Meetbot was under the weather last week but I was able to get the transcript.
19:00:49 <Sparks_too> #meetingname Fedora Security Team
19:00:49 <zodbot> The meeting name has been set to 'fedora_security_team'
19:00:55 <Sparks_too> #endmeeting
19:01:13 <Sparks_too> #endmeeting
19:01:22 <zodbot> Sparks_too: Error: Can't start another meeting, one is in progress.
19:01:27 <Sparks_too> *sigh*
19:01:44 <bvincent> .mynameis bvincent
19:02:29 <Sparks_too> Okay, let's see if someone in admin can fix zodbot real quick.
19:02:54 <revskills> ok, don't worry
19:03:43 <Sparks_too> #endmeeting
19:04:24 <Sparks_too> Okay, I'm just going to pretend that zodbot is awake and doing what it should be doing in the off chance this can be saved.
19:04:33 <zodbot> Sparks_too: Error: Can't start another meeting, one is in progress.
19:04:36 <Sparks_too> #meetingname Fedora Security Team
19:04:36 <zodbot> The meeting name has been set to 'fedora_security_team'
19:04:39 <Sparks_too> #topic Roll Call
19:04:41 * Sparks_too
19:04:56 * jtaylor90 is here
19:05:02 <bojov> present
19:05:14 <jrusnack> here
19:05:18 <bvincent> here
19:05:32 <D-Caf> here (David)
19:05:45 <bvincent> .hellomynameis bvincent
19:05:46 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent(a)asu.edu>
19:05:48 <danofsatx-dt> I am present as an interested party. I am an IT security professional and curious about the Fedora Security Team.
19:07:15 <revskills> hi danofsatx-dt :)
19:07:18 <Sparks_too> Okay, good group. Let's get started.
19:07:25 <Sparks_too> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
19:07:31 <Sparks_too> #topic Follow up on last week's action items (10 minutes)
19:07:57 <Sparks_too> Okay, we're going to skip last week's action items since I failed to fix the agenda. :/
19:08:08 <Sparks_too> That will give us more time to discuss other things.
19:08:22 <Sparks_too> #topic Roster
19:08:54 <Sparks_too> #link https://fedoraproject.org/wiki/Security_Team_Roster
19:09:23 <Sparks_too> Looks like several people have added their info to the Security Team roster. I'll encourage everyone to go there and update their information.
19:10:12 <Sparks_too> #topic Rewards
19:10:14 * marcdeop is sorry he is late
19:10:35 <Sparks_too> I haven't had a chance to look at this stuff yet but I'll make it a priority for this week and we'll talk about it more next week.
19:10:41 <Sparks_too> #topic Outstanding BZ Tickets
19:10:58 <Sparks_too> Okay, here is what I really wanted to get to since this is the fun part.
19:11:07 <Sparks_too> #info Monday's numbers: Critical 2, Important 70, Moderate 372, Low 131, Total 575, Trend +9
19:11:11 <Sparks_too> #info Current tickets owned: 119
19:12:03 <Sparks_too> So right now it looks like we are currently working ~20% of all the open vulnerabilities in Fedora and EPEL. That's awesome.
19:12:26 <Sparks_too> Is anyone coming up with any problems they'd like to discuss?
19:12:37 <jrusnack> yup, pwgen and rubygems
19:12:53 <Sparks_too> #info We've already closed 8 tickets
19:13:00 <Sparks_too> jrusnack: The floor is yours
19:13:19 <jrusnack> #info sent patches to pwgen upstream that fix 2 CVEs, no response. Should I go ahead and push them just to fedora ?
19:14:06 <Sparks_too> jrusnack: Are we sure they fix the problems?
19:14:36 <revskills> Sparks_too, jrusnack is a good idea to discuss fixes in fedora mailing list
19:14:47 <revskills> second pair of eyes always are welcome
19:14:47 <jrusnack> I can send them to you and you can see yourself. Also, I assume I would work with packager
19:14:54 <jrusnack> yup
19:14:55 <Sparks_too> jrusnack: fedora-devel..
19:15:04 <jrusnack> OK, so I'll discuss on the list
19:15:52 <jrusnack> #info rubygems vulns - so there are these two guys, Michael Stahnke and Jeroen van Meeuwen, who own rails in EPEL and have ~25 unfixed vulnerabilities
19:16:00 <Sparks_too> jrusnack: plus the packager. Depending on how fluent they are with the code... :)
19:16:24 <Sparks_too> jrusnack: So, yeah, I'd say we should submit the patches to the packager for review and see where that goes.
19:16:25 <jrusnack> #info jsmith advised I should start unresponsive packagers policy - maybe would be useful for others to know it exists
19:16:44 <Sparks_too> Yeah, we have one of those.
19:17:02 <revskills> jrusnack: can you share/link this info wiki/mailing?
19:17:38 <jrusnack> #info http://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
19:17:39 <jtaylor90> just fyi, on one of the lists or irc maybe Jeroen van Meeuwen aka kanarip is at flock. folks are reaching out to him about package maintenance
19:17:51 <revskills> +1 jrusnack ty!
19:18:28 <jrusnack> jtaylor90: yup, I asked on fedora devel, a good fellow might make him fix those for us :)
19:18:58 <jrusnack> that's all, thanks !
19:19:25 <Sparks_too> cool
19:19:46 <Sparks_too> Okay, so I'll talk about my adventures with EPEL real quick.
19:20:15 <Sparks_too> Today, I asked that two orphaned packages be removed from EPEL-5... and they were. That closed nine tickets in BZ.
19:20:27 <jrusnack> eucalyptus ?
19:20:52 <Sparks_too> I have another ~28 eyed for the same outcome.
19:21:03 <Sparks_too> This will close ~59 tickets
19:21:24 <Sparks_too> jrusnack: Euca is in Fedora only
19:22:00 <Sparks_too> So I'll be working on these orphaned packages and we'll see if we can get those taken care of.
19:22:03 <jtaylor90> Sparks_too: moin can be added to that outcome as well, releng retired and untagged all builds for moin in epel5 (releng ticket #5956)
19:22:13 <Sparks_too> jtaylor90: +1
19:22:38 <Sparks_too> jtaylor90: If you haven't done so already, go ahead and close all moin el5 bugs in BZ as CLOSED, WONTFIX.
19:22:48 <Sparks_too> jtaylor90: And put your fst_owner tag on them.
19:23:04 <jrusnack> so, what is process for getting them orphaned ?
19:23:04 <jtaylor90> excellent, that answers that question about how to close
19:24:12 <Sparks_too> jtaylor90: Yeah, I went through that earlier today.
19:24:33 <Sparks_too> jrusnack: So these packages are already orphaned. We want them retired. You must go through releng to do that.
19:24:54 <Sparks_too> jrusnack: So, you just open a ticket in releng's trac instance on fhosted and magic happens.
19:25:02 <jrusnack> Sparks_too: oh right, got it, thanks !
19:25:46 <Sparks_too> So, I sent the list of EPEL packages to epel-devel earlier today. I'll likely ask that those packages get retired tomorrow if no one speaks up about them.
19:26:58 <Sparks_too> WRT Eucalyptus, the package owner no longer wants to own this. I suspect most people using euca aren't using the Fedora package. We'll likely go through the retirement process with this package as well.
19:27:20 <Sparks_too> Does anyone have anything else they'd like to discuss ticket-wise?
19:27:36 <jtaylor90> yeah I have one
19:27:55 <Sparks_too> jtaylor90: go
19:28:13 <jtaylor90> well it's actually at least a couple tickets, it relates to the mingw32 packages in epel5 specifically mingw32-jasper and mingw32-openssl
19:28:25 <Sparks_too> okay
19:28:47 <jtaylor90> I emailed the original packager and then followed up with the mingw sig mailing list, the whole mingw32 package set has essentially been orphaned
19:28:57 <jtaylor90> I am waiting to hear a consensus from the SIG on how they want to handle
19:29:16 <Sparks_too> handy
19:29:53 <jtaylor90> I haven't had a chance to see if there are other mingw32 package bz's out there so if anyone else comes across them, the issues with epel5 packages are being discussed
19:30:13 <jtaylor90> I will go through and see if there are any other related BZ's and grab them
19:30:26 <jtaylor90> that's it :)
19:31:40 <Sparks_too> jtaylor90: Yeah, just grab the tickets and you can figure it out as it goes on.
19:31:46 <Sparks_too> Anyone else?
19:33:01 <Sparks_too> #topic Open floor discussion
19:33:05 <danofsatx-dt> y'all were mentioned on the Linux Action Show: http://youtu.be/XKyeGe8EtOk?t=25m39s
19:33:19 <Sparks_too> danofsatx-dt: That's scary... I'll have to go watch.
19:34:41 <Sparks_too> danofsatx-dt: Even scarier... they used my email
19:34:58 <danofsatx-dt> uh oh....prepare for spam.
19:35:21 * danofsatx-dt missed that
19:35:22 <Sparks_too> danofsatx-dt: Too late... we were also featured on php today and some other geek news places.
19:35:34 <Sparks_too> Who'd a thought people would give a crap?
19:35:56 <marcdeop> why wouldn't they? security got relevant since the heartbeat bug
19:35:59 <bvincent> Take a look at the security issues with other distributions.
19:36:12 <danofsatx-dt> well, considering the world I work in, a lot. I'm slowly but surely converting my office from Windows to Fedora/CentOS
19:36:14 <Sparks_too> marcdeop: True, but we don't have a cool URL or icon.
19:36:24 <bvincent> In comparison, Fedora is not as bad as some other distributions.
19:36:26 <marcdeop> we can always get that, right?
19:37:02 <Sparks_too> heh
19:37:59 <Sparks_too> Oh
19:38:30 <Sparks_too> When you are looking for a case to work on, please look at the oldest ticket not taken. I want to make sure we can get rid of as many of the old things as possible.
19:40:01 <marcdeop> I am sorry I cannot participate much yet, I recently switched countries and it has been extremely difficult to handle all the paperwork and new job :S
19:40:19 <Sparks_too> marcdeop: No worries, we'll likely have work for you to do when you get the time. :)
19:40:22 <jrusnack> so, another process related question: how to push CVE from ON_QA state further ? E.g. https://bugzilla.redhat.com/show_bug.cgi?id=1020950 is in ON_QA state for ~9 months now
19:41:33 <Sparks_too> jrusnack: I'd ask on the ticket for the package to be moved to stable
19:42:03 <jrusnack> stable is what ? sorry not fluent in fedora process yet
19:42:48 <Sparks_too> jrusnack: Well, it's in testing. The packager just needs to push the button in bodhi that says "push to stable".
19:43:52 <jrusnack> thanks. And maybe related question - do we want to monitor ON_QA packages too ?
19:44:11 <Sparks_too> Yes, anything that isn't closed
19:44:34 <revskills> we need to follow the entire process
19:44:55 <revskills> we do the same in the SRT/rh
19:45:25 <Sparks_too> revskills: +1
19:45:41 <jrusnack> Sparks_too: then we need more bugzilla searches on our awesome wiki
19:45:51 <jrusnack> thanks for explanations !
19:45:55 <Sparks_too> jrusnack: It's a wiki... be bold!
19:46:10 <jrusnack> Sparks_too: let's do it ! :)
19:46:48 <jrusnack> #action jrusnack add more bugzilla searches to wiki to cover tickets in other states (we want to monitor entire process)
19:46:53 <Sparks_too> :)
19:46:58 <Sparks_too> Okay, anyone have anything else?
19:48:10 <D-Caf> No, just getting up to speed so I can eventually be helpful
19:48:13 <revskills> no, looks everything is going fine
19:48:30 <Sparks_too> Okay, I'm going to end the meeting and invite everyone back over to #fedora-security-team for refreshments.
19:48:37 <Sparks_too> Thanks for everyone coming and participating.
19:48:45 <revskills> +1 Sparks_too
19:49:03 <Sparks_too> D-Caf: Come over to #fedora-security-team for a better explanation.
19:49:09 <Sparks_too> #endmeeting
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------