#fedora-meeting: Security Team Meeting - Agenda:
Meeting started by Sparks at 14:00:38 UTC. The full logs are available
* Roll Call (Sparks, 14:00:52)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:10:26)
* Follow up on last week's tasks (Sparks, 14:10:59)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:11:55)
* Not sure we can dynamically add FST to critical and important CVEs
with the current tool set. (Sparks, 14:12:43)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (Sparks, 14:12:55)
* Education and Training (Sparks, 14:14:45)
* LINK: https://fedoraproject.org/wiki/Information_Security_Training
* The Information Security Training page is available to provide
educational links to help people become more security literate.
* Apprenticeship (Sparks, 14:23:37)
* LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship
* Outstanding BZ Tickets (Sparks, 14:34:54)
* Thursday's numbers: Critical 0 (-1), Important 36 (-5), Moderate 424
(-30), Low 145 (-33), Total 605 (Sparks, 14:35:07)
* Current tickets owned: 80 (Sparks, 14:35:19)
* Open floor discussion/questions/comments (Sparks, 14:45:05)
* IDEA: Host a FST DC Meet Up (Sparks, 14:52:23)
* ACTION: Sparks to create a FST 2016 FAD page and start collecting
info (Sparks, 14:59:43)
Meeting ended at 15:01:09 UTC.
Action Items
* pjp to give a status update on security policy in the wiki (carried over)
* Sparks to figure out how FST members can get access to Fedora security bugs
* Sparks to create a FST 2016 FAD page and start collecting info
Action Items, by person
* Sparks
  * Sparks to figure out how FST members can get access to Fedora security bugs
  * Sparks to create a FST 2016 FAD page and start collecting info
* pjp
  * pjp to give a status update on security policy in the wiki (carried over)
People Present (lines said)
* Sparks (125)
* d-caf (48)
* linuxmodder (35)
* mhayden (30)
* Astradeus (6)
* zodbot (6)
* zoglesby (5)
* jsmith (4)
* Southern_Gentlem (4)
14:00:38 <Sparks> #startmeeting Security Team Meeting - Agenda:
14:00:39 <zodbot> Meeting started Thu Dec 3 14:00:38 2015 UTC. The chair is
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot
14:00:39 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
14:00:39 <zodbot> The meeting name has been set to 'security_team_meeting_-
14:00:42 <Sparks> #meetingname Fedora Security Team
14:00:42 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:52 <Sparks> #topic Roll Call
14:00:54 * Sparks
14:01:38 * Astradeus (more or less)
14:02:21 <Sparks> Astradeus: I feel the same way
14:05:27 * d-caf
14:05:36 <Sparks> mhayden: Are you here?
14:05:48 <mhayden> aaah, yes
14:05:50 <mhayden> .hello mhayden
14:05:51 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net>
14:06:06 * mhayden switched to evolution this week and is getting used to its
14:06:56 <Southern_Gentlem> mhayden, may gawd have mercy on you
14:07:47 <mhayden> Southern_Gentlem: thanks -- my work life is in MS Exchange
14:08:12 <d-caf> mhayden: oh, I'm so sorry
14:08:28 <Southern_Gentlem> mhayden, i am lucky that we have not had to do
that yet ( i have 5 secretaries that use exchange)
14:08:52 <mhayden> Southern_Gentlem: ah, for some reason i thought you worked
14:09:11 <mhayden> sorry for sending us wildly OT, Sparks ;)
14:09:16 <Southern_Gentlem> mhayden, i thought you came to Fudcon Blacksburg
14:09:32 <Southern_Gentlem> ops sorry
14:09:48 <mhayden> nah, i couldn't make that one
14:10:00 <mhayden> interested to hear where fudcon will be in 2016
14:10:01 * linuxmodder here
14:10:02 <Sparks> mhayden: What'd I do?
14:10:04 <Sparks> :)
14:10:09 <Sparks> Okay, lets get started
14:10:13 <mhayden> Sparks broke bugzilla
14:10:26 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:10:43 * Sparks did not broke bugzilla
14:10:45 <Sparks> mhayden: https://bugzilla.redhat.com/show_bug.cgi?id=1288076
14:10:59 <Sparks> #topic Follow up on last week's tasks
14:11:15 <Sparks> And by "last week" I mean a few weeks ago
14:11:21 <Sparks> Sparks to talk with mattdm regarding private security
tickets in BZ.
14:11:26 <Sparks> Yep, I did this (and more).
14:11:40 <Sparks> #link
14:11:47 <Sparks> We'll talk more about this later.
14:11:55 <Sparks> #action pjp to give a status update on security policy in
the wiki (carried over)
14:12:12 <Sparks> Sparks to work with PST to get our mailing list included on
BZ tickets for critical and important CVEs.
14:12:43 <Sparks> #info Not sure we can dynamically add FST to critical and
important CVEs with the current tool set.
14:12:55 <Sparks> #action Sparks to figure out how FST members can get access
to Fedora security bugs
14:13:04 <Sparks> Did I miss anything else?
14:14:03 <mhayden> i think that's it
14:14:45 <Sparks> #topic Education and Training
14:14:58 <Sparks> #link https://fedoraproject.org/wiki/Information_Security_Training
14:15:18 <Sparks> I don't think anyone has added any resources to this page,
yet, but please do.
14:15:31 <mhayden> can we add non-free stuff?
14:15:54 <Sparks> #info The Information Security Training page is available to
provide educational links to help people become more security literate.
14:16:08 <d-caf> Sparks: I had added some links regarding OWASP, but not much
more than that
14:16:23 <Sparks> mhayden: Ummm... I'd like to keep it all free if at all
possible. I want it to be easy access for people.
14:16:24 <linuxmodder> FST ?
14:16:43 <Sparks> mhayden: Books can be found at libraries but also can be
purchased so I think they are okay.
14:16:47 <d-caf> linuxmodder: FST = Fedora Security Team
14:17:14 <mhayden> Sparks: got it
14:17:22 <mhayden> i added a link for STIG's
14:17:32 <Sparks> mhayden: Perhaps we have a separate area for non-free stuff?
There are some good resources out there.
14:17:36 <Sparks> mhayden++
14:17:37 <zodbot> Sparks: Karma for mhayden changed to 3 (for the f23 release
14:17:39 <mhayden> that would be good
14:17:49 <mhayden> i'd like to put a relevant SANS course in there
14:17:54 <mhayden> not free, but good knowledge there
14:17:58 <Sparks> true
14:18:02 <d-caf> mhayden: was just thinking about SANS
14:18:02 * mhayden chomps on his cookie
14:18:07 <jsmith> nom nom nom
14:18:15 <Sparks> Mmmm... cookies
14:18:16 <mhayden> also, what about RHT's relevant security course(s) as part
of the RHCA track?
14:18:20 <d-caf> mhayden: they do have free webinars, though often more
14:18:20 * Sparks still hasn't had breakfast
14:18:30 <mhayden> oh their webinars make me cry
14:18:36 <Sparks> mhayden: That would probably be good to add.
14:18:51 <Sparks> mhayden: And, really, any other Linux security training
14:18:56 <Sparks> jsmith: moin
14:19:08 <d-caf> mhayden: I've seen an occasional good one like webbreachers
14:19:55 <d-caf> Might consider adding regional/local group links/section for
in person resources?
14:20:09 <d-caf> Local security focused meetups and such
14:20:42 <linuxmodder> Linux foundation has a few
14:20:46 <Sparks> d-caf: Yeah, that's a good idea, too.
14:20:50 <linuxmodder> more sysadmin ish but good
14:21:04 <linuxmodder> +1 for meetup idea
14:21:33 <d-caf> I know my area around DC is littered with them, i'll get some
of the better ones listed
14:22:10 <linuxmodder> d-caf, we are both in the same locale (have you been
to the new one on Tuesday in Adams Morgan? )
14:22:38 <Sparks> d-caf: You are in DC?
14:22:49 <d-caf> linuxmodder: No, hadn't heard of anything in Adams Morgan
14:23:05 <d-caf> Sparks: Outside in the Northern Virginia area
14:23:14 <Sparks> d-caf: I'm in Maryland
14:23:21 <linuxmodder> Tysons /Falls Church
14:23:27 <Sparks> Okay, lets move on to other things...
14:23:32 <d-caf> Don't go into DC that much (prefer to keep my commute under
14:23:37 <Sparks> #topic Apprenticeship
14:23:46 <Sparks> And here's the really fun stuff
14:23:56 <linuxmodder> d-caf, indeed metro sucks but some good meets there
14:23:59 <Sparks> #link https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:24:20 <linuxmodder> will be looking to join
14:24:52 <linuxmodder> also anyone who has a minute this week looking to
finish an audit/review of security guide for -docs
14:25:01 <Sparks> linuxmodder: Sure
14:25:13 <Sparks> So, the Apprenticeship page has been established.
14:25:24 <Sparks> It needs to be fleshed out more, though.
14:25:35 <linuxmodder> mostly the deep dive selinux stuff while I've gotten
way better in the last few months some of it is still Klingon to me
14:26:02 <Sparks> I'd like to have the Apprenticeship ready to go by 2016
14:26:14 <linuxmodder> can take a look this week Sparks wordpress and docs
work has got me in groove
14:26:33 <linuxmodder> what all still needs to be setup ?
14:27:07 <Sparks> Well, we need to figure out the framework, the work that
needs to be completed, and the certification process.
14:27:35 <d-caf> Are you going to setup formal "levels" of the FST?
14:27:53 <mhayden> level 9 dungeon master
14:28:04 <d-caf> mhayden: :-)
14:28:06 <Sparks> In the [U.S.] Navy we have PQSs that involve training and
OJT which is followed by some sort of certification board that meets to review
your paperwork and ask you questions. I think we should do something similar
14:28:09 <linuxmodder> lol
14:28:15 <mhayden> that's a bunch of acronyms ;)
14:28:18 <Sparks> mhayden: +1
14:28:29 <linuxmodder> +1
14:28:37 <mhayden> at my company, we use empty cups of coffee and grey hair to
figure out the levels of each security person :P
14:28:40 <d-caf> was thinking along the lines of apprentice/novice, normal
contributors, and then those that have gotten "certified" and handle embargo
14:28:56 <Sparks> PQS == personnel qualification standards
14:29:04 <Sparks> OJT = on the job training
14:29:05 <mhayden> this gets tricky because Fedora doesn't legally exist as an
14:29:11 <mhayden> thanks, Sparks
14:29:35 <linuxmodder> possible to have a tie in with sayt rhca i'm sure
14:30:00 <d-caf> Would prefer to keep a path that is free as in beer for
people to work their way up
14:30:11 <Sparks> d-caf: +1
14:30:45 <d-caf> Though that doesn't excluce rhca as a possible alternative
path to meet requirements
14:30:57 <d-caf> excluce/exclude
14:31:10 <Sparks> Well, that's more of a sysadmin thing. We're trying to
14:32:33 <linuxmodder> make it a training path FOR rhca and the like then
14:33:00 <d-caf> So we need to come up with core "skills/experience" that
candidate should have 1 or more of
14:33:06 <Sparks> Can I get some volunteers to help put the apprenticeship
14:33:12 <Sparks> d-caf: Yes
14:33:16 <linuxmodder> donations (time or money always welcome) -- we train
you to be secure / safe with option to get rhca and the like (you pay for
14:33:18 <d-caf> Sparks: more than willing to hel
14:33:25 <linuxmodder> Sparks, count me in
14:33:35 <d-caf> hel/help
14:33:36 <Astradeus> Sparks: I can try
14:33:47 <Sparks> Okay, lets talk more about this on the list, then.
14:34:00 <d-caf> I've gone through enough certification process to have an idea
of what does or doesn't work
14:34:51 <Sparks> Okay, moving on
14:34:54 <Sparks> #topic Outstanding BZ Tickets
14:35:07 <Sparks> #info Thursday's numbers: Critical 0 (-1), Important 36
(-5), Moderate 424 (-30), Low 145 (-33), Total 605
14:35:19 <Sparks> #info Current tickets owned: 80
14:35:29 <Sparks> +Tickets by Priority----+-------+---------+
14:35:29 <Sparks> | Priority | Tickets | Owned | Unowned |
14:35:29 <Sparks> +-------------+---------+-------+---------+
14:35:29 <Sparks> | medium | 424 | 45 | 379 |
14:35:29 <Sparks> | low | 145 | 13 | 132 |
14:35:31 <Sparks> | high | 36 | 22 | 14 |
14:35:34 <Sparks> | unspecified | 1 | 0 | 1 |
14:35:36 <Sparks> +-------------+---------+-------+---------+
14:35:52 <Astradeus> uh, somebody did quite a lot of work o_O
14:36:03 <Sparks> Does anyone have any questions?
14:36:17 * Sparks needs to figure out the "unspecified" ticket.
14:36:25 <d-caf> noticed some old fedora tickets got aged out
14:36:27 <linuxmodder> what is the unspec one about?
14:36:43 <linuxmodder> with 21 going eol i assume?
14:36:47 <Sparks> linuxmodder: It's likely a community ticket that got started
without a CVE
14:36:48 <d-caf> Sparks: probably another severity set but priority not
14:36:50 <mhayden> i think the unspec was an epel one
14:36:57 <mhayden> something w/RHEL 6
14:36:59 <mhayden> IIRC
14:37:09 <Sparks> d-caf: I thought we were going off of severity and not
14:37:14 <linuxmodder> nice :(
14:37:22 <d-caf> Sparks: not sure if the scripts got updated
14:37:23 <Astradeus> oh. was thinking of the best, but yeah, i've seen the
14:37:26 <linuxmodder> c6.4 and c7.2 only none Fedora I use
14:37:30 <d-caf> and we didn't get a firm consensus
14:37:47 <Sparks> Yeah, the drop in tickets is likely from where F21 got
14:38:02 * Sparks wonders how many of those tickets should have been moved
14:38:04 <linuxmodder> pardon the ignorance which scripts d-caf ?
14:38:25 <d-caf> The report scripts, and the links on the FST page
14:38:31 <linuxmodder> ah
14:39:03 <d-caf> at minimum I vote to have the scripts search on severity and
priority, or just move to severity only
14:39:10 <Sparks> linuxmodder:
14:39:44 <Sparks> d-caf: I think just severity as the priority might change
based on the priorities of the project but the severity shouldn't.
14:39:55 <Sparks> ...as that should be based off of the CVSS score.
14:40:01 <linuxmodder> what is the bar for priority ?
14:40:39 <d-caf> Sparks: true, but just in case someone misused the tags (as
there seemed to be some confusion even in our group to usage) it might be good
to trigger on priority as well to catch edge cases
14:40:45 <d-caf> since security is all about edge cases
14:40:53 <Sparks> linuxmodder: The priority is usually set, by the tools, to
whatever the severity is
14:41:12 <linuxmodder> which I don't see changing until EOL dates and since
next is not for what 11 months that would be good idea in my book
14:41:40 <Sparks> d-caf: I'm just not sure how you would categorize a ticket
that has mis-matched values
14:42:01 <linuxmodder> although we still run issue of user defined priority /
real world with that dcmorton
14:42:03 <linuxmodder> d-caf,
14:42:11 * Sparks is a dolt
14:42:29 <Sparks> d-caf: Okay, that table is specifically "by Priority"
14:42:34 <Sparks> +Tickets by Severity-+-------+---------+
14:42:34 <Sparks> | Severity | Tickets | Owned | Unowned |
14:42:34 <Sparks> +----------+---------+-------+---------+
14:42:34 <Sparks> | medium | 424 | 45 | 379 |
14:42:34 <Sparks> | low | 145 | 13 | 132 |
14:42:36 <Sparks> | high | 37 | 22 | 15 |
14:42:39 <Sparks> +----------+---------+-------+---------+
14:42:41 <Sparks> There's the count by severity
14:42:44 <Sparks> Ugh
14:42:48 <linuxmodder> can we still flag for further info like other bugs in
that case tho ?
14:43:26 <d-caf> Yeah, so fine with both, but would update the search links on
FST page to also include something like:
14:43:31 * Sparks would like to see all unowned "high" cases picked up by next
14:44:21 <d-caf> Sparks: noticed a few QEMU dropped this week, was going to
pick those up but wasn't on a browser I could safely log into FAS with
14:44:34 <linuxmodder> will look today on the high pri
14:44:47 <Sparks> Okay, with only a few minutes left...
14:45:04 <d-caf> Would like to update our Bugzilla links on the FST page to
pick up both high severity and priority when clicking on the respective
14:45:05 <Sparks> #topic Open floor discussion/questions/comments
14:45:17 <Sparks> d-caf: Do it
14:45:28 <Sparks> Okay, does anyone have anything of general interest?
14:45:30 <d-caf> ok, willdo
14:45:50 * Sparks is thinking about a DC meet up since there are so many
people around the area that could come.
14:46:13 * Sparks also wonders if we have the budget to fly mhayden in for
14:46:16 <d-caf> Sparks: like the idea, good pgp signing time as well ;-)
14:46:23 <Sparks> d-caf: +1
14:47:09 <mhayden> i always love the free roller coaster ride into Reagan!
14:47:17 * mhayden tightens the seatbelt
14:47:49 <d-caf> Everyone should get ShmooCon tickets and make it a meetup
and sec conference at the same time
14:47:57 <mhayden> that might not be a bad idea either
14:48:00 <d-caf> assuming they get their registration process up to speed
14:48:12 <d-caf> and we get enough lucky clicks
14:48:17 <Astradeus> did the online keysigning happen and i've just missed it?
14:48:37 * d-caf already got my ShmooCon ticket during first round, luckily...
14:48:42 <d-caf> Astradeus: nope
14:48:43 <Sparks> ShmooCon++
14:48:57 <Sparks> I'm never fast enough to get tickets
14:49:16 <Sparks> Astradeus: No one showed up for it.
14:49:17 <d-caf> I've been lucky and gotten tickets every year since year 2
14:49:23 <Sparks> d-caf: Nice
14:49:30 <linuxmodder> +1 to key signing
14:49:41 <Sparks> zoglesby: ^^^
14:49:54 <Sparks> jsmith: I'm assuming you could come up as well?
14:50:21 <jsmith> Sparks: ACK!
14:50:49 <linuxmodder> Sparks, if you set one up and I miss it mentioned
14:50:54 <jsmith> Sparks: (Assuming the timing and my employment situation
14:52:03 <Astradeus> Sparks: sorry for missing it :/
14:52:23 <Sparks> #idea Host a FST DC Meet Up
14:52:54 <Sparks> Okay, does anyone have anything else?
14:53:18 <Sparks> You know, we could probably use the DC library for a meeting
spot for a FAD.
14:53:28 <Sparks> They have space like that available.
14:54:10 <Sparks> Okay, does anyone have anything else?
14:54:46 <d-caf> Nope
14:55:00 <d-caf> will get on documentation the next few days and grab tickets
14:55:03 <zoglesby> reading...
14:55:55 <zoglesby> I am in!
14:56:24 <jsmith> Sparks: I might have a lead on another location to meet as
14:56:40 <zoglesby> We could also use my office
14:56:59 <zoglesby> They tend to be very nice about this kind of stuff
14:57:21 <d-caf> Ok, so apparently a lot more in this area than I knew...
14:57:37 <Sparks> d-caf: Yep, there are quite a few of us.
14:57:49 <Sparks> There's also the Red Hat space over in Tyson's
14:57:56 <d-caf> Sparks: I had assumed you were down in NC
14:58:02 <Sparks> d-caf: I used to be
14:58:12 <Sparks> d-caf: My heart still is.
14:58:14 <d-caf> Yeah, been by the Tyson's office
14:58:27 <d-caf> I used to live down there, still a TriLUG member
14:58:39 <zoglesby> My office is on 14th and New York, near lots of metro stops
14:59:15 <Sparks> d-caf: I do miss TriLUG
14:59:43 <Sparks> #action Sparks to create a FST 2016 FAD page and start
15:00:02 <Sparks> Okay, any last minute thoughts before we run out of time
15:00:03 <Sparks> ?
15:00:09 <Sparks> s/minute/second
15:00:51 <Sparks> Okay, hearing none, we'll adjourn to #fedora-security-team
and continue ranting there.
15:00:51 <linuxmodder> Sparks, the MLK one ?
15:00:54 <Sparks> Thanks everyone!
15:00:56 <Sparks> linuxmodder: yes
15:01:04 <Sparks> linuxmodder: The one with the 3D printer! :)
15:01:06 <linuxmodder> if so I CAN easily help with that
15:01:09 <Sparks> #endmeeting