Thanks a lot


------------------ Original Message ------------------
From: "security-team-request";<security-team-request@lists.fedoraproject.org>;
Sent: Thursday, April 7, 2016, 11:18 PM
To: "security-team"<security-team@lists.fedoraproject.org>;
Subject: security-team Digest, Vol 21, Issue 6

Today's Topics:

   1. Security Team meeting minutes for 2016-03-31 (Eric Christensen)
   2. [Fedocal] Reminder meeting : Security Team Meeting
      (nobody@fedoraproject.org)
   3. Fedora Security Team Report - 2016-04-07 (Major Hayden)
   4. Security Team meeting minutes for 2016-04-07 (Tummala Dhanvi)


----------------------------------------------------------------------

Date: Thu, 31 Mar 2016 14:35:50 -0000
From: "Eric Christensen" <sparks@redhat.com>
Subject: Security Team meeting minutes for 2016-03-31
To: security-team@lists.fedoraproject.org
Message-ID:
<20160331143550.19209.14314@mailman01.phx2.fedoraproject.org>
Content-Type: text/plain; charset="utf-8"

======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================


Meeting started by Sparks at 14:00:03 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-03-31/fedora_security_team.2016-03-31-14.00.log.html
.



Meeting summary
---------------
* Roll Call  (Sparks, 14:00:09)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better"  (Sparks, 14:08:12)

* Follow up on last week's tasks  (Sparks, 14:08:38)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over)  (Sparks, 14:09:01)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs (carried over)  (Sparks, 14:09:11)
  * ACTION: pjp and d-caf to work on the feature requests for Koji and
    Bodhi for private builds for embargoed vulnerabilities.  (Sparks,
    14:10:05)
  * ACTION: Sparks to contact gd to see if he is working on a patch for
    samba in Fedora.  (Sparks, 14:10:14)

* Apprenticeship  (Sparks, 14:10:38)
  * zoglesby sent a message to the list regarding Apprenticeship
    training  (Sparks, 14:10:58)
  * LINK:
    https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/NCCG4ZFQ4IWA62OV4FVAIOMJQPE6Y7NR/
    (Sparks, 14:11:05)
  * Tummala Dhanvi UTC+5:30, CommOps,Docs,Security,*  (c0mrad3,
    14:12:55)
  * ACTION: everyone read the security docs  (zoglesby, 14:14:11)

* Outstanding BZ Tickets  (Sparks, 14:17:27)
  * Thursday's numbers: Critical 0 (0), Important 67 (0), Moderate 485
    (0), Low 171 (+2), Total 723  (Sparks, 14:17:34)

* Open floor discussion/questions/comments  (Sparks, 14:26:06)
  * d-caf will mentor c0mrad3  (Sparks, 14:30:34)
  * zoglesby will mentor Astradeus  (Sparks, 14:31:08)

Meeting ended at 14:34:08 UTC.




Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
  over)
* Sparks to figure out how FST members can get access to Fedora security
  bugs (carried over)
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
  private builds for embargoed vulnerabilities.
* Sparks to contact gd to see if he is working on a patch for samba in
  Fedora.
* everyone read the security docs




Action Items, by person
-----------------------
* d-caf
  * pjp and d-caf to work on the feature requests for Koji and Bodhi for
    private builds for embargoed vulnerabilities.
* Sparks
  * Sparks to figure out how FST members can get access to Fedora
    security bugs (carried over)
  * Sparks to contact gd to see if he is working on a patch for samba in
    Fedora.
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)
  * everyone read the security docs




People Present (lines said)
---------------------------
* Sparks (60)
* d-caf (19)
* c0mrad3 (16)
* zoglesby (13)
* zodbot (6)
* Astradeus (4)
* mhayden (3)

14:00:03 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:03 <zodbot> Meeting started Thu Mar 31 14:00:03 2016 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:03 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:03 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:06 <Sparks> #meetingname Fedora Security Team
14:00:06 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:09 <Sparks> #topic Roll Call
14:00:10 * Sparks
14:00:20 * d-caf
14:01:10 * mhayden woots
14:03:06 <Sparks> zoglesby jsmith: Good morning!
14:03:42 <zoglesby> yeah, yeah. I am here
14:06:08 * Sparks gives everyone a few more minutes to arrive
14:06:13 <Astradeus> hi :)
14:06:43 <d-caf> Astradeus: HI!!
14:07:58 <Sparks> Astradeus: Welcome
14:08:06 <Sparks> Okay, let's get started
14:08:12 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:08:29 <Sparks> #chair d-caf mhayden zoglesby Astradeus
14:08:29 <zodbot> Current chairs: Astradeus Sparks d-caf mhayden zoglesby
14:08:38 <Sparks> #topic Follow up on last week's tasks
14:08:50 * Sparks notes pjp isn't here today
14:09:01 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over)
14:09:11 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs (carried over)
14:09:28 <Sparks> d-caf: Did you work on the Koji and Bodhi private builds topic?
14:09:47 <d-caf> Sparks: No was out traveling all last week, so getting ramped back up this week, sorry
14:09:56 <Sparks> no problem
14:10:05 <Sparks> #action  pjp and d-caf to work on the feature requests for Koji and Bodhi for private builds for embargoed vulnerabilities.
14:10:14 <Sparks> #action  Sparks to contact gd to see if he is working on a patch for samba in Fedora.
14:10:33 <Sparks> Okay, that's all from last week...  I think we got one thing marked off.
14:10:38 <Sparks> #topic Apprenticeship
14:10:58 <Sparks> #info zoglesby sent a message to the list regarding Apprenticeship training
14:11:05 <Sparks> #link https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/NCCG4ZFQ4IWA62OV4FVAIOMJQPE6Y7NR/
14:11:06 <zoglesby> I did that!
14:11:14 <Sparks> zoglesby: Would you like to lead this discussion?
14:11:38 <zoglesby> no, I think I said in the email we don't need to talk about it here :)
14:11:40 <d-caf> zoglesby: thanks, helped prod me to remember to add two more training links I found (added this morning)
14:11:57 * c0mrad3 hi guys
14:12:01 <zoglesby> but really, please read the docs and reply to the list what you think are good for entry level security folks
14:12:53 <zoglesby> We don't want to make the list too large, so once we have a list of stuff we may need to make it shorter, but we need to start with something before we can do that
14:12:55 <c0mrad3> #info Tummala Dhanvi UTC+5:30, CommOps,Docs,Security,*
14:12:56 <d-caf> speaking of apprenticeship, welcome c0mrad3 who mentioned wanting to join the apprenticeship
14:13:12 <c0mrad3> yes :)
14:13:41 <zoglesby> Sparks: that is all I have for this topic
14:13:53 <Sparks> zoglesby: I actually had a dream that we finished doing this.
14:14:11 <zoglesby> #action everyone read the security docs
14:14:15 <mhayden> the list there in the wiki is quite comprehensive
14:14:24 <c0mrad3> what about the reading material for apprenticeship
14:14:24 <Sparks> Okay, so I'll reply to the list and let's see if we can get this done before the next meeting
14:14:43 <c0mrad3> I think I have seen an email about the same
14:15:00 <zoglesby> mhayden: yep, that is the issue. We need a smaller list. We don't want to cause information overload
14:15:10 <Sparks> c0mrad3: Yeah, that's what we're talking about...  the email.  :)
14:15:17 <mhayden> perhaps we break it up into experience/maturity level?
14:15:39 <zoglesby> that is the plan, but we wanted to start with lowest level first
14:15:40 <d-caf> c0mrad3: There is a page here #link
14:15:45 <Sparks> mhayden: Yeah, we need to pull from that list what we think would be important for an apprentice to know
14:15:52 <d-caf> c0mrad3: There is a page here #link https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Reading
14:16:17 <d-caf> that we are building for apprenticeship, feel free to take a look and add any comments to the email list on your take coming in fresh
14:16:30 <c0mrad3> sure d-caf
14:16:54 <Sparks> Okay, let's move on
14:16:59 <d-caf> but mostly we need to find some focused security training from this page that's good for new people in security (there is a lot there) #link https://fedoraproject.org/wiki/Information_Security_Training
14:17:20 * Sparks skips the discussion regarding handling embargoed vulnerabilities for now
14:17:27 <Sparks> #topic Outstanding BZ Tickets
14:17:34 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 67 (0), Moderate 485 (0), Low 171 (+2), Total 723
14:17:41 <Sparks> +Tickets by Severity-+-------+---------+
14:17:41 <Sparks> | Severity | Tickets | Owned | Unowned |
14:17:42 <Sparks> +----------+---------+-------+---------+
14:17:42 <Sparks> | medium   | 485     | 40    | 445     |
14:17:42 <Sparks> | low      | 171     | 13    | 158     |
14:17:43 <Sparks> | high     | 67      | 30    | 37      |
14:17:46 <Sparks> +----------+---------+-------+---------+
14:18:11 <Sparks> Would someone like to start poking through the highs and see if we can mark any of them an easy fix?
14:18:22 <Sparks> easy fix == upstream has already released a fix
14:18:41 <d-caf> I've been working a few tickets the last two weeks, finally have movement and resolution on git and latex2rtf
14:19:09 <Sparks> woot!
14:19:12 <Sparks> d-caf++
14:19:13 <c0mrad3> I think git 1.8 have fixed a vuln
14:19:23 <Sparks> grr
14:19:46 <d-caf> d-caf vs dcafaro... I have too many handles...
14:20:20 <d-caf> Git is now 2.5.5 in fc23
14:20:21 <c0mrad3> dcafaro++
14:20:21 <zodbot> c0mrad3: Karma for dcafaro changed to 2 (for the f23 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:20:33 <Sparks> Yeah, that one.
14:20:35 <d-caf> fc22 also got an update
14:20:46 <Sparks> d-caf: You should really put your IRC nick into FAS.  :)
14:21:20 <c0mrad3> correction git 2.8! had fixed a vuln which is introduced in 2.7
14:21:20 <d-caf> Oh, yeah, that's probably a good idea :-)
14:21:45 <d-caf> v2.8 is FC24 and rawhide
14:22:00 <c0mrad3> or Sparks you can type his old handle like me :)
14:22:03 <d-caf> but patches are back ported to older versions for stability purposes when security
14:22:17 * c0mrad3 new to all these
14:25:27 <Sparks> Anything else regarding vulnerabilities?
14:26:06 <Sparks> #topic Open floor discussion/questions/comments
14:26:16 <Sparks> Anyone have anything?
14:27:01 <c0mrad3> !
14:27:12 <Sparks> c0mrad3: Go
14:27:37 <c0mrad3> Can some one mentor me for the first few bugs so that I get used to the work cycle of the team ?
14:27:54 <Astradeus> same request here :)
14:28:31 <Sparks> zoglesby: I believe you were the one that figured out what a mentor is...
14:29:19 <d-caf> I am willing to help try and mentor through a but or to, hit me up on email.  But i've got to head off to another meeting now
14:29:21 <Astradeus> i'd just like to follow the path one takes to close a bug - i think i can manage my own way from there
14:29:26 <d-caf> but/bug...
14:29:56 <Sparks> d-caf: Why don't you take c0mrad3
14:30:07 <Sparks> Astradeus: Either zoglesby or I will help you.
14:30:14 <Astradeus> thanks :)
14:30:24 <c0mrad3> cool
14:30:28 <d-caf> Sparks: sure c0mrad3 email me
14:30:34 <Sparks> #info d-caf will mentor c0mrad3
14:30:36 <zoglesby> sorry, was talking to someone else.
14:30:43 <zoglesby> That works for me
14:30:50 <Sparks> zoglesby: Do you want to mentor Astradeus?
14:31:04 <zoglesby> Sure, why not
14:31:08 <Sparks> #info zoglesby will mentor Astradeus
14:31:10 <Sparks> Great!
14:31:20 <Sparks> Okay, anyone have anything else?
14:31:46 <c0mrad3> zoglesby: I will ping you also if I am stuck somewhere
14:32:34 <zoglesby> c0mrad3: talk to d-caf first. He is going to mentor you, but feel free to reach out to me, or anyone else if he can't help for any reason
14:33:05 <c0mrad3> sure zoglesby, I will make sure I will ping d-caf first
14:33:08 <Sparks> If no one has anything else they wish to discuss, we'll close for the day (and I'll have a few minutes to catch up before my next meeting)
14:34:05 <Sparks> Okay, thanks everyone for coming out today.
14:34:08 <Sparks> #endmeeting

------------------------------

Date: Wed,  6 Apr 2016 14:00:03 +0000 (UTC)
From: nobody@fedoraproject.org
Subject: [Fedocal] Reminder meeting : Security Team Meeting
To: security-team@lists.fedoraproject.org
Message-ID:
<20160406140003.93BF860795CC@fedocal02.phx2.fedoraproject.org>
Content-Type: text/plain; charset="utf-8"

Dear all,

You are kindly invited to the meeting:
   Security Team Meeting on 2016-04-07 from 14:00:00 to 15:00:00 UTC
   At fedora-meeting@irc.freenode.net

The meeting will be about:

More information available at:
https://fedoraproject.org/wiki/Security_Team_meetings


Source: https://apps.fedoraproject.org/calendar/meeting/2849/


------------------------------

Date: Thu, 7 Apr 2016 08:51:31 -0500
From: Major Hayden <major@mhtx.net>
Subject: Fedora Security Team Report - 2016-04-07
To: Fedora Security Team <security-team@lists.fedoraproject.org>
Message-ID: <570665E3.4070601@mhtx.net>

 __           _
/ _|  ___  __| | ___  _ __ __ _
| |_ / _ \/ _` |/ _ \| '__/ _` |  Fedora Security Team Report
|  _|  __/ (_| | (_) | | | (_| |  Report date: 2016-04-07 08:50:26.050488
|_|  \___|\__,_|\___/|_|  \__,_|  Data from: 2016-04-07
-------------------------------------------------------------------------------

+Tickets by Priority----+-------+---------+
| Priority    | Tickets | Owned | Unowned |
+-------------+---------+-------+---------+
| medium      | 495     | 40    | 455     |
| low         | 167     | 13    | 154     |
| high        | 70      | 27    | 43      |
| unspecified | 3       | 2     | 1       |
+-------------+---------+-------+---------+
+Tickets by Status---+-------+---------+
| Status   | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| NEW      | 650     | 71    | 579     |
| ON_QA    | 49      | 5     | 44      |
| ASSIGNED | 23      | 6     | 17      |
| MODIFIED | 13      | 0     | 13      |
+----------+---------+-------+---------+
+Tickets by Severity-+-------+---------+
| Severity | Tickets | Owned | Unowned |
+----------+---------+-------+---------+
| medium   | 495     | 40    | 455     |
| low      | 167     | 13    | 154     |
| high     | 73      | 29    | 44      |
+----------+---------+-------+---------+
+Tickets by Component-----+-------+---------+
| Component     | Tickets | Owned | Unowned |
+---------------+---------+-------+---------+
| cacti         | 14      | 0     | 14      |
| imlib2        | 13      | 0     | 13      |
| mingw-jasper  | 12      | 0     | 12      |
| jasper        | 12      | 0     | 12      |
| bugzilla      | 11      | 1     | 10      |
| glib2         | 11      | 0     | 11      |
| mingw-libxml2 | 10      | 0     | 10      |
| qemu          | 9       | 4     | 5       |
| libxml2       | 9       | 0     | 9       |
| optipng       | 8       | 0     | 8       |
+---------------+---------+-------+---------+
+Tickets by Distro Version-+-------+---------+
| Distro Version | Tickets | Owned | Unowned |
+----------------+---------+-------+---------+
| el6            | 263     | 40    | 223     |
| 23             | 219     | 15    | 204     |
| 22             | 106     | 1     | 105     |
| el5            | 85      | 23    | 62      |
| epel7          | 55      | 3     | 52      |
| 24             | 3       | 0     | 3       |
| rawhide        | 3       | 0     | 3       |
| 21             | 1       | 0     | 1       |
+----------------+---------+-------+---------+

--
Major Hayden



------------------------------

Date: Thu, 7 Apr 2016 20:47:49 +0530
From: Tummala Dhanvi <dhanvi@fedoraproject.org>
Subject: Security Team meeting minutes for 2016-04-07
To: security-team@lists.fedoraproject.org
Message-ID: <CAMOUyJ-qvB3gqEUx7U6L7MW5cWVmMXygivN75aOM+LZXVxxfSQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================


Meeting started by c0mrad3 at 14:25:50 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting/2016-04-07/fedora_security_team.2016-04-07-14.25.log.html
.



Meeting summary
---------------
* Follow up on last week's tasks  (Astradeus, 14:27:36)
  * LINK:
    https://git.fedorahosted.org/cgit/fedora-security-team.git/tree/report_generator.py
    (Astradeus, 14:32:03)

* Outstanding BZ Tickets  (Astradeus, 14:33:08)

* Open floor discussion/questions/comments  (c0mrad3, 14:40:21)

Meeting ended at 14:56:09 UTC.




Action Items
------------





Action Items, by person
-----------------------
* **UNASSIGNED**
  * (none)




People Present (lines said)
---------------------------
* Astradeus (38)
* c0mrad3 (23)
* zodbot (5)

14:25:50 <c0mrad3> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:25:50 <zodbot> Meeting started Thu Apr  7 14:25:50 2016 UTC.  The
chair is c0mrad3. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:25:50 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:25:50 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:26:25 <c0mrad3> #chair Astradeus
14:26:25 <zodbot> Current chairs: Astradeus c0mrad3
14:27:14 <Astradeus> i think we can skip roll call ;)
14:27:36 <Astradeus> #topic Follow up on last week's tasks
14:28:38 <c0mrad3> #meetingname Fedora Security Team
14:28:38 <zodbot> The meeting name has been set to 'fedora_security_team'
14:29:22 <Astradeus> neither of d-caf, Sparks, pjp or zoglesby are in
the channel, so we do not have any updates from any tasks
14:30:18 <c0mrad3> yes I am not sure where to get the Outstanding BZ
Tickets Astradeus
14:30:37 <Astradeus> ah, mhayden sent them out via email
14:30:57 <Astradeus> there is a script somewhere querying the bugzilla
and compiling a report
14:32:03 <Astradeus> #link
https://git.fedorahosted.org/cgit/fedora-security-team.git/tree/report_generator.py
14:32:03 <c0mrad3> Astradeus: let's hit the open floor and discuss
something else
14:32:42 <Astradeus> let's do the numbers first
14:32:50 <c0mrad3> Astradeus: I will try running the script and post it here
14:32:57 <c0mrad3> ack
14:33:08 <Astradeus> #topic Outstanding BZ Tickets
14:33:22 <Astradeus> +Tickets by Severity-+-------+---------+
14:33:23 <Astradeus> | Severity | Tickets | Owned | Unowned |
14:33:23 <Astradeus> +----------+---------+-------+---------+
14:33:23 <Astradeus> | medium   | 495     | 40    | 455     |
14:33:23 <Astradeus> | low      | 167     | 13    | 154     |
14:33:25 <Astradeus> | high     | 73      | 29    | 44      |
14:33:27 <Astradeus> +----------+---------+-------+---------+
14:34:17 <c0mrad3> Astradeus: cool!
14:35:04 <c0mrad3> tickets are increasing since the last week
14:35:12 <Astradeus> c0mrad3: are you already on the mailinglist? you
should have received the mail from mhayden.
14:35:52 <Astradeus> yes, medium and high have increased, and low
tickets have decreased
14:35:53 <c0mrad3> Astradeus: just now looked at them it's like 43 min ago
14:38:17 <Astradeus> Critical 0 (0), Important 73 (+6), Moderate 495
(+10), Low 167 (-4), Total 735 (+12)
14:39:45 <Astradeus> i do have one ticket i probably can close this
week without additional support, but I still hope the mentoring thing
works out sometime this week :)
14:39:49 <Astradeus> next topic?
14:40:21 <c0mrad3> #topic Open floor discussion/questions/comments
14:40:53 <c0mrad3> Astradeus: did you contact your mentor on fixing
your first bug ?
14:41:50 <Astradeus> no, we did not write this week - it also has been
quite busy from my dayjob, so i did not have too much time myself.
14:43:09 <Astradeus> how about you?
14:43:29 <c0mrad3> me too did not email him I was attending a
hackathon, I will email him after this meeting
14:43:58 <Astradeus> so busy too :)
14:44:57 <c0mrad3> Also need to read a lot of wiki and get used to the
work cycle, and I have many doubts in my mind to clear
14:45:24 <Astradeus> any questions which might be quick to answer?
14:46:25 <c0mrad3> like what should we do if the vuln is fixed
upstream in a newer version, should we package the newer one and send
it as security update ?
14:47:17 <Astradeus> first contact the maintainer, usually the
maintainer then builds a new update
14:47:36 <c0mrad3> what if they won't patch for the current version of
the software ?
14:47:49 <Astradeus> it is sent as a regular update currently, because
there is no special treatment for security patches currently
14:48:16 <Astradeus> we give them some timeframe we wait for a response
14:48:55 <c0mrad3> so all we do is look for security bugs and make
sure that the maintainer updates the new package without the vuln ?
14:49:04 <Astradeus> if there is no answer and the vulnerability is
serious, people from the proven-packagers-group can also package
software and push it to the mirrors
14:49:12 <Astradeus> primarily, yes
14:49:35 <c0mrad3> okay! any other things that we do ?
14:51:03 <Astradeus> currently thinking about ways how to push
security patches faster through the mirrors
14:51:28 <c0mrad3> ack, let's end the meeting
14:51:46 <Astradeus> as the fedora security team is still building up
- how to establish trust
14:52:24 <Astradeus> because e.g. the redhat security people or the
debian security people do get information way earlier (embargoed
vulns)
14:52:48 <c0mrad3> yes I get it the vulns shouldn't be shown to every one
14:53:20 <Astradeus> so fedora could be faster to push patches if we
have a group which is trusted to see embargoed vulns
14:53:55 <Astradeus> (at least for some time - i'm definitely on the
side that vulns should be public after some reasonable timeframe)
14:54:18 <Astradeus> i think those two things are currently the main issues
14:54:31 <c0mrad3> only after they are fixed / updates are available
14:54:43 <c0mrad3> they should be made public
14:55:08 <Astradeus> ah, and maybe to try to be advisors for security
questsions other fedora-groups might have
14:55:39 <Astradeus> *questions
14:56:07 <Astradeus> or questions regular fedora-users might have
14:56:09 <c0mrad3> #endmeeting


--
Regards
Tummala Dhanvi

https://www.dhanvi.org
"Only thing that can never be 'RE-CYCLED' is 'WASTED TIME' ".

------------------------------

End of security-team Digest, Vol 21, Issue 6
********************************************