Meeting started by Sparks at 14:00:21 UTC. The full logs are available
at http://meetbot.fedoraproject.org/fedora-meeting/2015-11-05/fedora_securit...
Meeting summary
---------------
* Roll Call (Sparks, 14:00:26)
* LINK:
https://lists.fedoraproject.org/pipermail/security-team/2015-November/000...
(mhayden, 14:05:21)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:14:32)
* Follow up on last week's tasks (Sparks, 14:15:03)
* ACTION: Sparks to talk with mattdm regarding private security
tickets in BZ. (Sparks, 14:15:26)
* This was started but hasn't really moved forward. (Sparks,
14:15:42)
* ACTION: Sparks to discuss using Bluejeans for an online GPG key
signing event (Sparks, 14:15:50)
* This isn't mandatory so if you don't feel comfortable participating
or don't feel comfortable with not holding an ID in your hands then
you don't have to participate. (Sparks, 14:18:05)
* ACTION: mhayden to get Astradeus' changes to the stats script into
the fedora-security-team git repo (Sparks, 14:22:29)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:23:37)
* Education and Training (Sparks, 14:23:42)
* LINK:
https://fedoraproject.org/wiki/Information_Security_Training
(Sparks, 14:23:49)
* LINK:
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm -
should it be there? (fenrus02, 14:25:27)
* LINK:
https://wiki.mozilla.org/Security/Server_Side_TLS .. and ..
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ?
or too much detail ? (fenrus02, 14:27:53)
* Astradeus' changes for the script are now merged ;) (mhayden,
14:27:59)
* Outstanding BZ Tickets (Sparks, 14:31:29)
* Thursday's numbers: Critical 1 (0), Important 40 (0), Moderate 457
(+11), Low 170 (+8), Total 668 (Sparks, 14:31:36)
* Current tickets owned: 85 (Sparks, 14:31:42)
* IDEA: FST gets copied on critical and important CVEs that come to
Fedora/EPEL. (Sparks, 14:34:49)
* ACTION: Sparks to work with PST to get our mailing list included on
BZ tickets for critical and important CVEs. (Sparks, 14:39:03)
* Apparently FST members can't look at security bugs. This is likely
a problem if we're supposed to be fixing such things. (Sparks,
14:40:32)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (Sparks, 14:40:47)
* Anyone finding a security bug in Fedora that doesn't have a CVE
should let PST know so we can get a CVE issued. secalert(a)redhat.com
(Sparks, 14:41:32)
* Open floor discussion/questions/comments (Sparks, 14:43:34)
Meeting ended at 14:46:52 UTC.
Action Items
------------
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to discuss using Bluejeans for an online GPG key signing event
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to work with PST to get our mailing list included on BZ
tickets for critical and important CVEs.
* Sparks to figure out how FST members can get access to Fedora security
bugs
Action Items, by person
-----------------------
* Astradeus
* mhayden to get Astradeus' changes to the stats script into the
fedora-security-team git repo
* mattdm
* Sparks to talk with mattdm regarding private security tickets in BZ.
* mhayden
* mhayden to get Astradeus' changes to the stats script into the
fedora-security-team git repo
* Sparks
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to discuss using Bluejeans for an online GPG key signing
event
* Sparks to work with PST to get our mailing list included on BZ
tickets for critical and important CVEs.
* Sparks to figure out how FST members can get access to Fedora
security bugs
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
People Present (lines said)
---------------------------
* Sparks (72)
* mhayden (17)
* fenrus02 (6)
* Astradeus (6)
* zodbot (4)
* mattdm (3)
* rishi (2)
* jsmith (1)
14:00:21 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:21 <zodbot> Meeting started Thu Nov 5 14:00:21 2015 UTC. The chair is
Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:00:21 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:00:24 <Sparks> #meetingname Fedora Security Team
14:00:24 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:26 <Sparks> #topic Roll Call
14:00:29 * Sparks
14:01:50 * Astradeus
14:03:11 <Sparks> mhayden: ping
14:03:11 <zodbot> Sparks: Ping with data, please:
https://fedoraproject.org/wiki/No_naked_pings
14:03:22 <mhayden> Sparks: aaaaack, DST
14:03:28 <mhayden> :P
14:03:35 <Sparks> mhayden: We're on zulu time!
14:03:42 * mhayden scurries over to his calendar to adjust the invitation
14:03:48 <Sparks> mhayden: Could you run your script for numbers, please?
14:03:51 <mhayden> on it
14:03:56 <Sparks> TU
14:04:01 <Sparks> mattdm: You around?
14:05:21 <mhayden> #link
https://lists.fedoraproject.org/pipermail/security-team/2015-November/000...
14:05:23 <mhayden> ^^ stats
14:08:01 <Sparks> Hmmm, I thought I took care of that Critical last week.
14:09:04 <rishi> fg
14:09:07 <rishi> sorry
14:10:56 <Sparks> Sorry for the delay, I'm still tweaking the minutes.
14:11:01 * Sparks is running behind this morning
14:13:15 <mhayden> DST made all of my meetings scoot up
14:14:32 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:14:48 <Sparks> mhayden: Just put the TZ for this meeting as UTC and it'll
always be correct. :)
14:14:53 <Sparks> Okay, let's get started.
14:15:03 <Sparks> #topic Follow up on last week's tasks
14:15:13 <mhayden> figured out how to do that in android -- makes up for
Exchange's shortcomings :P
14:15:26 <Sparks> #action Sparks to talk with mattdm regarding private
security tickets in BZ.
14:15:42 <Sparks> #info This was started but hasn't really moved forward.
14:15:50 <Sparks> #action Sparks to discuss using Bluejeans for an online GPG
key signing event
14:16:04 <Sparks> I haven't done this but does anyone have a problem with
doing this?
14:16:12 <mhayden> i did my first gpg key signing at the last flock, it was fun!
14:16:45 <mhayden> i'm not sure how some folks might feel about their
identification cards/passports/licenses being on screen
14:16:52 <mhayden> someone could screenshot it and do nefarious things
14:17:17 <Sparks> Well, lots of people could do lots of things... I'm not
sure that it requires a screenshot.
14:17:26 <mhayden> haha
14:18:05 <Sparks> #info This isn't mandatory so if you don't feel comfortable
participating or don't feel comfortable with not holding an ID in your hands
then you don't have to participate.
14:18:18 <mattdm> Sparks: I'm around for, like, 11 minutes
14:18:51 <Sparks> mattdm: Can I get on your calendar for later today to
discuss furthering the mission of the FST?
14:19:05 <Astradeus> i think in that case hiding the passport number should be
enough to make it a little bit protected - the rest of the security features
is the same on all other identification-things
14:19:51 <Astradeus> e.g. the hologram and the name needs to be visible i
think, the passport number does not need to be
14:20:04 <Sparks> Okay, I'll try to send something to the list just after the
meeting while it's fresh on my mind.
14:20:15 <Sparks> Astradeus: True
14:20:24 <mhayden> i think sgallagh arranged the last signing at flock
14:20:42 <Sparks> Astradeus: I suspect that most Customs folks are using the
RFID chip for auth now anyway.
14:20:59 * mhayden is one of the few without a chipped passport at the moment
:P
14:21:09 <mattdm> Sparks: -- yes... maybe 3pm (US/Eastern)?
14:21:15 <Sparks> mhayden: Yeah, likely. I've usually done them at events
around here.
14:21:41 <Sparks> mattdm: 3pm ET works for me. I'll send you info. Thanks!
14:22:20 <Sparks> mhayden: What?!? How can you survive without the little
chip thingy? :)
14:22:25 <Sparks> Okay, moving on...
14:22:29 <Sparks> #action mhayden to get Astradeus' changes to the stats
script into the fedora-security-team git repo
14:22:38 <Sparks> mhayden: ^^^ did this happen?
14:23:15 <mattdm> Sparks: cool
14:23:20 <mhayden> nah, but i am going to look at it right now ;)
14:23:37 <Sparks> #action pjp to give a status update on security policy in
the wiki (carried over)
14:23:42 <Sparks> #topic Education and Training
14:23:49 <Sparks> #link
https://fedoraproject.org/wiki/Information_Security_Training
14:23:57 <Sparks> (From last week...)
14:24:31 <Sparks> I've started compiling training aids for learning about
information security. I've created the above wiki page to list them.
14:25:08 <Astradeus> i've been skipping over a few entries already - nice page
:)
14:25:27 <fenrus02>
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm - should it be
there?
14:26:29 <Sparks> fenrus02: IDK. Is that educational or just benchmark
information?
14:26:43 <fenrus02> how / why to make alterations
14:27:05 <Sparks> It could be. Feel free to add it.
14:27:21 <fenrus02> ditto for
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ ?
14:27:53 <fenrus02> https://wiki.mozilla.org/Security/Server_Side_TLS .. and ..
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ? or too
much detail ?
14:27:59 <mhayden> #info Astradeus' changes for the script are now merged ;)
14:28:30 <Sparks> fenrus02: Yes, but use a WorldCat URL for books.
https://www.worldcat.org/title/bulletproof-ssl-and-tls/oclc/889874499
14:28:47 <fenrus02> ok. why worldcat instead of the publisher page?
14:29:09 <Sparks> Worldcat shows where to get the book (and not just from
Amazon) like libraries
14:29:27 <Sparks> I want to make it easier for folks to find the materials.
14:29:37 <Sparks> Especially if they can get them for free.
14:31:29 <Sparks> #topic Outstanding BZ Tickets
14:31:36 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 40 (0),
Moderate 457 (+11), Low 170 (+8), Total 668
14:31:42 <Sparks> #info Current tickets owned: 85
14:31:55 <Sparks> +Tickets by Priority--+-------+---------+
14:31:55 <Sparks> | Priority | Count | Owned | Unowned |
14:31:55 <Sparks> +-------------+-------+-------+---------+
14:31:55 <Sparks> | medium | 457 | 45 | 412 |
14:31:56 <Sparks> | low | 170 | 14 | 156 |
14:31:58 <Sparks> | high | 40 | 26 | 14 |
14:32:00 <Sparks> | unspecified | 4 | 0 | 4 |
14:32:03 <Sparks> | urgent | 1 | 0 | 1 |
14:32:05 <Sparks> +-------------+-------+-------+---------+
14:32:09 <Astradeus> i didn't have the time to look at tickets unfortunately
:/
14:32:16 <Sparks> Anyone have anything ticket-wise to discuss?
14:34:26 <Sparks> Oh, I have something.
14:34:49 <Sparks> #idea FST gets copied on critical and important CVEs that
come to Fedora/EPEL.
14:35:03 <fenrus02> +1
14:35:43 <Sparks> I figure that way we will get notified immediately instead of
finding out something has been there after a few days/weeks.
14:37:01 <Sparks> mhayden: ^^^
14:37:17 <mhayden> that'd be nifty
14:39:03 <Sparks> #action Sparks to work with PST to get our mailing list
included on BZ tickets for critical and important CVEs.
14:40:32 <Sparks> #info Apparently FST members can't look at security bugs.
This is likely a problem if we're supposed to be fixing such things.
14:40:47 <Sparks> #action Sparks to figure out how FST members can get access
to Fedora security bugs
14:41:32 <Sparks> #info Anyone finding a security bug in Fedora that doesn't
have a CVE should let PST know so we can get a CVE issued.
secalert(a)redhat.com
14:42:08 <Sparks> Anyone have anything else?
14:42:14 * jsmith shows up late, and has nothing :-(
14:42:27 <Sparks> jsmith: Welcome!
14:43:34 <Sparks> #topic Open floor discussion/questions/comments
14:43:45 <Sparks> Okay, does anyone have anything before we close for the day?
14:45:16 <Sparks> Nothing?
14:45:52 <Sparks> Okay, I'm going to go ahead and close the meeting and try to
update next week's agenda now (for a change) and start working on my action
items.
14:45:57 <Sparks> Thanks, all, for coming out!
14:46:11 <Astradeus> thank you for managing the meeting :)
14:46:52 <Sparks> #endmeeting