Fedora Security Team Report - 2016-06-23
by Major Hayden
Fedora Security Team Report
Report date: 2016-06-23 07:47:26.504776
Data from: 2016-06-23
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      | 579     | 40    | 539     |
| low         | 193     | 13    | 180     |
| high        | 84      | 25    | 59      |
| unspecified | 3       | 2     | 1       |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      | 768     | 70    | 698     |
| ON_QA    | 58      | 4     | 54      |
| ASSIGNED | 22      | 6     | 16      |
| MODIFIED | 11      | 0     | 11      |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   | 579     | 40    | 539     |
| low      | 193     | 13    | 180     |
| high     | 87      | 27    | 60      |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| qemu          | 18      | 4     | 14      |
| mingw-libxml2 | 14      | 0     | 14      |
| bugzilla      | 13      | 1     | 12      |
| ImageMagick   | 12      | 0     | 12      |
| imlib2        | 12      | 0     | 12      |
| mingw-jasper  | 12      | 0     | 12      |
| jasper        | 12      | 0     | 12      |
| libxml2       | 11      | 0     | 11      |
| glib2         | 10      | 0     | 10      |
| mingw-libtiff | 10      | 0     | 10      |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| 23             | 304     | 15    | 289     |
| el6            | 280     | 39    | 241     |
| 22             | 96      | 1     | 95      |
| el5            | 93      | 22    | 71      |
| epel7          | 76      | 3     | 73      |
| 24             | 7       | 0     | 7       |
| rawhide        | 3       | 0     | 3       |
+----------------+---------+-------+---------+
--
Major Hayden
Security Team meeting minutes for 2016-06-16
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:18 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-06-16/fedora_securi...
.
Meeting summary
---------------
* Roll Call (Sparks, 14:00:26)
* Apprenticeship (Sparks, 14:09:28)
* ACTION: Sparks to document the goals for the team on the wiki
(Sparks, 14:14:59)
* Windows/OS X Tools in F25 (Sparks, 14:20:13)
* LINK: https://fedorahosted.org/fedora-security-team/ticket/1
(Sparks, 14:20:19)
* zoglesby commented on the ticket but hasn't had any feedback yet.
(Sparks, 14:21:11)
* LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1310542#c16
(Astradeus, 14:28:45)
* ACTION: zoglesby to follow up on progress of the Windows Live USB
program (Sparks, 14:34:02)
* Outstanding BZ Tickets (Sparks, 14:34:18)
* Open floor discussion/questions/comments (Sparks, 14:38:39)
Meeting ended at 14:41:05 UTC.
Action Items
------------
* Sparks to document the goals for the team on the wiki
* zoglesby to follow up on progress of the Windows Live USB program
Action Items, by person
-----------------------
* Sparks
* Sparks to document the goals for the team on the wiki
* zoglesby
* zoglesby to follow up on progress of the Windows Live USB program
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* Sparks (34)
* Astradeus (12)
* zoglesby (5)
* zodbot (4)
* mhayden (2)
14:00:18 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:19 <zodbot> Meeting started Thu Jun 16 14:00:18 2016 UTC. The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:00:19 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:00:19 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_t...'
14:00:22 <Sparks> #meetingname Fedora Security Team
14:00:22 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:26 <Sparks> #topic Roll Call
14:00:27 * Sparks
14:03:37 * Astradeus
14:04:27 <Astradeus> but no specific topics to discuss. and i didn't
read what i promised to read :/
14:05:03 <Sparks> Astradeus: You shall be shunned appropriately
14:05:22 <Sparks> jsmith` zoglesby linuxmodder: You around?
14:05:40 <zoglesby> around but dealing with an issue at work
14:06:08 <Astradeus> Sparks: poor me ;)
14:06:27 <Sparks> zoglesby: Aren't we always?
14:09:13 <Sparks> Okay, lets get started as I have a hard stop a little
before the top of the hour
14:09:28 <Sparks> #topic Apprenticeship
14:10:03 * mhayden stumbles in
14:10:25 <Sparks> I'll share what jtaylor90 had to say (he's in another
meeting this morning)
14:10:28 <Sparks> 13:53 < jtaylor90> regarding the apprentice readings
and such, I did have a couple comments, the first is, the finding a
mentor could be fleshed out a little
14:10:31 <Sparks> 13:53 < jtaylor90> for the mentor and mentoree (if
that's a word)
14:10:33 <Sparks> 13:55 < jtaylor90> and also do we have the sec team
goals documented somewhere besides the wiki, the linked page on the wiki
is empty
14:10:48 <Sparks> comments?
14:13:31 <Sparks> no?
14:13:51 <zoglesby> you should fix that second one
14:14:03 <zoglesby> the first one is a much harder issue to figure out
14:14:04 <Astradeus> not from me, i don't feel ready to define stuff for
the security team
14:14:59 <Sparks> #action Sparks to document the goals for the team on
the wiki
14:15:17 <Astradeus> i've been reading (and sometimes talking) in
meetings, but i don't think i can really contribute yet - still have to
learn more about the fedora-ecosystem
14:17:18 <Sparks> zoglesby: I didn't see but I thought linuxmodder was
going to add his comments to a post to the ML.
14:17:54 <zoglesby> I don't think he actually did so
14:18:54 <Sparks> Okay
14:19:31 <Sparks> Anyone have anything else on the topic?
14:20:09 <Astradeus> not me
14:20:13 <Sparks> #topic Windows/OS X Tools in F25
14:20:19 <Sparks> #link
https://fedorahosted.org/fedora-security-team/ticket/1
14:21:11 <Sparks> #info zoglesby commented on the ticket but hasn't had
any feedback yet.
14:21:14 <Sparks> zoglesby++
14:21:29 <Sparks> Anyone have anything else on the topic?
14:21:40 <Astradeus> wasn't there some discussion about running this on
a virtual machine in fedora infrastructure somewhere?
14:21:49 <Sparks> I don't know
14:22:12 * mhayden is looking at what tools we're talking about
14:27:17 <Astradeus> it looks like the last update was sometime in
april, so it seems they are either waiting for a statement from us or
nobody currently is working on it
14:28:40 <Astradeus> maybe this is the current state?
14:28:45 <Astradeus> #link
https://bugzilla.redhat.com/show_bug.cgi?id=1310542#c16
14:31:05 <Sparks> zoglesby: Can you follow up and see if anything else
is needed?
14:32:43 <zoglesby> um, sure
14:34:02 <Sparks> #action zoglesby to follow up on progress of the
Windows Live USB program
14:34:18 <Sparks> #topic Outstanding BZ Tickets
14:34:26 <Sparks> Anyone have anything ticket related?
14:35:54 <Astradeus> no
14:38:39 <Sparks> #topic Open floor discussion/questions/comments
14:38:45 <Sparks> Anyone have anything?
14:40:12 <Sparks> Okay, not hearing anything.
14:40:55 <Sparks> Thanks for everyone coming out this morning.
14:41:02 <Astradeus> thanks for doing the meeting
14:41:05 <Sparks> #endmeeting
Fedora Security Team Report - 2016-06-16
by Major Hayden
Fedora Security Team Report
Report date: 2016-06-16 08:31:36.182368
Data from: 2016-06-16
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      | 583     | 40    | 543     |
| low         | 197     | 13    | 184     |
| high        | 81      | 25    | 56      |
| unspecified | 3       | 2     | 1       |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      | 774     | 70    | 704     |
| ON_QA    | 58      | 4     | 54      |
| ASSIGNED | 24      | 6     | 18      |
| MODIFIED | 8       | 0     | 8       |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   | 583     | 40    | 543     |
| low      | 197     | 13    | 184     |
| high     | 84      | 27    | 57      |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| qemu          | 19      | 4     | 15      |
| mingw-libxml2 | 14      | 0     | 14      |
| bugzilla      | 13      | 1     | 12      |
| imlib2        | 12      | 0     | 12      |
| mingw-jasper  | 12      | 0     | 12      |
| jasper        | 12      | 0     | 12      |
| ImageMagick   | 11      | 0     | 11      |
| libxml2       | 11      | 0     | 11      |
| glib2         | 10      | 0     | 10      |
| mingw-libtiff | 10      | 0     | 10      |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| 23             | 316     | 15    | 301     |
| el6            | 279     | 39    | 240     |
| 22             | 96      | 1     | 95      |
| el5            | 93      | 22    | 71      |
| epel7          | 73      | 3     | 70      |
| 24             | 4       | 0     | 4       |
| rawhide        | 3       | 0     | 3       |
+----------------+---------+-------+---------+
--
Major Hayden
Opinions about boinc reads on /dev/input/event9
by Germano Massullo
Good day. I am one of the boinc-client maintainers, and I am writing
to you to ask for an opinion about the bug report
<<SELinux is preventing boinc_client from 'getattr' accesses on the
chr_file /dev/input/event9>> [1]
In a few words, boinc-client, to check user inactivity time, reads
keyboard events from /dev/input/event9.
SELinux maintainers said that boinc-client maintainers have to take a
decision about denying or allowing such behaviour.
I tried to ask in boinc's forum (in the mailing list very often you do
not get an answer), so I opened forum topic [2]. They confirmed that
boinc uses /dev/input/event9 to check user inactivity time.
Since boinc-client source code is open, but source code of boinc
working units is not available, I don't know if boinc-client should be
allowed to make such readings...
What is your opinion?
Have a nice day and thank you for your time.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1337607
[2]: https://boinc.berkeley.edu/dev/forum_thread.php?id=11041
P.S. By mistake I have already unsuccessfully sent an email to
security(a)lists.fedoraproject.org, but I wanted to send an e-mail to
security-team(a)lists.fedoraproject.org, so please excuse me if there
are two discussions.
Security Team Meeting Minutes for 2016-06-09
by Eric Christensen
======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:46 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-06-09/fedora_security_team.2016-06-09-14.00.log.html
.
Meeting summary
---------------
* Roll Call (Sparks, 14:00:51)
* Apprenticeship (Sparks, 14:10:28)
* ACTION: linuxmodder and jtaylor90 to test the Fedora Security
Apprenticeship training and report back next week (Sparks,
14:25:11)
* Windows/OS X Tools in F25 (Sparks, 14:31:28)
* LINK: https://fedorahosted.org/fedora-security-team/ticket/1
(Sparks, 14:31:43)
* LINK: https://github.com/lmacken/liveusb-creator (zoglesby,
14:39:59)
* LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1310542
(zoglesby, 14:41:09)
* Open floor discussion/questions/comments (Sparks, 14:47:10)
Meeting ended at 14:51:35 UTC.
Action Items
------------
* linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship
training and report back next week
Action Items, by person
-----------------------
* jtaylor90
* linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship
training and report back next week
* linuxmodder
* linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship
training and report back next week
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* Sparks (51)
* zoglesby (36)
* linuxmodder (20)
* zodbot (10)
* nb (5)
* jtaylor90 (5)
* Astradeus (3)
* mhayden (3)
14:00:46 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:46 <zodbot> Meeting started Thu Jun 9 14:00:46 2016 UTC. The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:00:46 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:00:46 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:49 <Sparks> #meetingname Fedora Security Team
14:00:49 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:51 <Sparks> #topic Roll Call
14:00:52 * Sparks
14:02:41 <linuxmodder> .fas linuxmodder
14:02:41 <zodbot> linuxmodder: linuxmodder 'Corey W Sheldon'
<sheldon.corey(a)openmailbox.org>
14:02:52 <linuxmodder> laggy connect today fyi
14:03:30 * zoglesby is here
14:03:57 <mhayden> .hello mhayden
14:03:58 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net>
14:04:28 <jtaylor90> .fas jtaylor
14:04:29 <zodbot> jtaylor90: jraytay 'Jason Taylor'
<jtaylor48(a)san.rr.com> - jtaylor '' <jtfas90(a)gmail.com> - jtaylor0175
'Jeffrey Scott Taylor' <jst293(a)yahoo.com>
14:04:45 <jtaylor90> lol there is more than one of me
14:06:48 <Sparks> jtaylor90: That's just scary
14:06:53 <Sparks> zoglesby: You here today?
14:06:57 <Sparks> jsmith: ^^^
14:07:04 <zoglesby> yes, I even said so
14:07:09 <Sparks> Yes, yes you did.
14:07:18 <Sparks> #chair linuxmodder mhayden jtaylor90 zoglesby
14:07:18 <zodbot> Current chairs: Sparks jtaylor90 linuxmodder mhayden
zoglesby
14:07:24 <nb> I think I .hello nb
14:07:26 <nb> oops
14:07:29 <nb> .hello nb
14:07:30 <zodbot> nb: nb 'Nick Bebout' <nb(a)nb.zone>
14:07:36 <mhayden> howdy nb
14:07:41 * mhayden just sent out this week's stats
14:08:04 * linuxmodder looks in tb for email
14:09:19 <linuxmodder> that's a lot of unowned NEW
14:10:22 <Sparks> Okay, I want to skip over all the meeting stuff and
go straight into the meat of the meeting.
14:10:28 <Sparks> #topic Apprenticeship
14:10:35 <Sparks> zoglesby: Where are we on this?
14:11:15 <zoglesby> We have a plan, it needs put into action, and I
think we need to talk about how to do that.
14:11:30 <Sparks> Okay, lets talk
14:11:32 <zoglesby> It is my opinion that this has stalled because we
did not have a clear next step
14:12:41 <Sparks> zoglesby: What do you propose?
14:13:12 <zoglesby> I don't have a good answer, or I would have just
started to do it.
14:13:55 <zoglesby> maybe we need a ginnie pig
14:14:05 * Sparks eyes nb
14:14:13 <zoglesby> and by that I mean guinea pig
14:14:36 <jtaylor90> a guinea pig to test out the process?
14:14:41 <Sparks> yes
14:15:16 <nb> Sparks, hello
14:15:29 <nb> you were eying me?
14:15:38 <linuxmodder> missed that what we talking about atm?
14:15:52 <zoglesby> guinea pigs
14:16:07 <jtaylor90> I would be willing to be a guinea pig
14:16:07 <linuxmodder> GP for what exactly?
14:16:09 <zoglesby> they are cute, we want them. Not to eat
14:16:27 <zoglesby> For testing the Apprenticeship process out
14:16:33 <linuxmodder> c0mrad3, you around ?
14:16:37 <linuxmodder> skamath, same
14:16:47 <linuxmodder> I can be a GP then
14:17:46 <zoglesby> I am not saying no, but it would be best to have
someone who was not a part of the setup of the process doing it.
14:17:58 <Astradeus> hi, sorry for being late
14:19:43 <Sparks> zoglesby: Okay, looks like we have a few takers here.
14:20:37 <zoglesby> sorry, trying to find the wiki page
14:21:18 <zoglesby> Okay, if you want to be a guinea pig, please start
working on the items on
https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:21:30 <zoglesby> At next weeks meeting we will talk about it.
14:21:41 <zoglesby> Can I now get a list of people who are going to do so?
14:22:10 <jtaylor90> zoglesby: me
14:22:43 <linuxmodder> !
14:22:50 <linuxmodder> zoglesby, I'm in
14:24:46 <Astradeus> i can look at it again, but it's not really
something i can solve as a task - i've already looked at most of the
linked documents
14:24:53 <Astradeus> but i'll do that until next meeting
14:25:11 <Sparks> #action linuxmodder and jtaylor90 to test the Fedora
Security Apprenticeship training and report back next week
14:25:18 <zoglesby> beat me to it
14:25:27 <Sparks> zoglesby: Sorry, I can undo it so you can do it.
14:25:32 <zoglesby> no
14:27:15 <Sparks> zoglesby: Okay, anything else on this topic?
14:27:29 <zoglesby> Nope, I think that is it.
14:27:42 <Sparks> Great, thanks.
14:27:46 <Sparks> zoglesby++
14:27:58 <Sparks> linuxmodder++
14:27:58 <zodbot> Sparks: Karma for linuxmodder changed to 15 (for the
f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:28:00 <linuxmodder> any specific metrics or feedback Sparks
zoglesby on the Apprentice track?
14:28:05 <Sparks> jtaylor90++
14:28:21 <Sparks> linuxmodder: Yes, does it make you feel prepared.
14:28:22 <Sparks> :)
14:28:28 <linuxmodder> beyond the obvious this has dead link or
needs clarity
14:30:14 <Sparks> linuxmodder: Did you see my comment?
14:30:19 <linuxmodder> yes
14:30:29 <linuxmodder> about preparedness
14:31:22 <Sparks> Okay
14:31:25 <Sparks> Moving on
14:31:28 <Sparks> #topic Windows/OS X Tools in F25
14:31:40 <Sparks> #link
https://fedorahosted.org/fedora-security-team/ticket/1
14:31:43 <Sparks> #link
https://fedorahosted.org/fedora-security-team/ticket/1
14:31:48 <Sparks> I dropped the ball on this one...
14:31:59 <Sparks> I need some input from others on this.
14:34:23 <zoglesby> In the ticket?
14:35:18 <zoglesby> Not signing binaries for any platform is not
acceptable in my book.
14:35:52 <zoglesby> If it costs a little money, Red Hat makes a lot of
that. (and I am sure they have code signing keys already that could be
used)
14:36:03 <Sparks> zoglesby: Right, and what about building them
offsite (not in FP infrastructure)?
14:37:18 <zoglesby> I don't think doing it at someones desk is a good
idea, but I am sure we can find a way to deal with it.
14:37:35 <Sparks> mattdm: You around?
14:37:39 <zoglesby> The issue is that it can't be built on Linux for
windows correct?
14:37:46 <Sparks> I'm not sure.
14:38:53 <zoglesby> 14:35:26 <dgilmore> koji supports windows natively
and it may be possible for to use mingw to cross compile if they
switch to c++
14:39:18 <Sparks> Well, that sounds like a rewrite of the software.
14:39:59 <zoglesby> https://github.com/lmacken/liveusb-creator
14:40:16 <zoglesby> python and pyqt
14:41:03 <linuxmodder> is the old FedoraUSBCreator not still a go for
Windows?
14:41:04 <linuxmodder> what infra you thinking Sparks ?
14:41:06 <linuxmodder> for offsite build
14:41:09 <zoglesby> https://bugzilla.redhat.com/show_bug.cgi?id=1310542
14:41:18 <Sparks> So I guess the overarching question for us is what
should we enforce. Everything should be signed and for things to be
signed it needs to be built in-house. That sound good?
14:41:33 <linuxmodder> cross compile is possible but security wise a
utter pita and mess
14:41:47 <zoglesby> Sparks: no
14:41:48 <linuxmodder> its presently in py yes?
14:41:55 <Sparks> I don't think we have the resources for a code review.
14:42:13 <zoglesby> I am okay with using a 3rd party build infra for
this item. I am not okay with using someones desktop pc for it
14:42:13 <Sparks> linuxmodder: I'm trying to think more generally than
this specific piece of software.
14:42:47 <Sparks> I'm not sure we can validate the binary if we don't
build it ourselves.
14:42:54 <Sparks> s/can/should
14:43:16 <zoglesby> As long as infra can have people checking in on
the build system (or us) I think it is okay to use something else for
this. Doing it on a PC at someones home/work means they are the
gatekeeper.
14:43:48 <zoglesby> I would like to find out what the actual build
process is.
14:44:10 <Sparks> zoglesby: Can you add these comments to the ticket?
14:44:39 <zoglesby> It's python and pyqt. I can't think you need to
build on windows for that. My reading is that koji has no support for it.
14:45:07 <zoglesby> If that is the case I say they do it on a VM in
fedora infra.
14:45:14 <zoglesby> Sparks: sure
14:46:41 <zoglesby> done
14:47:09 <Sparks> Okay, we're running a bit late... Lets just skip to
the end.
14:47:10 <Sparks> #topic Open floor discussion/questions/comments
14:47:13 <Sparks> Anyone have anything?
14:48:13 <zoglesby> only that hour has gone by very slow
14:48:24 <Sparks> heh
14:49:25 <Sparks> Anyone else?
14:51:00 <Sparks> Okay, lets go ahead and secure the meeting, then.
Everyone have a good day!
14:51:35 <Sparks> #endmeeting
Fedora Security Team Report - 2016-06-09
by Major Hayden
Fedora Security Team Report
Report date: 2016-06-09 08:58:08.761959
Data from: 2016-06-09
-------------------------------------------------------------------------------
+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      | 576     | 40    | 536     |
| low         | 182     | 13    | 169     |
| high        | 77      | 25    | 52      |
| unspecified | 3       | 2     | 1       |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      | 759     | 70    | 689     |
| ON_QA    | 50      | 4     | 46      |
| ASSIGNED | 23      | 6     | 17      |
| MODIFIED | 6       | 0     | 6       |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   | 576     | 40    | 536     |
| low      | 182     | 13    | 169     |
| high     | 80      | 27    | 53      |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| qemu          | 19      | 4     | 15      |
| mingw-libxml2 | 14      | 0     | 14      |
| bugzilla      | 13      | 1     | 12      |
| imlib2        | 12      | 0     | 12      |
| mingw-jasper  | 12      | 0     | 12      |
| jasper        | 12      | 0     | 12      |
| ImageMagick   | 11      | 0     | 11      |
| libxml2       | 11      | 0     | 11      |
| glib2         | 10      | 0     | 10      |
| moodle        | 9       | 1     | 8       |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| 23             | 296     | 15    | 281     |
| el6            | 277     | 39    | 238     |
| 22             | 97      | 1     | 96      |
| el5            | 89      | 22    | 67      |
| epel7          | 73      | 3     | 70      |
| 24             | 3       | 0     | 3       |
| rawhide        | 3       | 0     | 3       |
+----------------+---------+-------+---------+
--
Major Hayden