 <d-caf> c0mrad3: There is a page here #link https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Reading
14:16:17 <d-caf> that we are building for apprentiship, feel free to take a look and add any commentes to the email list on your take comming in fresh
14:16:30 <c0mrad3> sure d-caf
14:16:54 <Sparks> Okay, lets move on
14:16:59 <d-caf> but mostly we need to find some focused security training from this page that's good for new people in security (there is a lot there) #link https://fedoraproject.org/wiki/Information_Security_Training
14:17:20 * Sparks skips the discussion regarding handling embargoed vulnerabilities for now
14:17:27 <Sparks> #topic Outstanding BZ Tickets
14:17:34 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 67 (0), Moderate 485 (0), Low 171 (+2), Total 723
14:17:41 <Sparks> +Tickets by Severity-+-------+---------+
14:17:41 <Sparks> | Severity | Tickets | Owned | Unowned |
14:17:42 <Sparks> +----------+---------+-------+---------+
14:17:42 <Sparks> | medium | 485 | 40 | 445 |
14:17:42 <Sparks> | low | 171 | 13 | 158 |
14:17:43 <Sparks> | high | 67 | 30 | 37 |
14:17:46 <Sparks> +----------+---------+-------+---------+
14:18:11 <Sparks> Would someone like to start poking through the highs and see if we can mark any of them an easy fix?
14:18:22 <Sparks> easy fix == upstream has already released a fix
14:18:41 <d-caf> I've been working a few tickets the last two weeks, finally have movement and resolution on git and latex2rtf
14:19:09 <Sparks> woot!
14:19:12 <Sparks> d-caf++
14:19:13 <c0mrad3> I think git 1.8 have fixed a vuln
14:19:23 <Sparks> grr
14:19:46 <d-caf> d-caf vs dcafaro... I have to many handles...
14:20:20 <d-caf> Git is now 2.5.5 in fc23
14:20:21 <c0mrad3> dcafaro++
14:20:21 <zodbot> c0mrad3: Karma for dcafaro changed to 2 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:20:33 <Sparks> Yeah, that one.
14:20:35 <d-caf> fc22 also got an update
14:20:46 <Sparks> d-caf: You should really put your IRC nick into FAS. :)
14:21:20 <c0mrad3> correction git 2.8! had fixed a vuln which is introduced in 2.7
14:21:20 <d-caf> Oh, yeah, that's probably a good idea :-)
14:21:45 <d-caf> v2.8 is FC24 and rawhide
14:22:00 <c0mrad3> or Sparks you can type his old handle like me :)
14:22:03 <d-caf> but patches are back ported to older versions for stability purposes when security
14:22:17 * c0mrad3 new to all these
14:25:27 <Sparks> Anything else regarding vulnerabilities?
14:26:06 <Sparks> #topic Open floor discussion/questions/comments
14:26:16 <Sparks> Anyone have anything?
14:27:01 <c0mrad3> !
14:27:12 <Sparks> c0mrad3: Go
14:27:37 <c0mrad3> Can some one mentor me for the first few bugs so that I get used to the work cycle of the team ?
14:27:54 <Astradeus> same request here :)
14:28:31 <Sparks> zoglesby: I believe you were the one that figured out what a mentor is...
14:29:19 <d-caf> I am willing to help try and mentor through a but or to, hit me up on email. But i've got to head off to another meeting now
14:29:21 <Astradeus> i'd just like to follow the path one takes to close a bug - i think i can manage my own way from there
14:29:26 <d-caf> but/bug...
14:29:56 <Sparks> d-caf: Why don't you take c0mrad3
14:30:07 <Sparks> Astradeus: Either zoglesby or I will help you.
14:30:14 <Astradeus> thanks :)
14:30:24 <c0mrad3> cool
14:30:28 <d-caf> Sparks: sure c0mrad3 email me
14:30:34 <Sparks> #info d-caf will mentor c0mrad3
14:30:36 <zoglesby> sorry, was talking to someone else.
14:30:43 <zoglesby> That works for me
14:30:50 <Sparks> zoglesby: Do you want to mentor Astradeus?
14:31:04 <zoglesby> Sure, why not
14:31:08 <Sparks> #info zoglesby will mentor Astradeus
14:31:10 <Sparks> Great!
14:31:20 <Sparks> Okay, anyone have anything else?
14:31:46 <c0mrad3> zoglesby: I will ping you also if I am struck somewhere
14:32:34 <zoglesby> c0mrad3: talk to d-caf first. He is going to mentor you, but feel free to reach out to me, or anyone else if he can't help for any reason
14:33:05 <c0mrad3> sure zoglesby, I will make sure I will ping d-caf first
14:33:08 <Sparks> If no one has anything else they wish to discuss, we'll close for the day (and I'll have a few minutes to catch up before my next meeting)
14:34:05 <Sparks> Okay, thanks everyone for coming out today.
14:34:08 <Sparks> #endmeeting
Fedora Security Team Report - 2016-03-31
by Major Hayden
  __          _
 / _| ___  __| | ___  _ __ __ _
| |_ / _ \/ _` |/ _ \| '__/ _` |   Fedora Security Team Report
|  _|  __/ (_| | (_) | | | (_| |   Report date: 2016-03-31 08:48:47.093416
|_|  \___|\__,_|\___/|_|  \__,_|   Data from: 2016-03-31
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      |     485 |    40 |     445 |
| low         |     171 |    13 |     158 |
| high        |      64 |    28 |      36 |
| unspecified |       3 |     2 |       1 |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      |     635 |    71 |     564 |
| ON_QA    |      48 |     4 |      44 |
| ASSIGNED |      23 |     6 |      17 |
| MODIFIED |      17 |     2 |      15 |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   |     485 |    40 |     445 |
| low      |     171 |    13 |     158 |
| high     |      67 |    30 |      37 |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| cacti         |      13 |     0 |      13 |
| mingw-jasper  |      12 |     0 |      12 |
| glib2         |      12 |     0 |      12 |
| jasper        |      12 |     0 |      12 |
| kernel        |      11 |     0 |      11 |
| bugzilla      |      11 |     1 |      10 |
| mingw-libxml2 |      10 |     0 |      10 |
| qemu          |       9 |     4 |       5 |
| libxml2       |       9 |     0 |       9 |
| moodle        |       8 |     1 |       7 |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6            |     257 |    40 |     217 |
| 23             |     212 |    16 |     196 |
| 22             |     107 |     1 |     106 |
| el5            |      86 |    23 |      63 |
| epel7          |      54 |     3 |      51 |
| 24             |       3 |     0 |       3 |
| rawhide        |       3 |     0 |       3 |
| 21             |       1 |     0 |       1 |
+----------------+---------+-------+---------+
--
Major Hayden
Interested in joining Security Team Apprenticeship
by Tummala Dhanvi
Hello everyone,
* I am Tummala Dhanvi (call me Dhanvi) and c0mrad3 is my pseudonym and
my IRC nick; FAS ID is "Dhanvi"
* GPG key fingerprint 39A7 A551 C684 60E7 1EE6 5CE3 FFDC 0CE9 64FD
54D3; please find my key attached.
* My interests include participating[0] in CTFs and contributing to
FREEdom software.
* I would like to join the Fedora Security Team because I would like
to combine both my interests of cyber security and free software.
You can find more details about me in the Fedora wiki user page[1]. I
am looking forward to joining the team and contributing to Fedora.
[0]https://ctftime.org/user/4312
[1]https://fedoraproject.org/wiki/User:Dhanvi
--
Regards
Tummala Dhanvi
https://www.dhanvi.org
"Only thing that can never be 'RE-CYCLED' is 'WASTED TIME' ".
Fedora Security Team Meeting minutes for 2016-03-24
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:05:20 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-03-24/fedora_securi...
.
Meeting summary
---------------
* Roll Call (Sparks, 14:05:26)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better" (Sparks, 14:10:54)
* Follow up on last week's tasks (Sparks, 14:11:09)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over) (Sparks, 14:11:40)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs (carried over) (Sparks, 14:11:49)
  * ACTION: pjp and d-caf to work on the feature requests for Koji and
    Bodhi for private builds for embargoed vulnerabilities. (Sparks,
    14:12:08)
  * ACTION: zoglesby to take the Apprenticeship discussion to the list
    for further development (Sparks, 14:13:31)
* Apprenticeship (Sparks, 14:13:38)
  * LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship
    (Sparks, 14:14:13)
* Handling embargoed vulnerabilities (Sparks, 14:16:45)
  * The management in Red Hat Product Security is investigating our
    ability to work closer with them. (Sparks, 14:18:02)
* Outstanding BZ Tickets (Sparks, 14:23:24)
  * Thursday's numbers: Critical 0 (0), Important 67 (+13), Moderate 485
    (+11), Low 169 (-18), Total 721 (Sparks, 14:23:32)
  * ACTION: Sparks to contact gd to see if he is working on a patch for
    Fedora. (Sparks, 14:29:21)
* Open floor discussion/questions/comments (Sparks, 14:30:33)
Meeting ended at 14:33:47 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
  over)
* Sparks to figure out how FST members can get access to Fedora security
  bugs (carried over)
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
  private builds for embargoed vulnerabilities.
* zoglesby to take the Apprenticeship discussion to the list for further
  development
* Sparks to contact gd to see if he is working on a patch for Fedora.
Action Items, by person
-----------------------
* Sparks
  * Sparks to figure out how FST members can get access to Fedora
    security bugs (carried over)
  * Sparks to contact gd to see if he is working on a patch for Fedora.
* zoglesby
  * zoglesby to take the Apprenticeship discussion to the list for
    further development
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)
  * pjp and d-caf to work on the feature requests for Koji and Bodhi for
    private builds for embargoed vulnerabilities.
People Present (lines said)
---------------------------
* Sparks (63)
* zoglesby (18)
* linuxmodder (16)
* zodbot (7)
* Southern_Gentlem (1)
14:05:20 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:05:20 <zodbot> Meeting started Thu Mar 24 14:05:20 2016 UTC. The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:05:20 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:05:20 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_t...'
14:05:21 <zoglesby> tick tock
14:05:23 <Sparks> #meetingname Fedora Security Team
14:05:23 <zodbot> The meeting name has been set to 'fedora_security_team'
14:05:26 <Sparks> #topic Roll Call
14:05:37 * Sparks
14:05:46 * zoglesby
14:06:39 * Sparks puts the final touches on the agenda for today
14:10:07 <Sparks> Okay, this promises to be a short meeting...
14:10:08 * linuxmodder
14:10:15 <zoglesby> not anymore
14:10:25 <linuxmodder> huh
14:10:43 <Sparks> Okay, lets get going
14:10:50 <linuxmodder> why not zoglesby
14:10:54 <Sparks> #info Participants are reminded to make liberal use of
#info #link #help in order to make the minutes "more better"
14:11:01 <Sparks> linuxmodder: Cause you're here
14:11:09 <Sparks> #topic Follow up on last week's tasks
14:11:12 <linuxmodder> what did dI do
14:11:23 * Sparks notes pjp is not here today and will just continue his
actions
14:11:40 <Sparks> #action pjp to give a status update on security policy
in the wiki (carried over)
14:11:49 <Sparks> #action Sparks to figure out how FST members can get
access to Fedora security bugs (carried over)
14:12:08 <Sparks> #action pjp and d-caf to work on the feature requests
for Koji and Bodhi for private builds for embargoed vulnerabilities.
14:12:24 <Sparks> zoglesby: Did you ever bring up the Apprenticeship on
the list?
14:13:09 <zoglesby> nope, forgot until your ping, please move that to
this week as well
14:13:31 <Sparks> #action zoglesby to take the Apprenticeship discussion
to the list for further development
14:13:38 <Sparks> #topic Apprenticeship
14:14:00 <Sparks> There are a few more links that need to be populated
on the Apprenticeship page
14:14:13 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:15:13 <Sparks> Anyone have any thing to discuss for this topic?
14:16:26 <zoglesby> nope, only that it needs done
14:16:32 <Sparks> Okay, moving on
14:16:45 <Sparks> #topic Handling embargoed vulnerabilities
14:18:02 <Sparks> #info The management in Red Hat Product Security is
investigating our ability to work closer with them.
14:18:16 <Sparks> I don't really have anything more than that.
14:18:29 * Sparks is waiting for pjp and d-caf to start their parts
14:18:43 <zoglesby> As in pre us doing what we need to or after we do
FAD items?
14:18:43 <Sparks> Anyone have anything else?
14:19:59 <Sparks> No, overall
14:21:17 <Sparks> It's annoying as everyone seems to have a different
idea of what we should have.
14:21:51 <zoglesby> well, if they have ideas they need to share them with us
14:21:51 <linuxmodder> what is the general concensus then
14:22:01 <Sparks> linuxmodder: There is none
14:22:14 <Sparks> zoglesby: I'm trying to figure out what ideas they
might have...
14:22:19 <zoglesby> tell them
fedora-security-team(a)lists.fedoraproject.org, not sparks(a)redhat.com
14:22:34 <Sparks> zoglesby: +1
14:23:01 <linuxmodder> noted
14:23:08 <Sparks> Okay, moving along...
14:23:24 <Sparks> #topic Outstanding BZ Tickets
14:23:24 <linuxmodder> but they may think its gonna get sparked off
with the late r:)
14:23:32 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 67
(+13), Moderate 485 (+11), Low 169 (-18), Total 721
14:23:38 <Sparks> +Tickets by Severity-+-------+---------+
14:23:38 <Sparks> | Severity | Tickets | Owned | Unowned |
14:23:38 <Sparks> +----------+---------+-------+---------+
14:23:38 <Sparks> | medium | 485 | 40 | 445 |
14:23:38 <Sparks> | low | 169 | 13 | 156 |
14:23:40 <Sparks> | high | 67 | 30 | 37 |
14:23:43 <Sparks> +----------+---------+-------+---------+
14:23:51 <Sparks> We appear to be letting these highs get away from us,
again...
14:24:07 <linuxmodder> where is that new embargoed one expected to
drop into?
14:24:39 <Sparks> linuxmodder: The samba one?
14:25:04 <linuxmodder> think so the one we were talkign loosely about
yesterday / early this am
14:25:11 <zoglesby> by the website it is a crit
14:25:16 <linuxmodder> with the suspenseful teasers
14:25:23 <Sparks> Ummm.. I don't have it up at the moment. Sometime in
April.
14:25:41 <zoglesby> april 12th
14:25:44 <Sparks> The 12th I think (patch Tuesday)
14:25:44 <linuxmodder> ick we were doing so well on no crits
14:26:12 <Sparks> linuxmodder: This may be already getting fixed for
Fedora; I'll need to check.
14:26:14 <linuxmodder> anywhere I might be able to school up in in its
current embargoed state? or shadow someone
14:26:29 <linuxmodder> get the feet wet persay
14:26:30 <Sparks> But we'll have another race to the finish line when it
comes out.
14:26:59 <zoglesby> (I read it wrong, the website says it is a "crucial
security bug")
14:27:33 <Sparks> What's the CVE?
14:27:42 <Sparks> nevermind
14:27:49 <zoglesby> I don't remember
14:28:09 <zoglesby> CVE-2016-2118
14:28:14 <Sparks> It's rated as Important
14:28:21 <zoglesby> but I don't think its important for this meeting
14:28:41 <Sparks> .whoowns samba
14:28:41 <zodbot> Sparks: gd
14:28:50 <Sparks> .fasinfo gd
14:28:52 <zodbot> Sparks: User: gd, Name: Guenther Deschner, email:
gdeschner(a)redhat.com, Creation: 2007-05-03, IRC Nick: gd, Timezone:
Europe/Berlin, Locale: en, GPG key ID: 8EE11688, Status: active
14:28:55 <zodbot> Sparks: Approved Groups: fedorabugs cla_fedora
cla_done packager cla_redhat gitding-libs @gitgss-proxy
14:29:21 <Sparks> #action Sparks to contact gd to see if he is working
on a patch for Fedora.
14:29:45 <Sparks> Anything else?
14:30:02 <linuxmodder> nfm
14:30:24 <zoglesby> no
14:30:33 <Sparks> #topic Open floor discussion/questions/comments
14:30:44 <Sparks> Okay, anything from anyone about anything?
14:30:47 <zoglesby> I have nothing more for today
14:31:57 <Sparks> linuxmodder: ???
14:32:02 <Southern_Gentlem> Sparks study for your Extra at SELF
14:32:17 <Sparks> Southern_Gentlem: de WG3K
14:32:28 <linuxmodder> nothing from me
14:32:46 <zoglesby> Sparks: are you going to SELF?
14:32:48 * linuxmodder needs to study for that period :)
14:32:59 <Sparks> I hadn't really considered going... I could
14:33:05 <zoglesby> err, this is not meeting topic
14:33:32 <Sparks> Okay, let's move this discussion to #fedora-security-team
14:33:39 <Sparks> Southern_Gentlem: Please join us there!
14:33:43 <Sparks> Thanks all
14:33:47 <Sparks> #endmeeting
Security Team Meeting Minutes for 2016-03-17
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:05:58 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-03-17/fedora_securi...
.
Meeting summary
---------------
* Roll Call (Sparks, 14:06:06)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better" (Sparks, 14:10:17)
* Fedora Security Team FAD (Sparks, 14:10:23)
  * Sparks wrote up zoglesby's notes on the FAD (Sparks, 14:10:44)
  * LINK:
    https://sparkslinux.wordpress.com/2016/03/16/security-team-post-fad-notes/
    (Sparks, 14:10:49)
  * We'd like private builds in Koji and private staging in Bodhi
    (Sparks, 14:16:31)
  * Sparks would like to see some fail-safe in Bodhi that wouldn't allow
    the package to be shipped before the embargo has expired. (Sparks,
    14:17:02)
  * dgilmore notes that the feature requests are possible but it'll take
    human resources that currently haven't stepped up. (Sparks,
    14:19:51)
  * ACTION: pjp and d-caf to work on the feature requests for Koji and
    Bodhi for private builds for embargoed vulnerabilities. (Sparks,
    14:30:33)
* Outstanding BZ Tickets (Sparks, 14:31:48)
* Apprenticeship (Sparks, 14:41:04)
  * LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship
    (Sparks, 14:41:24)
  * There are documentation opportunities if someone wants to do
    something (Sparks, 14:42:41)
  * ACTION: zoglesby to take the Apprenticeship discussion to the list
    for further development (Sparks, 14:45:46)
* Open floor discussion/questions/comments (Sparks, 14:46:12)
Meeting ended at 14:48:56 UTC.
Action Items
------------
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
  private builds for embargoed vulnerabilities.
* zoglesby to take the Apprenticeship discussion to the list for further
  development
Action Items, by person
-----------------------
* d-caf
  * pjp and d-caf to work on the feature requests for Koji and Bodhi for
    private builds for embargoed vulnerabilities.
* pjp
  * pjp and d-caf to work on the feature requests for Koji and Bodhi for
    private builds for embargoed vulnerabilities.
* zoglesby
  * zoglesby to take the Apprenticeship discussion to the list for
    further development
* **UNASSIGNED**
  * (none)
People Present (lines said)
---------------------------
* Sparks (69)
* Astradeus (14)
* d-caf (13)
* zodbot (10)
* dgilmore (10)
* pjp (7)
* zoglesby (6)
14:05:58 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:05:58 <zodbot> Meeting started Thu Mar 17 14:05:58 2016 UTC. The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:05:58 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:05:58 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_t...'
14:06:01 <Sparks> #meetingname Fedora Security Team
14:06:01 <zodbot> The meeting name has been set to 'fedora_security_team'
14:06:06 <Sparks> #topic Roll Call
14:06:09 * Sparks
14:06:10 * d-caf
14:06:18 * zoglesby
14:06:57 <pjp> .hellomynameis pjp
14:06:59 <zodbot> pjp: pjp 'None' <pj.pandit(a)yahoo.co.in>
14:07:15 * Astradeus
14:10:07 <Sparks> Okay, lets get started
14:10:17 <Sparks> #info Participants are reminded to make liberal use of
#info #link #help in order to make the minutes "more better"
14:10:23 <Sparks> #topic Fedora Security Team FAD
14:10:44 <Sparks> #info Sparks wrote up zoglesby's notes on the FAD
14:10:49 <Sparks> #link
https://sparkslinux.wordpress.com/2016/03/16/security-team-post-fad-notes/
14:11:03 <Sparks> Feel free to comment as necessary.
14:11:03 <pjp> Sparks: Thanks much for a nice write-up!
14:11:15 <d-caf> thanks, haven't had a chance to read it just got the email
14:11:28 <d-caf> zoglesby: thanks for the notes!
14:13:49 <Astradeus> nice writeup
14:14:02 <Sparks> I was the photographer of the lovely board pictures.
14:14:04 <Sparks> *sigh*
14:14:15 * Sparks didn't notice the glare when he was taking the photos
14:14:45 <d-caf> Sparks: I took a few pictures, I can send them your way
if you want to compare
14:14:51 <Sparks> Sure
14:15:05 <d-caf> be later today
14:15:34 <Sparks> That's fine
14:16:09 <Sparks> From the notes, I think we need someone to work with
Rel Eng to see what's possible.
14:16:31 <Sparks> #info We'd like private builds in Koji and private
staging in Bodhi
14:17:02 <Sparks> #info Sparks would like to see some fail-safe in Bodhi
that wouldn't allow the package to be shipped before the embargo has
expired.
14:17:22 <dgilmore> Sparks: supporting embargo builds?
14:17:34 <Sparks> dgilmore: Yes, we'd like to
14:17:46 <dgilmore> Sparks: we need ways to hide the build in koji and
bodhi, we need to be able to hide the commits to git
14:18:01 <dgilmore> Sparks: its a lot of work on tools with almost no
resources
14:18:11 <Sparks> dgilmore: Yes and I hadn't considered the git portion.
14:18:27 <dgilmore> So in order to do it people will need to step up and
work on things
14:18:29 <Sparks> dgilmore: Do you need person resources?
14:18:35 <Sparks> okay
14:18:38 <dgilmore> a request for the feature will not be sufficient
14:18:54 <Sparks> dgilmore: Are these feature requests possible?
14:19:13 <dgilmore> Sparks: they are possible. we have had tickets for
some of them for years
14:19:18 <dgilmore> there is no one to work on them
14:19:23 <Sparks> okay
14:19:36 <dgilmore> so if you actually want it you will need to provide
humans
14:19:51 <Sparks> #info dgilmore notes that the feature requests are
possible but it'll take human resources that currently haven't stepped up.
14:20:42 <zoglesby> sorry I was afk, lots of work stuff going on...
14:21:06 <Sparks> zoglesby: Pfft... it's FST time, everything else can wait!
14:21:20 <Sparks> dgilmore: Do you happen to have bug numbers for the
existing feature requests?
14:22:50 <dgilmore> Sparks: sorry I do not
14:23:04 <dgilmore> I have not looked at tehm in years
14:23:54 <Sparks> dgilmore: That's fine.
14:24:56 <Sparks> Does anyone want to take on documenting and recruiting
for this project?
14:26:07 <Sparks> anyone?
14:26:16 * Sparks eyes d-caf
14:26:22 <pjp> Sparks: recruiting?
14:26:38 <Sparks> pjp: Yeah, trying to get the humans necessary to move
this forwared
14:26:43 <d-caf> Sorry, work distraction
14:26:45 <d-caf> back
14:26:52 <Sparks> s/forwared/forward
14:26:58 <pjp> Sparks: I could look for someone,
14:27:37 <d-caf> pjp: Sparks: I can try and sure out these old tickets
as well
14:27:44 <Sparks> pjp: Okay, can you document the feature request, as well?
14:27:51 <d-caf> search/sure
14:27:53 <pjp> Sparks: Okay,
14:28:15 <Sparks> Okay, pjp and d-caf, both of you work together on this.
14:28:24 <Sparks> pjp++ d-caf++
14:28:24 <zodbot> Sparks: Karma for pjp changed to 2 (for the f23
release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:28:27 <pjp> Sparks: Okay
14:28:29 <Sparks> d-caf++
14:28:46 <d-caf> I don't think I'm part of the karma system :-(
14:28:58 <Sparks> d-caf: What's your FAS ID?
14:29:07 <d-caf> dcafaro
14:29:12 <Sparks> dcafaro++
14:29:13 <zodbot> Sparks: Karma for dcafaro changed to 1 (for the f23
release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:29:20 <Sparks> There you go
14:29:32 <d-caf> Ah
14:29:45 <d-caf> I've got to go to a quick meeting be back in 15
14:30:33 <Sparks> #action pjp and d-caf to work on the feature requests
for Koji and Bodhi for private builds for embargoed vulnerabilities.
14:30:44 <Sparks> Okay, anything else before we move on?
14:30:54 * pjp noted
14:31:48 <Sparks> #topic Outstanding BZ Tickets
14:31:58 <Sparks> mhayden: Did you run your magic script today?
14:35:35 <Sparks> Okay, well I don't have numbers for today so we'll
move on.
14:35:47 <Sparks> #topic Apprenticeship
14:35:49 <Astradeus> i'd have numbers
14:36:00 <Sparks> #undo
14:36:00 <zodbot> Removing item from minutes: <MeetBot.items.Topic
object at 0x2b612b90>
14:36:07 <Astradeus> +Tickets by Severity-+-------+---------+
14:36:08 <Astradeus> | Severity | Tickets | Owned | Unowned |
14:36:08 <Astradeus> +----------+---------+-------+---------+
14:36:08 <Astradeus> | medium | 475 | 40 | 435 |
14:36:08 <Astradeus> | low | 182 | 13 | 169 |
14:36:10 <Astradeus> | high | 69 | 31 | 38 |
14:36:13 <Astradeus> +----------+---------+-------+---------+
14:36:22 <Sparks> Astradeus++
14:36:22 <zodbot> Sparks: Karma for astra changed to 1 (for the f23
release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:36:42 <zoglesby> cookies for everyone!
14:36:43 <Astradeus> shall i also email the whole output?
14:36:47 <Sparks> zoglesby++
14:36:48 <zodbot> Sparks: Karma for zoglesby changed to 2 (for the f23
release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:36:56 <Sparks> Astradeus: Yes please
14:37:09 <Sparks> Still no criticals... excellent.
14:37:17 <Sparks> Too many highs... not excellent
14:39:49 <Astradeus> anyone want's to take me through a
sec-bug-squashing process? ;)
14:40:47 <Sparks> Astradeus: Sure, can we do that after the meeting in
#fedora-security-team?
14:40:57 <Astradeus> Sparks: yey, sounds great :)
14:41:04 <Sparks> #topic Apprenticeship
14:41:24 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:41:48 <Sparks> If you haven't looked at this page since Friday
afternoon take a look at it now.
14:42:01 <Sparks> I removed everything that was there and started anew
14:42:41 <Sparks> #info There are documentation opportunities if someone
wants to do something
14:42:49 <Sparks> (look for the red links)
14:43:28 <Sparks> We also need to go through the existing training
resources and figure out what kind of training we should be suggesting
14:44:43 <zoglesby> that should be a topic for the list, as it will take
time.
14:44:59 <Sparks> Agreed
14:45:05 <Sparks> zoglesby: Can you take it to the list?
14:45:11 <zoglesby> sure thing
14:45:25 <zoglesby> action me up!
14:45:46 <Sparks> #action zoglesby to take the Apprenticeship discussion
to the list for further development
14:46:12 <Sparks> #topic Open floor discussion/questions/comments
14:46:14 <Sparks> Anyone have anything?
14:48:11 <Sparks> no?
14:48:35 <Astradeus> not me
14:48:38 <Sparks> Okay, well, thanks to all who came and participated!
Special thanks to our guest dgilmore!
14:48:51 <Sparks> Everyone have a good day!
14:48:56 <Sparks> #endmeeting