Meetbot was under the weather last week but I was able to get the transcript.
19:00:49 <Sparks_too> #meetingname Fedora Security Team
19:00:49 <zodbot> The meeting name has been set to 'fedora_security_team'
19:00:55 <Sparks_too> #endmeeting
19:01:13 <Sparks_too> #endmeeting
19:01:22 <zodbot> Sparks_too: Error: Can't start another meeting, one is in progress.
19:01:27 <Sparks_too> *sigh*
19:01:44 <bvincent> .mynameis bvincent
19:02:29 <Sparks_too> Okay, let's see if someone in admin can fix zodbot real quick.
19:02:54 <revskills> ok, don't worry
19:03:43 <Sparks_too> #endmeeting
19:04:24 <Sparks_too> Okay, I'm just going to pretend that zodbot is awake and doing what it should be doing in the off chance this can be saved.
19:04:33 <zodbot> Sparks_too: Error: Can't start another meeting, one is in progress.
19:04:36 <Sparks_too> #meetingname Fedora Security Team
19:04:36 <zodbot> The meeting name has been set to 'fedora_security_team'
19:04:39 <Sparks_too> #topic Roll Call
19:04:41 * Sparks_too
19:04:56 * jtaylor90 is here
19:05:02 <bojov> present
19:05:14 <jrusnack> here
19:05:18 <bvincent> here
19:05:32 <D-Caf> here (David)
19:05:45 <bvincent> .hellomynameis bvincent
19:05:46 <zodbot> bvincent: bvincent 'Brandon Vincent' Brandon.Vincent@asu.edu
19:05:48 <danofsatx-dt> I am present as an interested party. I am an IT security professional and curious about the Fedora Security Team.
19:07:15 <revskills> hi danofsatx-dt :)
19:07:18 <Sparks_too> Okay, good group. Let's get started.
19:07:25 <Sparks_too> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
19:07:31 <Sparks_too> #topic Follow up on last week's action items (10 minutes)
19:07:57 <Sparks_too> Okay, we're going to skip last week's action items since I failed to fix the agenda. :/
19:08:08 <Sparks_too> That will give us more time to discuss other things.
19:08:22 <Sparks_too> #topic Roster
19:08:54 <Sparks_too> #link https://fedoraproject.org/wiki/Security_Team_Roster
19:09:23 <Sparks_too> Looks like several people have added their info to the Security Team roster. I'll encourage everyone to go there and update their information.
19:10:12 <Sparks_too> #topic Rewards
19:10:14 * marcdeop is sorry he is late
19:10:35 <Sparks_too> I haven't had a chance to look at this stuff yet but I'll make it a priority for this week and we'll talk about it more next week.
19:10:41 <Sparks_too> #topic Outstanding BZ Tickets
19:10:58 <Sparks_too> Okay, here is what I really wanted to get to since this is the fun part.
19:11:07 <Sparks_too> #info Monday's numbers: Critical 2, Important 70, Moderate 372, Low 131, Total 575, Trend +9
19:11:11 <Sparks_too> #info Current tickets owned: 119
19:12:03 <Sparks_too> So right now it looks like we are currently working ~20% of all the open vulnerabilities in Fedora and EPEL. That's awesome.
19:12:26 <Sparks_too> Is anyone coming up with any problems they'd like to discuss?
19:12:37 <jrusnack> yup, pwgen and rubygems
19:12:53 <Sparks_too> #info We've already closed 8 tickets
19:13:00 <Sparks_too> jrusnack: The floor is yours
19:13:19 <jrusnack> #info sent patches to pwgen upstream that fix 2 CVEs, no response. Should I go ahead and push them just to Fedora?
19:14:06 <Sparks_too> jrusnack: Are we sure they fix the problems?
19:14:36 <revskills> Sparks_too, jrusnack: it is a good idea to discuss fixes on the Fedora mailing list
19:14:47 <revskills> a second pair of eyes is always welcome
19:14:47 <jrusnack> I can send them to you and you can see yourself. Also, I assume I would work with the packager
19:14:54 <jrusnack> yup
19:14:55 <Sparks_too> jrusnack: fedora-devel..
19:15:04 <jrusnack> OK, so I'll discuss on the list
19:15:52 <jrusnack> #info rubygems vulns - so there are these two guys, Michael Stahnke and Jeroen van Meeuwen, who own rails in EPEL and have ~25 unfixed vulnerabilities
19:16:00 <Sparks_too> jrusnack: plus the packager. Depending on how fluent they are with the code... :)
19:16:24 <Sparks_too> jrusnack: So, yeah, I'd say we should submit the patches to the packager for review and see where that goes.
19:16:25 <jrusnack> #info jsmith advised I should start the unresponsive packagers policy - maybe it would be useful for others to know it exists
19:16:44 <Sparks_too> Yeah, we have one of those.
19:17:02 <revskills> jrusnack: can you share/link this info wiki/mailing?
19:17:38 <jrusnack> #info http://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
19:17:39 <jtaylor90> just fyi, on one of the lists or irc maybe Jeroen van Meeuwen aka kanarip is at Flock. folks are reaching out to him about package maintenance
19:17:51 <revskills> +1 jrusnack ty!
19:18:28 <jrusnack> jtaylor90: yup, I asked on fedora-devel, a good fellow might make him fix those for us :)
19:18:58 <jrusnack> that's all, thanks!
19:19:25 <Sparks_too> cool
19:19:46 <Sparks_too> Okay, so I'll talk about my adventures with EPEL real quick.
19:20:15 <Sparks_too> Today, I asked that two orphaned packages be removed from EPEL-5... and they were. That closed nine tickets in BZ.
19:20:27 <jrusnack> eucalyptus?
19:20:52 <Sparks_too> I have another ~28 eyed for the same outcome.
19:21:03 <Sparks_too> This will close ~59 tickets
19:21:24 <Sparks_too> jrusnack: Euca is in Fedora only
19:22:00 <Sparks_too> So I'll be working on these orphaned packages and we'll see if we can get those taken care of.
19:22:03 <jtaylor90> Sparks_too: moin can be added to that outcome as well, releng retired and untagged all builds for moin in epel5 (releng ticket #5956)
19:22:13 <Sparks_too> jtaylor90: +1
19:22:38 <Sparks_too> jtaylor90: If you haven't done so already, go ahead and close all moin el5 bugs in BZ as CLOSED, WONTFIX.
19:22:48 <Sparks_too> jtaylor90: And put your fst_owner tag on them.
19:23:04 <jrusnack> so, what is the process for getting them orphaned?
19:23:04 <jtaylor90> excellent, that answers that question about how to close
19:24:12 <Sparks_too> jtaylor90: Yeah, I went through that earlier today.
19:24:33 <Sparks_too> jrusnack: So these packages are already orphaned. We want them retired. You must go through releng to do that.
19:24:54 <Sparks_too> jrusnack: So, you just open a ticket in releng's trac instance on fhosted and magic happens.
19:25:02 <jrusnack> Sparks_too: oh right, got it, thanks!
19:25:46 <Sparks_too> So, I sent the list of EPEL packages to epel-devel earlier today. I'll likely ask that those packages get retired tomorrow if no one speaks up about them.
19:26:58 <Sparks_too> WRT Eucalyptus, the package owner no longer wants to own this. I suspect most people using euca aren't using the Fedora package. We'll likely go through the retirement process with this package as well.
19:27:20 <Sparks_too> Does anyone have anything else they'd like to discuss ticket-wise?
19:27:36 <jtaylor90> yeah I have one
19:27:55 <Sparks_too> jtaylor90: go
19:28:13 <jtaylor90> well it's actually at least a couple of tickets, it relates to the mingw32 packages in epel5, specifically mingw32-jasper and mingw32-openssl
19:28:25 <Sparks_too> okay
19:28:47 <jtaylor90> I emailed the original packager and then followed up with the mingw SIG mailing list, the whole mingw32 package set has essentially been orphaned
19:28:57 <jtaylor90> I am waiting to hear a consensus from the SIG on how they want to handle it
19:29:16 <Sparks_too> handy
19:29:53 <jtaylor90> I haven't had a chance to see if there are other mingw32 package BZs out there, so if anyone else comes across them, the issues with epel5 packages are being discussed
19:30:13 <jtaylor90> I will go through and see if there are any other related BZs and grab them
19:30:26 <jtaylor90> that's it :)
19:31:40 <Sparks_too> jtaylor90: Yeah, just grab the tickets and you can figure it out as it goes on.
19:31:46 <Sparks_too> Anyone else?
19:33:01 <Sparks_too> #topic Open floor discussion
19:33:05 <danofsatx-dt> y'all were mentioned on the Linux Action Show: http://youtu.be/XKyeGe8EtOk?t=25m39s
19:33:19 <Sparks_too> danofsatx-dt: That's scary... I'll have to go watch.
19:34:41 <Sparks_too> danofsatx-dt: Even scarier... they used my email
19:34:58 <danofsatx-dt> uh oh....prepare for spam.
19:35:21 * danofsatx-dt missed that
19:35:22 <Sparks_too> danofsatx-dt: Too late... we were also featured on php today and some other geek news places.
19:35:34 <Sparks_too> Who'd a thought people would give a crap?
19:35:56 <marcdeop> why wouldn't they? security got relevant since the heartbeat bug
19:35:59 <bvincent> Take a look at the security issues with other distributions.
19:36:12 <danofsatx-dt> well, considering the world I work in, a lot. I'm slowly but surely converting my office from Windows to Fedora/CentOS
19:36:14 <Sparks_too> marcdeop: True, but we don't have a cool URL or icon.
19:36:24 <bvincent> In comparison, Fedora is not as bad as some other distributions.
19:36:26 <marcdeop> we can always get that, right?
19:37:02 <Sparks_too> heh
19:37:59 <Sparks_too> Oh
19:38:30 <Sparks_too> When you are looking for a case to work on, please look at the oldest ticket not taken. I want to make sure we can get rid of as many of the old things as possible.
19:40:01 <marcdeop> I am sorry I cannot participate much yet, I recently switched countries and it has been extremely difficult to handle all the paperwork and the new job :S
19:40:19 <Sparks_too> marcdeop: No worries, we'll likely have work for you to do when you get the time. :)
19:40:22 <jrusnack> so, another process related question: how to push a CVE from ON_QA state further? E.g. https://bugzilla.redhat.com/show_bug.cgi?id=1020950 has been in ON_QA state for ~9 months now
19:41:33 <Sparks_too> jrusnack: I'd ask on the ticket for the package to be moved to stable
19:42:03 <jrusnack> stable is what? sorry, not fluent in the Fedora process yet
19:42:48 <Sparks_too> jrusnack: Well, it's in testing. The packager just needs to push the button in bodhi that says "push to stable".
19:43:52 <jrusnack> thanks. And maybe a related question - do we want to monitor ON_QA packages too?
19:44:11 <Sparks_too> Yes, anything that isn't closed
19:44:34 <revskills> we need to follow the entire process
19:44:55 <revskills> we do the same in the SRT/rh
19:45:25 <Sparks_too> revskills: +1
19:45:41 <jrusnack> Sparks_too: then we need more bugzilla searches on our awesome wiki
19:45:51 <jrusnack> thanks for the explanations!
19:45:55 <Sparks_too> jrusnack: It's a wiki... be bold!
19:46:10 <jrusnack> Sparks_too: let's do it! :)
19:46:48 <jrusnack> #action jrusnack add more bugzilla searches to wiki to cover tickets in other states (we want to monitor the entire process)
19:46:53 <Sparks_too> :)
19:46:58 <Sparks_too> Okay, anyone have anything else?
19:48:10 <D-Caf> No, just getting up to speed so I can eventually be helpful
19:48:13 <revskills> no, looks like everything is going fine
19:48:30 <Sparks_too> Okay, I'm going to end the meeting and invite everyone back over to #fedora-security-team for refreshments.
19:48:37 <Sparks_too> Thanks to everyone for coming and participating.
19:48:45 <revskills> +1 Sparks_too
19:49:03 <Sparks_too> D-Caf: Come over to #fedora-security-team for a better explanation.
19:49:09 <Sparks_too> #endmeeting
--
Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks@fedoraproject.org - sparks@redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
security-team@lists.fedoraproject.org