be quick


------------------ Original Message ------------------
From: "security-team-request";<security-team-request@lists.fedoraproject.org>;
Sent: Thursday, May 5, 2016 11:05 PM
To: "security-team"<security-team@lists.fedoraproject.org>;
Subject: security-team Digest, Vol 22, Issue 6

Send security-team mailing list submissions to
security-team@lists.fedoraproject.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.fedoraproject.org/admin/lists/security-team@lists.fedoraproject.org
or, via email, send a message with subject or body 'help' to
security-team-request@lists.fedoraproject.org

You can reach the person managing the list at
security-team-owner@lists.fedoraproject.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of security-team digest..."

Today's Topics:

   1. Security Team meeting minutes for 2016-04-28 (Eric Christensen)
   2. [Fedocal] Reminder meeting : Security Team Meeting
      (nobody@fedoraproject.org)
   3. Re: Requirements for shipping Windows / OSX tools in F25
      (Amanda Carter)
   4. Fedora Security Team Report - 2016-05-05 (Major Hayden)
   5. Security Team meeting minutes for 2016-05-05 (Eric Christensen)


----------------------------------------------------------------------

Date: Thu, 28 Apr 2016 10:33:22 -0400
From: Eric Christensen <echriste@redhat.com>
Subject: Security Team meeting minutes for 2016-04-28
To: Fedora Security Team <security-team@lists.fedoraproject.org>
Message-ID: <57221F32.7090106@redhat.com>
Content-Type: text/plain; charset=utf-8

======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================


Meeting started by Sparks at 14:02:05 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-04-28/fedora_security_team.2016-04-28-14.02.log.html



Meeting summary
---------------
* Roll Call  (Sparks, 14:02:12)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better"  (Sparks, 14:07:29)

* Follow up on last week's tasks  (Sparks, 14:07:44)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over)  (Sparks, 14:07:50)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs (carried over)  (Sparks, 14:08:00)
  * ACTION: pjp and d-caf to work on the feature requests for distgit,
    Koji, and Bodhi for private builds for embargoed vulnerabilities.
    (carried over)  (Sparks, 14:09:35)

* Apprenticeship  (Sparks, 14:09:45)
  * LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship
    (Sparks, 14:15:15)
  * ACTION: zoglesby to update the reading list for the Apprenticeship
    (Sparks, 14:17:28)

* Open floor discussion/questions/comments  (Sparks, 14:17:53)

* Outstanding BZ Tickets  (Sparks, 14:22:07)
  * Thursday's numbers: Critical 0 (0), Important 80 (+8), Moderate 520
    (+10), Low 180 (+11), Total 780 (+29)  (Sparks, 14:22:13)

* Open floor discussion/questions/comments  (Sparks, 14:26:58)

Meeting ended at 14:28:57 UTC.




Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
  over)
* Sparks to figure out how FST members can get access to Fedora security
  bugs (carried over)
* pjp and d-caf to work on the feature requests for distgit, Koji, and
  Bodhi for private builds for embargoed vulnerabilities. (carried over)
* zoglesby to update the reading list for the Apprenticeship




Action Items, by person
-----------------------
* d-caf
  * pjp and d-caf to work on the feature requests for distgit, Koji, and
    Bodhi for private builds for embargoed vulnerabilities. (carried
    over)
* Sparks
  * Sparks to figure out how FST members can get access to Fedora
    security bugs (carried over)
* zoglesby
  * zoglesby to update the reading list for the Apprenticeship
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)




People Present (lines said)
---------------------------
* Sparks (51)
* d-caf (10)
* Astradeus (10)
* zodbot (10)
* zoglesby (6)
* c0mrad3 (3)
* linuxmodder (3)
* nb (1)
* dgilmore (1)

14:02:05 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:02:06 <zodbot> Meeting started Thu Apr 28 14:02:05 2016 UTC.  The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:02:06 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:02:06 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:02:09 <Sparks> #meetingname Fedora Security Team
14:02:09 <zodbot> The meeting name has been set to 'fedora_security_team'
14:02:12 <Sparks> #topic Roll Call
14:02:15 * Sparks
14:02:17 * d-caf
14:02:23 * Astradeus
14:02:49 <Sparks> #chair d-caf Astradeus
14:02:49 <zodbot> Current chairs: Astradeus Sparks d-caf
14:02:56 * linuxmodder
14:03:11 <linuxmodder> morning  everyone
14:03:20 <Sparks> #chair linuxmodder
14:03:20 <zodbot> Current chairs: Astradeus Sparks d-caf linuxmodder
14:04:19 * zoglesby is here
14:04:50 <Sparks> zoglesby: Welcome
14:07:24 <Sparks> Okay, let's get started.
14:07:29 <Sparks> #info Participants are reminded to make liberal use of
#info #link #help in order to make the minutes "more better"
14:07:32 <Sparks> #chair zoglesby
14:07:32 <zodbot> Current chairs: Astradeus Sparks d-caf linuxmodder
zoglesby
14:07:37 * d-caf will have to bail at 10:30
14:07:44 <Sparks> #topic Follow up on last week's tasks
14:07:50 <Sparks> #action pjp to give a status update on security policy
in the wiki (carried over)
14:08:00 <Sparks> #action Sparks to figure out how FST members can get
access to Fedora security bugs (carried over)
14:08:02 <nb> .hello nb
14:08:03 <zodbot> nb: nb 'Nick Bebout' <nb@nb.zone>
14:08:21 <Sparks> d-caf: Did you get a chance to start investigating
private builds in Koji and Bodhi?
14:08:54 <dgilmore> Sparks: do not forget the distgit side of that
14:09:01 <d-caf> Sparks: unfortunately not, last few weeks have been
messed up, WILL do this week
14:09:13 <Sparks> dgilmore++
14:09:13 <zodbot> Sparks: Karma for ausil changed to 27 (for the f23
release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:09:35 <Sparks> #action pjp and d-caf to work on the feature requests
for distgit, Koji, and Bodhi for private builds for embargoed
vulnerabilities. (carried over)
14:09:45 <Sparks> #topic Apprenticeship
14:10:02 <Sparks> zoglesby: You ran the meeting last week where we
discussed this.  What say you?
14:12:05 <linuxmodder> distgit ?
14:13:10 <d-caf> linuxmodder: I assume it references this #link
https://fedoraproject.org/wiki/Dist_Git_Project
14:13:54 <Sparks> zoglesby: ???
14:15:15 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:15:28 <Sparks> Okay, not sure where zoglesby went...
14:15:36 <zoglesby> sorry
14:15:43 <Sparks> Oh there you are.
14:15:47 <Sparks> You have the floor.
14:16:16 <zoglesby> So I did not update the reading list yet, but I will
do that as soon as the meeting ends
14:16:35 <zoglesby> Nothing else to report for last week
14:17:08 <Sparks> Okay
14:17:15 <Sparks> #action zoglesby to update the reading list
14:17:19 <Sparks> #undo
14:17:19 <zodbot> Removing item from minutes: ACTION by Sparks at
14:17:15 : zoglesby to update the reading list
14:17:28 <Sparks> #action zoglesby to update the reading list for the
Apprenticeship
14:17:53 <Sparks> #topic Open floor discussion/questions/comments
14:18:02 * c0mrad3 waves
14:18:06 <Sparks> Sorry, I don't have numbers of tickets for this week.
14:18:09 <Sparks> Does anyone have anything?
14:18:16 <Astradeus> Sparks: mhayden just sent them
14:18:24 <Astradeus> and yes :)
14:18:38 <Sparks> Astradeus: Go ahead and I'll come back to the numbers.
14:18:42 <d-caf> c0mrad3: Have you had a chance to tackle any tickets,
did you still want some help with that?
14:19:07 <Astradeus> today there is the Go/NoGo-meeting for
(beta)release - someone requested that every team has a representative
there - does that include us?
14:19:29 <Astradeus> and if yes: do we have any issues there?
14:19:44 <zoglesby> I don't think Security has been in that meeting before
14:19:44 <c0mrad3> d-caf: still working on it, I got selected to GSoC
in Fedora https://summerofcode.withgoogle.com/projects/#4738558669619200
14:20:36 <d-caf> c0mrad3: Congrats!  That's great!
14:20:48 <Astradeus> c0mrad3: cool :)
14:21:04 <Sparks> Astradeus: Yeah, we're not on the list so...
14:21:53 <Sparks> c0mrad3++
14:22:07 <Sparks> #topic Outstanding BZ Tickets
14:22:13 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 80
(+8), Moderate 520 (+10), Low 180 (+11), Total 780 (+29)
14:22:20 <Sparks> +Tickets by Severity-+-------+---------+
14:22:20 <Sparks> | Severity | Tickets | Owned | Unowned |
14:22:20 <Sparks> +----------+---------+-------+---------+
14:22:20 <Sparks> | medium   | 520     | 40    | 480     |
14:22:20 <Sparks> | low      | 180     | 13    | 167     |
14:22:22 <Sparks> | high     | 80      | 28    | 52      |
14:22:24 <Sparks> +----------+---------+-------+---------+
14:22:28 <Sparks> Does anyone have anything ticket related?
14:22:33 <Sparks> ...to discuss?
14:22:41 <d-caf> No, besides needing to work them more
14:22:50 <Astradeus> did they go up much?
14:22:55 <d-caf> We need to own more of those high
14:24:13 <Astradeus> ah, they did.. 8 more high, 10 more medium, 11 more low
14:24:33 <Astradeus> d-caf: definitely
14:24:35 <d-caf> We need to push to get that trend back into negative
14:24:50 <Sparks> d-caf: Yep
14:26:58 <Sparks> #topic Open floor discussion/questions/comments
14:27:05 <Sparks> Does anyone have anything else?
14:27:16 <c0mrad3> no
14:27:18 <Astradeus> not me
14:27:19 <d-caf> nope
14:27:32 * Sparks eyes zoglesby
14:27:45 <zoglesby> I do not
14:28:48 <Sparks> Okay, that's a wrap, then.
14:28:55 <Sparks> See you all on the Intertubez!
14:28:57 <Sparks> #endmeeting

------------------------------

Date: Wed,  4 May 2016 14:00:03 +0000 (UTC)
From: nobody@fedoraproject.org
Subject: [Fedocal] Reminder meeting : Security Team Meeting
To: security-team@lists.fedoraproject.org
Message-ID:
<20160504140003.04027611B625@fedocal02.phx2.fedoraproject.org>
Content-Type: text/plain; charset="utf-8"

Dear all,

You are kindly invited to the meeting:
   Security Team Meeting on 2016-05-05 from 14:00:00 to 15:00:00 UTC
   At fedora-meeting@irc.freenode.net

The meeting will be about:

More information available at:
https://fedoraproject.org/wiki/Security_Team_meetings


Source: https://apps.fedoraproject.org/calendar/meeting/2849/


------------------------------

Date: Wed, 4 May 2016 12:04:26 -0400 (EDT)
From: Amanda Carter <acarter@redhat.com>
Subject: Re: Requirements for shipping Windows / OSX tools in F25
To: Matthew Miller <mattdm@redhat.com>, security-team@lists.fedoraproject.org
Cc: Peter Robinson <pbrobinson@redhat.com>, Dennis Gilmore
<dgilmore@redhat.com>, Stephen Smoogen <ssmoogen@redhat.com>,
Christian Schaller <cschalle@redhat.com>, Jiri Eischmann
<eischmann@redhat.com>
Message-ID:
<983499006.70849222.1462377866416.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset=utf-8

OK, I've added the FST list here. At this point I'm noting that there is no plan for Releng to ship these deliverables in F25 and in order for them to be shipped outside of this process, it's blocked on signoff from FST. If they need to confirm with the internal team, I'll let them facilitate that discussion.

If this was already filed with the FST folks, please let the group know so we can follow the ticket and close out the dupe if needed.

If it hasn't, I'll ask Christian to outline in the ticket the proposal for further comment in review.

Anyone uncomfortable with that?

----- Original Message -----
> From: "Matthew Miller" <mattdm@redhat.com>
> To: "Peter Robinson" <pbrobinson@redhat.com>
> Cc: "Christian Schaller" <cschalle@redhat.com>, "Jiri Eischmann" <eischmann@redhat.com>, "Amanda Carter"
> <acarter@redhat.com>, "Dennis Gilmore" <dgilmore@redhat.com>, "Stephen Smoogen" <ssmoogen@redhat.com>
> Sent: Wednesday, May 4, 2016 11:56:30 AM
> Subject: Re: Requirements for shipping Windows / OSX tools in F25
>
> On Wed, May 4, 2016 at 11:23 AM, Peter Robinson <pbrobinson@redhat.com>
> wrote:
> > How are we going to deal with security updates for this then to ensure
> > we don't get into that situation, how will we notify users of new
> > versions etc.
>
> I'd be happy with a signoff directly from the Fedora Security Team
> (https://fedoraproject.org/wiki/Security_Team) or with a message from
> someone on Red Hat's internal security team to the FST saying that
> they've looked at the plan and are okay with it.
>
>
> --
> Matthew Miller • Fedora Project Leader
>

--
Amanda Carter

------------------------------

Date: Thu, 5 May 2016 08:54:41 -0500
From: Major Hayden <major@mhtx.net>
Subject: Fedora Security Team Report - 2016-05-05
To: Fedora Security Team <security-team@lists.fedoraproject.org>
Message-ID: <545919ed-0af7-3959-89eb-43005cd77244@mhtx.net>
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="fPmRC6GVKOdcH43t8J9Bvs4NPgrQg7UMP"


Happy Cinco de Mayo! :)

 __           _
/ _|  ___  __| | ___  _ __ __ _
| |_ / _ \/ _` |/ _ \| '__/ _` |  Fedora Security Team Report
|  _|  __/ (_| | (_) | | | (_| |  Report date: 2016-05-05 08:54:07.528311
|_|  \___|\__,_|\___/|_|  \__,_|  Data from: 2016-05-05
-------------------------------------------------------------------------------

+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      | 531     | 40    | 491     |
| low         | 182     | 13    | 169     |
| high        | 85      | 26    | 59      |
| unspecified | 3       | 2     | 1       |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      | 689     | 70    | 619     |
| ON_QA    | 67      | 5     | 62      |
| ASSIGNED | 33      | 6     | 27      |
| MODIFIED | 12      | 0     | 12      |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   | 531     | 40    | 491     |
| low      | 182     | 13    | 169     |
| high     | 88      | 28    | 60      |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| mingw-libxml2 | 14      | 0     | 14      |
| imlib2        | 14      | 0     | 14      |
| mingw-jasper  | 12      | 0     | 12      |
| jasper        | 12      | 0     | 12      |
| cacti         | 12      | 0     | 12      |
| libxml2       | 11      | 0     | 11      |
| bugzilla      | 11      | 1     | 10      |
| qemu          | 10      | 4     | 6       |
| glibc         | 10      | 0     | 10      |
| glib2         | 10      | 0     | 10      |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6            | 273     | 39    | 234     |
| 23             | 259     | 15    | 244     |
| 22             | 105     | 1     | 104     |
| el5            | 88      | 23    | 65      |
| epel7          | 69      | 3     | 66      |
| 24             | 3       | 0     | 3       |
| rawhide        | 3       | 0     | 3       |
| 21             | 1       | 0     | 1       |
+----------------+---------+-------+---------+


--
Major Hayden



------------------------------

Date: Thu, 5 May 2016 11:03:16 -0400
From: Eric Christensen <echriste@redhat.com>
Subject: Security Team meeting minutes for 2016-05-05
To: Fedora Security Team <security-team@lists.fedoraproject.org>
Message-ID: <572B60B4.8060400@redhat.com>
Content-Type: text/plain; charset=utf-8

======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================


Meeting started by Sparks at 14:00:27 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-05-05/fedora_security_team.2016-05-05-14.00.log.html



Meeting summary
---------------
* Roll Call  (Sparks, 14:00:41)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better"  (Sparks, 14:06:02)

* Follow up on last week's tasks  (Sparks, 14:07:51)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over)  (Sparks, 14:08:18)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs (carried over)  (Sparks, 14:08:29)
  * ACTION: zoglesby to update the reading list for the Apprenticeship
    (Sparks, 14:10:03)

* Private builds in infrastructure for embargoed bits  (Sparks,
  14:10:23)
  * LINK: https://fedoraproject.org/wiki/Koji/Policies   (d-caf,
    14:15:22)
  * LINK: https://fedoraproject.org/wiki/Koji/Policies   (Sparks,
    14:16:14)
  * ACTION: Sparks to garden the Koji wiki pages to standardize the
    pages and add a category or two.  (Sparks, 14:21:08)
  * LINK: https://fedoraproject.org/wiki/Koji#Tags_and_Targets   (d-caf,
    14:21:30)
  * ACTION: d-caf to continue working on private builds in koji, bodhi,
    and distgit.  (Sparks, 14:24:29)

* Windows/OS X Tools in F25  (Sparks, 14:27:27)
  * LINK:
    https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/I7JESRGWRWDXFDGODBUPTUL3KWTXAGVP/
    (Sparks, 14:28:05)
  * ACTION: Sparks to follow up on the shipping of non-Linux binaries of
    the USB ISO tool.  (Sparks, 14:38:01)
  * ACTION: Sparks to create a ticket for the request  (Sparks,
    14:38:11)
  * LINK:
    https://fedoraproject.org/wiki/Changes/LUCasPrimaryDownloadable
    (dgilmore, 14:38:55)
  * LINK:
    https://fedoraproject.org/wiki/Changes/LUCasPrimaryDownloadable
    (Sparks, 14:39:19)

* Outstanding BZ Tickets  (Sparks, 14:39:39)
  * Thursday's numbers: Critical 0 (0), Important 88 (+8), Moderate 531
    (+11), Low 182 (+2), Total 801 (+21)  (Sparks, 14:39:54)

* Private builds in infrastructure for embargoed bits  (Sparks,
  14:42:54)
  * ACTION: Sparks to get stats on the number of vulns that were
    embargoed that affected Fedora/EPEL.  (Sparks, 14:55:17)

Meeting ended at 15:01:56 UTC.




Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
  over)
* Sparks to figure out how FST members can get access to Fedora security
  bugs (carried over)
* zoglesby to update the reading list for the Apprenticeship
* Sparks to garden the Koji wiki pages to standardize the pages and add
  a category or two.
* d-caf to continue working on private builds in koji, bodhi, and
  distgit.
* Sparks to follow up on the shipping of non-Linux binaries of the USB
  ISO tool.
* Sparks to create a ticket for the request
* Sparks to get stats on the number of vulns that were embargoed that
  affected Fedora/EPEL.




Action Items, by person
-----------------------
* d-caf
  * d-caf to continue working on private builds in koji, bodhi, and
    distgit.
* Sparks
  * Sparks to figure out how FST members can get access to Fedora
    security bugs (carried over)
  * Sparks to garden the Koji wiki pages to standardize the pages and
    add a category or two.
  * Sparks to follow up on the shipping of non-Linux binaries of the USB
    ISO tool.
  * Sparks to create a ticket for the request
  * Sparks to get stats on the number of vulns that were embargoed that
    affected Fedora/EPEL.
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)
  * zoglesby to update the reading list for the Apprenticeship




People Present (lines said)
---------------------------
* Sparks (91)
* dgilmore (77)
* d-caf (34)
* linuxmodder (21)
* zodbot (11)
* mhayden (3)
* sct (2)
* Astradeus (1)
* skamath (1)

14:00:27 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:27 <zodbot> Meeting started Thu May  5 14:00:27 2016 UTC.  The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:00:27 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:00:27 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:29 <Sparks> #meetingname Fedora Security Team
14:00:29 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:41 <Sparks> #topic Roll Call
14:00:42 * Sparks
14:00:51 <linuxmodder> .hello  linuxmodder
14:00:52 <zodbot> linuxmodder: linuxmodder 'Corey W Sheldon'
<sheldon.corey@openmailbox.org>
14:01:10 <skamath> .hello skamath
14:01:11 <zodbot> skamath: skamath 'Sachin S Kamath ' <sskamath96@gmail.com>
14:01:57 <linuxmodder> I may drop out  fyi  I'm on a  sketchy connect
14:02:23 <mhayden> .hello mhayden
14:02:24 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
14:03:16 * d-caf
14:03:32 <d-caf> .hello d-daf
14:03:33 <zodbot> d-caf: Sorry, but you don't exist
14:03:38 <d-caf> LOL
14:03:55 <d-caf> .hello d-caf
14:03:56 <zodbot> d-caf: Sorry, but you don't exist
14:04:01 <linuxmodder> no ghosts or  illegals allowed :)
14:04:08 <d-caf> LOL
14:04:17 <d-caf> I'm so broken...
14:04:18 <linuxmodder> damn stowaways :)
14:04:52 <Astradeus> .hello astra
14:04:53 <zodbot> Astradeus: astra 'David Kaufmann' <astra@ionic.at>
14:04:56 * Sparks cleans up the queue for the FST FAS group
14:05:51 <Sparks> Okay, let's get started...
14:06:02 <Sparks> #info Participants are reminded to make liberal use of
#info #link #help in order to make the minutes "more better"
14:06:19 <linuxmodder> sidenote:  finishing  up edits on  install-guide
for  pagure and  hitting  security-guide today  (may have  questions for
the more  seasoned folks later )
14:06:31 <Sparks> linuxmodder: Awesome
14:06:51 <Sparks> #chair mhayden d-caf Astradeus linuxmodder
14:06:51 <zodbot> Current chairs: Astradeus Sparks d-caf linuxmodder mhayden
14:06:53 <d-caf> linuxmodder: cool!
14:06:59 <linuxmodder> planning to  pull out the selinux guide
shoehorned stuff and  update/ validate selinux-guide as well
14:07:13 <linuxmodder> that later part is likely to be a pita
14:07:25 <d-caf> yeah linuxmodder! yeah SELinux!
14:07:25 <Sparks> linuxmodder: You might just be able to revert the
import in git.
14:07:51 <Sparks> #topic Follow up on last week's tasks
14:07:54 * d-caf currently dealing with crond_t domain transitions to
customer policies....
14:08:04 * Sparks notes pjp isn't here.
14:08:18 <Sparks> #action pjp to give a status update on security policy
in the wiki (carried over)
14:08:29 <Sparks> #action Sparks to figure out how FST members can get
access to Fedora security bugs (carried over)
14:08:29 <linuxmodder> Sparks,  will tag up later with you for that then
14:08:43 <linuxmodder> for the 3rd week now :)
14:09:05 <Sparks> d-caf: Have you had a chance to look at the feature
requests for private builds?
14:09:12 <d-caf> I have :-)
14:09:31 <linuxmodder> private builds were the embargoed build thing yes?
14:09:41 <Sparks> d-caf: Nice!  Okay, I'll set a topic for this meeting
to talk about it, then.
14:09:47 <Sparks> linuxmodder: Yes
14:09:48 <d-caf> I spent several hours digging through Koji and Bodhi
documentation and open tickets seeing what was/wasn't there for our goals
14:10:03 <Sparks> #action zoglesby to update the reading list for the
Apprenticeship
14:10:22 <dgilmore> d-caf: nothing is there for your goals :(
14:10:23 <Sparks> #topic Private builds in infrastructure for embargoed bits
14:10:34 <Sparks> d-caf: Tell us what you've found out.
14:10:53 <d-caf> So, koji is actually a little closer to our goals than
I thought
14:11:12 <dgilmore> d-caf: how?
14:11:22 <linuxmodder> buildoverrides ?
14:11:30 <dgilmore> d-caf: there is nothing in koji that is close to
doing what you want
14:11:32 <dgilmore> or neeed
14:11:34 <dgilmore> need
14:11:37 <d-caf> Still probably needs a few things added, but looking
over the policy language it seems that you can specify a lot of specific
permissions per user
14:11:54 <dgilmore> d-caf: not really
14:12:27 <dgilmore> d-caf: and any build is visible, you are going to
have to write a lot of code to hide a build until an embargo is lifted
14:12:30 <d-caf> So the policy language allows restricting what
tags/tasks can be accessed
14:13:01 <dgilmore> d-caf: it does not
14:13:26 <d-caf> dgilmore: fine, I'll stop talking then
14:13:49 <d-caf> dgilmore: you are telling me no before i even finish
writing anything
14:14:01 <Sparks> d-caf: Please continue
14:14:07 <dgilmore> d-caf: I will shut up
14:14:36 <Sparks> d-caf: And point to docs so we can clear up any
confusion if what you are saying is, in fact, incorrect.
14:15:04 <d-caf> I will be a moment, I have to go find what I was
reading over as I'm on a different computer
14:15:22 <d-caf> https://fedoraproject.org/wiki/Koji/Policies
14:16:14 <d-caf> So, in this policy there is the ability to confine
things. based on tags
14:16:14 <Sparks> #link https://fedoraproject.org/wiki/Koji/Policies
14:17:20 <d-caf> Though we would need to get the policy expanded to
better handle user perms (vs admin vs everyone else) there is potential
there to restrict the builds.
14:17:50 <d-caf> not saying there isn't more work needed, but there is
some framework to start from.
14:18:31 <d-caf> additionally there is the ability to restrict via
list-targets and tags which could also be leveraged into this
14:18:58 <d-caf> but it would require some changes in the normal
path/tagging for these special embargo instances
14:19:22 <d-caf> Bodhi on the other hand, well, that has next to nothing
14:19:40 <d-caf> I don't even really see much of a framework to start from
14:19:40 <Sparks> And then there's distgit
14:19:55 <d-caf> I didn't get to distgit, completely forgot about that.
14:20:28 <Sparks> dgilmore: Okay, your turn.  Are we confusing what's
being said in the docs?
14:20:41 <d-caf> Koji needs work, but there is framework there to work
with, bodhi will need a ton of work. didn't check distgit
14:21:08 <Sparks> #action Sparks to garden the Koji wiki pages to
standardize the pages and add a category or two.
14:21:30 <d-caf> #link https://fedoraproject.org/wiki/Koji#Tags_and_Targets
14:22:07 <d-caf> Policy work with tags and targets, need to add better
user support and likely interaction with outside repos
14:22:47 <d-caf> Will also need to consider what access of admins on
this system (who "can" see all) with regard to embargos
14:24:29 <Sparks> #action d-caf to continue working on private builds in
koji, bodhi, and distgit.
14:24:30 <d-caf> Need to work with people (like dgilmore or pjp ) to
help come up with a plan and layout a series of tickets to create to
help guide the work
14:24:37 <Sparks> Anything else?
14:25:14 <d-caf> dgilmore: I want your opinions and help, just need to
give me a chance to layout my mind :-) (no matter how insane it is
sometimes)
14:27:13 <Sparks> Okay, moving on
14:27:27 <Sparks> #topic Windows/OS X Tools in F25
14:27:36 <Sparks> #link
https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/I7JESRGWRWDXFDGODBUPTUL3KWTXAGVP/
14:27:43 <Sparks> grrr
14:28:02 <dgilmore> d-caf: sorry was looking at something else
14:28:05 <Sparks> #link
https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/I7JESRGWRWDXFDGODBUPTUL3KWTXAGVP/
14:28:23 <Sparks> I just released this message to the list right before
the meeting.
14:28:56 <Sparks> It appears that mattdm has asked that we sign off on
some tools for Window/OS X users.
14:29:51 <Sparks> The email isn't incredibly detailed as to what the
question is.  Does someone want to follow up on this?
14:30:26 <d-caf> Sparks: unfortunately I'm going to have to drop out now
as I have a realworld meeting.  I am very interested in what this
windows/osx tool thing is, but can't take lead on it
14:30:31 <d-caf> catch you later.
14:30:37 <Sparks> d-caf: Okay, have a good day.
14:30:49 <Sparks> Anyone else?
14:31:04 <dgilmore> Sparks: the tool is supposed to download Fedora
isos and install them onto a usb stick or disk
14:31:31 <Sparks> Okay, so it's the USB installer thingy that we
currently have in Fedora but for Windows and OS X users?
14:31:48 <dgilmore> yeah
14:32:16 <Sparks> dgilmore: Is there a wiki page for this project or is
it just living in email right now?
14:32:45 * Sparks isn't sure if we're being asked to review the code or
the idea of making Windows/OS X software available.
14:32:50 <dgilmore> it was a accepted f24 change that has been postponed
14:33:25 <dgilmore> Sparks: some people want to build it on computers
under their desks
14:33:31 <dgilmore> and ship those binaries
14:33:36 <Sparks> ewww
14:34:12 <dgilmore> I believe what has been asked is that the security
team sign off on what level of risk is accepted in how we build and ship it
14:34:14 <Sparks> Do we have the means of compiling the software for
non-Linux OSs within our infrastructure?
14:34:33 <dgilmore> Sparks: sounds like you guys need to ask more
questions first
14:34:45 <Sparks> dgilmore: Yes
14:35:18 <Sparks> This conversation seems to be not happening on a list.
Is there a proper public place to have this discussion?
14:35:26 <dgilmore> koji supports windows natively and it may be
possible to use mingw to cross compile if they switch to c++
14:35:59 <dgilmore> Sparks: there is probably a few places it could be
happening
14:36:21 <Sparks> dgilmore: Name one and I'll take it there.
14:36:33 <dgilmore> Sparks: Christian is supposed to follow up with a
proposal
14:36:33 <Sparks> dgilmore: Otherwise, I'll just try to follow up the
best I can.
14:37:34 <dgilmore> Sparks: I think a ticket is needed for the security
team side of the discussion
14:37:42 <dgilmore> that is what Matthew asked for
14:38:01 <Sparks> #action Sparks to follow up on the shipping of
non-Linux binaries of the USB ISO tool.
14:38:11 <Sparks> #action Sparks to create a ticket for the request
14:38:21 <Sparks> dgilmore: Okay, I'll take care of that, then.  Thanks.
14:38:55 <dgilmore>
https://fedoraproject.org/wiki/Changes/LUCasPrimaryDownloadable
14:39:03 <dgilmore> thanks Sparks
14:39:19 <Sparks> #link
https://fedoraproject.org/wiki/Changes/LUCasPrimaryDownloadable
14:39:33 <Sparks> Okay, moving along
14:39:39 <Sparks> #topic Outstanding BZ Tickets
14:39:40 <dgilmore> Sparks: if you have nothing else on your agenda I
would like to give some follow up info on koji
14:39:47 <dgilmore> or at the end
14:39:54 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 88
(+8), Moderate 531 (+11), Low 182 (+2), Total 801 (+21)
14:40:06 <Sparks> dgilmore: Okay, I'll get you some time in just a moment
14:40:12 <Sparks> +Tickets by Severity-+-------+---------+
14:40:12 <Sparks> | Severity | Tickets | Owned | Unowned |
14:40:12 <Sparks> +----------+---------+-------+---------+
14:40:12 <Sparks> | medium   | 531     | 40    | 491     |
14:40:12 <Sparks> | low      | 182     | 13    | 169     |
14:40:14 <Sparks> | high     | 88      | 28    | 60      |
14:40:17 <Sparks> +----------+---------+-------+---------+
14:40:36 <Sparks> I suspect another bug round up would be nice to get
these highs down a bit.
14:41:08 <Sparks> mhayden: You know, it would be nice to get some better
statistics on these tickets.  Where does this code live, again?
14:41:27 <mhayden> the fedora-security-team repo
14:41:32 * Sparks is thinking he might be able to make some additions.
14:41:37 <Sparks> okay
14:41:43 <Sparks> mhayden: I'll send you some patches
14:41:55 <Sparks> Anyone have anything ticket-related to discuss?
14:42:00 <mhayden> hah okay
14:42:54 <Sparks> #topic Private builds in infrastructure for embargoed bits
14:43:02 <Sparks> dgilmore: Okay, go.  :)
14:43:29 <dgilmore> Sparks: thanks
14:43:47 <dgilmore> so koji's policies only have effect when doing builds
and tagging
14:44:00 <dgilmore> and even then they are not very good
14:44:35 <dgilmore> for instance we can not stop someone doing a kernel
etc build who does not have the secure-boot permission
14:44:51 <dgilmore> we can only stop that build being tagged anywhere
14:44:56 * linuxmodder back, will catch up the interim from minutes
14:45:11 <dgilmore> all read items do not have any policy on them
14:45:45 <dgilmore> setting the policy is very fragile and covers a
small subset of things
14:46:20 <Sparks> so far from bullet-proof
14:46:30 <dgilmore> right
14:46:37 <dgilmore> and it does not really confine anything
14:46:47 <dgilmore> it just redirects things
14:47:09 <Sparks> I may be imagining this but didn't you say that this
was a feature request that was being investigated already?
14:47:18 <dgilmore> it may be possible to extend it to cover everything
needed, but that will be a lot of work
14:47:38 <dgilmore> Sparks: it's something that has been asked for since
we moved to koji
14:47:48 <Sparks> Okay
14:48:03 <Sparks> A lot of work?  What else do you have going on over there?
14:48:05 * Sparks ducks
14:48:10 <dgilmore> and every time the conclusion has been it's too much
work, too low a priority for something that will be rarely used
14:48:38 <dgilmore> there are maybe 3 or 4 times a year it would be useful
14:48:38 <Sparks> define "rarely"
14:48:44 <Sparks> true
14:48:50 <dgilmore> at least that we know of
14:48:57 <dgilmore> maybe if it was there it would be used more
14:49:06 <dgilmore> openjdk is the big one that would use it
14:49:09 <Sparks> dgilmore: Perhaps I can get more better numbers
14:49:19 <Sparks> dgilmore: Not saying that your numbers are inaccurate
14:49:23 <dgilmore> openssl maybe
14:49:34 <dgilmore> Sparks: there are a lot of unknowns
14:49:39 <dgilmore> that was our guess
14:50:26 <Sparks> dgilmore: I think I can pull out all the critical and
important vulns that were embargoed prior to release for last year.
14:50:38 <dgilmore> Sparks: one area that is difficult
14:51:09 <dgilmore> take
http://koji.fedoraproject.org/koji/buildinfo?buildID=760088
14:51:20 <dgilmore> it is a java-1.8.0-openjdk build
14:51:27 <dgilmore> say it was embargoed
14:51:44 <dgilmore> and we could hide all evidence of it from koji web
14:52:09 <dgilmore> the rpms and logs all exist
https://kojipkgs.fedoraproject.org//packages/java-1.8.0-openjdk/1.8.0.91/5.b14.fc25/
14:52:26 <dgilmore> you would have to go searching for it
14:52:30 <dgilmore> but it could be found
14:52:35 <Sparks> hmmm
14:52:55 <dgilmore> we likely would have to do something in koji to make
that hidden
14:53:10 <dgilmore> but allow people who need to test it have access
14:53:23 <Sparks> correct
14:53:40 <dgilmore> maybe hiding from koji-web is enough
14:53:56 <dgilmore> but allowing the api to expose it and kojipkgs access
14:54:18 <dgilmore> I am not 100% sure how far we have to go in order to
ensure that it is not leaked
14:54:34 <dgilmore> so I err on the side of we need to limit all access
14:54:38 <Sparks> Well... I suspect having something out there is too much
14:54:42 <Sparks> yes
14:54:55 <Sparks> Okay, we'll continue to work on this and gather
information
14:55:11 <dgilmore> kojipkgs is just apache running serving up data
14:55:17 <Sparks> #action Sparks to get stats on the number of vulns
that were embargoed that affected Fedora/EPEL.
14:55:18 <linuxmodder> so kojipkgs access would be what, proven
packagers?
14:55:24 <dgilmore> there is no application or logic controlling it
14:55:33 <dgilmore> linuxmodder: today its everyone
14:55:59 <dgilmore> something would need to be changed
14:56:19 <dgilmore> maybe instead of /packages they go in /embargo
14:56:23 <linuxmodder> and there is no 'current' way to use fas or
kerberos to restrict that?
14:56:31 <dgilmore> and we have ssl cert auth or something on it
14:56:40 <dgilmore> linuxmodder: not currently
14:57:08 <linuxmodder> so a second Fedora CA cert like koji login
needs now? but only for embargoes?
14:57:10 <dgilmore> putting the output into a different namespace would
be invasive in koji
14:57:15 <dgilmore> but would be doable
14:57:32 <linuxmodder> invasive how?
14:57:32 <dgilmore> linuxmodder: perhaps, or maybe just oauth
14:57:55 <linuxmodder> openid == oauth isn't it
14:57:57 <dgilmore> linuxmodder: invasive in that we would need pretty
significant code changes in koji to do it
14:58:06 <linuxmodder> ah
14:58:17 <dgilmore> and we would need to then have a way to make it
unembargoed that put it in the regular location
14:58:41 <dgilmore> as that's where the tooling that makes repos would
need it
14:59:10 <Sparks> Moar tools!
14:59:16 <linuxmodder> dgilmore, couldn't we just make the /embargo
RO to 'world' users til some expiry date?
14:59:18 <Sparks> Okay, we're getting to the end of our hour
14:59:28 <linuxmodder> or would that still require more code / tools
14:59:50 <dgilmore> so in summary what d-caf looked at is just a small
part of how it could be implemented
15:00:14 <dgilmore> but I guess that is more than dist-git and bodhi have
15:00:31 * linuxmodder still doesn't get dist-git fully
15:01:00 <dgilmore> linuxmodder: dist-git is a few separate things
15:01:10 <dgilmore> cgit just reads what's on disk
15:01:36 <sct> Time for modularity WG meeting, is the previous meeting
still running?
15:01:38 <Sparks> Okay, let's take this to the list or #fedora-security-team.
15:01:52 <sct> Thanks!
15:01:53 <Sparks> Thanks everyone for coming.  Catch you all on the tubez!
15:01:56 <Sparks> #endmeeting

------------------------------

End of security-team Digest, Vol 22, Issue 6
********************************************