Security Team Meeting Minutes for 2016-06-09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ======================================================================== ============================== #fedora-meeting: Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings ======================================================================== ============================== Meeting started by Sparks at 14:00:46 UTC. The full logs are available at https://meetbot.fedoraproject.org/fedora-meeting/2016-06-09/fedora_secur ity_team.2016-06-09-14.00.log.html . Meeting summary - --------------- * Roll Call (Sparks, 14:00:51) * Apprenticeship (Sparks, 14:10:28) * ACTION: linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship training and report back next week (Sparks, 14:25:11) * Windows/OS X Tools in F25 (Sparks, 14:31:28) * LINK: https://fedorahosted.org/fedora-security-team/ticket/1 (Sparks, 14:31:43) * LINK: https://github.com/lmacken/liveusb-creator (zoglesby, 14:39:59) * LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1310542 (zoglesby, 14:41:09) * Open floor discussion/questions/comments (Sparks, 14:47:10) Meeting ended at 14:51:35 UTC. Action Items - ------------ * linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship training and report back next week Action Items, by person - ----------------------- * jtaylor90 * linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship training and report back next week * linuxmodder * linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship training and report back next week * **UNASSIGNED** * (none) People Present (lines said) - --------------------------- * Sparks (51) * zoglesby (36) * linuxmodder (20) * zodbot (10) * nb (5) * jtaylor90 (5) * Astradeus (3) * mhayden (3) 14:00:46 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings 14:00:46 <zodbot> Meeting started Thu Jun 9 14:00:46 2016 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:46 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:00:46 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security _team_meetings' 14:00:49 <Sparks> #meetingname Fedora Security Team 14:00:49 <zodbot> The meeting name has been set to 'fedora_security_team ' 14:00:51 <Sparks> #topic Roll Call 14:00:52 * Sparks 14:02:41 <linuxmodder> .fas linuxmodder 14:02:41 <zodbot> linuxmodder: linuxmodder 'Corey W Sheldon' <sheldon.corey(a)openmailbox.org&gt; 14:02:52 <linuxmodder> laggy connect today fyi 14:03:30 * zoglesby is here 14:03:57 <mhayden> .hello mhayden 14:03:58 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net&gt; 14:04:28 <jtaylor90> .fas jtaylor 14:04:29 <zodbot> jtaylor90: jraytay 'Jason Taylor' <jtaylor48(a)san.rr.com&gt; - jtaylor '' <jtfas90(a)gmail.com&gt; - jtaylor0175 'Jeffrey Scott Taylor' <jst293(a)yahoo.com&gt; 14:04:45 <jtaylor90> lol there is more than one of me 14:06:48 <Sparks> jtaylor90: That's just scary 14:06:53 <Sparks> zoglesby: You here today? 14:06:57 <Sparks> jsmith: ^^^ 14:07:04 <zoglesby> yes, I even said so 14:07:09 <Sparks> Yes, yes you did. 14:07:18 <Sparks> #chair linuxmodder mhayden jtaylor90 zoglesby 14:07:18 <zodbot> Current chairs: Sparks jtaylor90 linuxmodder mhayden zoglesby 14:07:24 <nb> I think I .hello nb 14:07:26 <nb> oops 14:07:29 <nb> .hello nb 14:07:30 <zodbot> nb: nb 'Nick Bebout' <nb(a)nb.zone&gt; 14:07:36 <mhayden> howdy nb 14:07:41 * mhayden just sent out this week's stats 14:08:04 * linuxmodder looks in tb for email 14:09:19 <linuxmodder> that's alot of unowned NEW 14:10:22 <Sparks> Okay, I want to skip over all the meeting stuff and go straight into the meat of the meeting. 14:10:28 <Sparks> #topic Apprenticeship 14:10:35 <Sparks> zoglesby: Where are we on this? 14:11:15 <zoglesby> We have a plan, it needs but into action, and I think we need to talk about how to do that. 14:11:30 <Sparks> Okay, lets talk 14:11:32 <zoglesby> It is my opinion that this has stalled because we did not have a clear next step 14:12:41 <Sparks> zoglesby: What do you propose? 14:13:12 <zoglesby> I don't have a good answer, or I would have just started to do it. 14:13:55 <zoglesby> maybe we need a ginnie pig 14:14:05 * Sparks eyes nb 14:14:13 <zoglesby> and by that I mean guinea pig 14:14:36 <jtaylor90> a guinea pig to test out the process? 14:14:41 <Sparks> yes 14:15:16 <nb> Sparks, hello 14:15:29 <nb> you were eying me? 14:15:38 <linuxmodder> missed that what we talking about atm? 14:15:52 <zoglesby> guinea pigs 14:16:07 <jtaylor90> I would be willing to be a guinea pig 14:16:07 <linuxmodder> GP for what exactly? 14:16:09 <zoglesby> they are cute, we want them. Not to eat 14:16:27 <zoglesby> For testing the Apprenticeship process out 14:16:33 <linuxmodder> c0mrad3, you around ? 14:16:37 <linuxmodder> skamath, same 14:16:47 <linuxmodder> I can be a GP then 14:17:46 <zoglesby> I am not saying no, but it would be best to have someone who was not a part of the setup of the process doing it. 14:17:58 <Astradeus> hi, sorry for being late 14:19:43 <Sparks> zoglesby: Okay, looks like we have a few takers here. 14:20:37 <zoglesby> sorry, trying to find the wiki page 14:21:18 <zoglesby> Okay, if you want to be a guinea pig, please start working on the items on https://fedoraproject.org/wiki/Security_Team_Apprenticeship 14:21:30 <zoglesby> At next weeks meeting we will talk about it. 14:21:41 <zoglesby> Can I now get a list of people who are going to do s o? 14:22:10 <jtaylor90> zoglesby: me 14:22:43 <linuxmodder> ! 14:22:50 <linuxmodder> zoglesby, I'm in 14:24:46 <Astradeus> i can look at it again, but it's not really something i can solve as a task - i've already looked at most of the linked documents 14:24:53 <Astradeus> but i'll do that until next meeting 14:25:11 <Sparks> #action linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship training and report back next week 14:25:18 <zoglesby> beat me to it 14:25:27 <Sparks> zoglesby: Sorry, I can undo it so you can do it. 14:25:32 <zoglesby> no 14:27:15 <Sparks> zoglesby: Okay, anything else on this topic? 14:27:29 <zoglesby> Nope, I think that is it. 14:27:42 <Sparks> Great, thanks. 14:27:46 <Sparks> zoglesby++ 14:27:58 <Sparks> linuxmodder++ 14:27:58 <zodbot> Sparks: Karma for linuxmodder changed to 15 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any 14:28:00 <linuxmodder> any specific metrics or feedback Sparks zoglesby on the Apprentice track? 14:28:05 <Sparks> jtaylor90++ 14:28:21 <Sparks> linuxmodder: Yes, does it make you feel prepared. 14:28:22 <Sparks> :) 14:28:28 <linuxmodder> beyond the obvious this has dead link or needs clarity 14:30:14 <Sparks> linuxmodder: Did you see my comment? 14:30:19 <linuxmodder> yes 14:30:29 <linuxmodder> about preparedness 14:31:22 <Sparks> Okay 14:31:25 <Sparks> Moving on 14:31:28 <Sparks> #topic Windows/OS X Tools in F25 14:31:40 <Sparks> #link https://fedorahosted.org/fedora-security-team/ticket/1 14:31:43 <Sparks> #link https://fedorahosted.org/fedora-security-team/ticket/1 14:31:48 <Sparks> I dropped the ball on this one... 14:31:59 <Sparks> I need some input from others on this. 14:34:23 <zoglesby> In the ticket? 14:35:18 <zoglesby> Not signing binaries for any platform is not acceptable in my book. 14:35:52 <zoglesby> If it costs a little money, Red Hat makes a lot of that. (and I am sure they have code signing keys already that could be used) 14:36:03 <Sparks> zoglesby: Right, and what about building them offsite (not in FP infrastructure)? 14:37:18 <zoglesby> I don't think doing it at someones desk is a good idea, but I am sure we can find a way to deal with it. 14:37:35 <Sparks> mattdm: You around? 14:37:39 <zoglesby> The issue is that it can't be built on Linux for windows correct? 14:37:46 <Sparks> I'm not sure. 14:38:53 <zoglesby> 14:35:26 <dgilmore> koji supports windows natively and it may be possible for to use mingw to cross somplie if they switch to c++ 14:39:18 <Sparks> Well, that sounds like a rewrite of the software. 14:39:59 <zoglesby> https://github.com/lmacken/liveusb-creator 14:40:16 <zoglesby> python and pyqt 14:41:03 <linuxmodder> is the old FedoraUSBCreator not still a go for Windows? 14:41:04 <linuxmodder> what infra you thinking Sparks ? 14:41:06 <linuxmodder> for offsite build 14:41:09 <zoglesby> https://bugzilla.redhat.com/show_bug.cgi?id=1310542 14:41:18 <Sparks> So I guess the overarching question for us is what should we enforce. Everything should be signed and for things to be signed it needs to be built in-house. That sound good? 14:41:33 <linuxmodder> cross compile is possible but security wise a utter pita and mess 14:41:47 <zoglesby> Sparks: no 14:41:48 <linuxmodder> its presently in py yes? 14:41:55 <Sparks> I don't think we have the resources for a code review. 14:42:13 <zoglesby> I am okay with using a 3rd party build infra for this item. I am not okay with using someones desktop pc for it 14:42:13 <Sparks> linuxmodder: I'm trying to think more generally than this specific piece of software. 14:42:47 <Sparks> I'm not sure we can validate the binary if we don't build it ourselves. 14:42:54 <Sparks> s/can/should 14:43:16 <zoglesby> As long as infra can have people checking in on the build system (or us) I think it is okay to use something else for this. Doing it on a PC at someones home/work means they are the gatekeeper. 14:43:48 <zoglesby> I would like to find out what the actual build process is. 14:44:10 <Sparks> zoglesby: Can you add these comments to the ticket? 14:44:39 <zoglesby> Its python and pyqt. I can't think you need to build on windows for that. My reading is that koji has no support for it . 14:45:07 <zoglesby> If that is the case I say they do it on a VM in fedora infra. 14:45:14 <zoglesby> Sparks: sure 14:46:41 <zoglesby> done 14:47:09 <Sparks> Okay, we're running a bit late... Lets just skip to the end. 14:47:10 <Sparks> #topic Open floor discussion/questions/comments 14:47:13 <Sparks> Anyone have anything? 14:48:13 <zoglesby> only that hour has gone by very slow 14:48:24 <Sparks> heh 14:49:25 <Sparks> Anyone else? 14:51:00 <Sparks> Okay, lets go ahead and secure the meeting, then. Everyone have a good day! 14:51:35 <Sparks> #endmeeting -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJXWYLZAAoJED4nr8JXHVrFqfkIAJh5NbrOLlgDXT+qjUpqRive 64BfOx4fMzgyx8Va/PWki9lSwB8zzLe89Bld6spaKbeuTJyCpI1t2X8wl3ZLgC8R ohrXaPQpCnzRFCIuWZsjG0V6DMFy8ST/xdmyzZEe8DoIuZzlEIEQ1VFbAYUlKph9 y6LC6ALcm7cbk2Nrszxmpo58XQnUut9FeQAcXNVBnTL36drd6jURrV7D9CQu1TUu P233gR0U7u9J/Y6MO+NaujsmQxs6fAlHUuxalLfgjTh5oBGVElt/H1sDhcrU6aCm rJKvWVc0SdFgiuWToJrtC1Q0uWezO1kE7hkwkV+qO+iDxqNqL+xdRGdCK3OKAfg= =YciJ -----END PGP SIGNATURE-----