======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:01 UTC. The full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting/2016-05-12/fedora_securi...
Meeting summary
---------------
* Roll Call (Sparks, 14:00:07)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better" (Sparks, 14:11:01)
* Follow up on last week's tasks (Sparks, 14:11:06)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over) (Sparks, 14:11:16)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs (carried over) (Sparks, 14:11:26)
  * ACTION: zoglesby to update the reading list for the Apprenticeship
    (carried over) (Sparks, 14:11:36)
  * zoglesby completed his update to the reading list for the
    Apprenticeship (Sparks, 14:12:15)
  * ACTION: Sparks to garden the Koji wiki pages to standardize the
    pages and add a category or two. (carried over) (Sparks, 14:12:30)
  * ACTION: d-caf to continue working on private builds in koji, bodhi,
    and distgit. (carried over) (Sparks, 14:12:41)
  * ACTION: Sparks to follow up on the shipping of non-Linux binaries of
    the USB ISO tool. (Sparks, 14:12:53)
  * In Progress (Sparks, 14:12:57)
  * ACTION: Sparks to get stats on the number of vulns that were
    embargoed that affected Fedora/EPEL. (carried over) (Sparks,
    14:13:11)
* Apprenticeship (Sparks, 14:13:38)
  * LINK: https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Training
    (Sparks, 14:14:54)
* Windows/OS X Tools in F25 (Sparks, 14:15:55)
  * LINK: https://fedorahosted.org/fedora-security-team/ticket/1
    (Sparks, 14:16:03)
* Outstanding BZ Tickets (Sparks, 14:26:39)
  * No new numbers for this week. (Sparks, 14:26:48)
* Open floor discussion/questions/comments (Sparks, 14:29:50)
Meeting ended at 14:43:58 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora security
bugs (carried over)
* zoglesby to update the reading list for the Apprenticeship (carried
over)
* Sparks to garden the Koji wiki pages to standardize the pages and add
a category or two. (carried over)
* d-caf to continue working on private builds in koji, bodhi, and
distgit. (carried over)
* Sparks to follow up on the shipping of non-Linux binaries of the USB
ISO tool.
* Sparks to get stats on the number of vulns that were embargoed that
affected Fedora/EPEL. (carried over)
Action Items, by person
-----------------------
* Sparks
  * Sparks to figure out how FST members can get access to Fedora
    security bugs (carried over)
  * Sparks to garden the Koji wiki pages to standardize the pages and
    add a category or two. (carried over)
  * Sparks to follow up on the shipping of non-Linux binaries of the USB
    ISO tool.
  * Sparks to get stats on the number of vulns that were embargoed that
    affected Fedora/EPEL. (carried over)
* zoglesby
  * zoglesby to update the reading list for the Apprenticeship (carried
    over)
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)
  * d-caf to continue working on private builds in koji, bodhi, and
    distgit. (carried over)
People Present (lines said)
---------------------------
* Sparks (62)
* linuxmodder (18)
* zoglesby (15)
* zodbot (11)
* mattdm (4)
* Astradeus (2)
14:00:01 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:02 <zodbot> Meeting started Thu May 12 14:00:01 2016 UTC. The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:00:02 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:05 <Sparks> #meetingname Fedora Security Team
14:00:05 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:07 <Sparks> #topic Roll Call
14:00:08 * Sparks
14:01:46 <Astradeus> .fasinfo astra
14:01:47 <zodbot> Astradeus: User: astra, Name: David Kaufmann, email:
astra(a)ionic.at, Creation: 2013-11-27, IRC Nick: Astradeus, Timezone:
Europe/Vienna, Locale: en, GPG key ID: 5CBED71B23D2450E, Status: active
14:01:50 <zodbot> Astradeus: Approved Groups: fedorabugs security-team
cla_fpca cla_done
14:04:17 <linuxmodder> .fasinfo linuxmodder
14:04:52 <linuxmodder> .fas linuxmodder
14:05:18 * zoglesby is here
14:05:24 <zodbot> linuxmodder: User: linuxmodder, Name: Corey W Sheldon,
email: sheldon.corey(a)openmailbox.org, Creation: 2016-04-24, IRC Nick:
linuxmodder, Timezone: US/Eastern, Locale: en, GPG key ID:
8C5079D6C62BC78F 8B4E89435A88E539 59276298D2264944, Status: active
14:05:28 <zodbot> linuxmodder: Approved Groups: freemedia docs
fedora-join security-team magazine commops marketing ambassadors
fedorabugs qa fi-apprentice cla_done cla_fpca
14:05:31 <zodbot> linuxmodder: linuxmodder 'Corey W Sheldon'
<sheldon.corey(a)openmailbox.org>
14:06:14 * Sparks updates the agenda for today
14:06:20 <linuxmodder> damn zodbot is laggy today :(
14:07:35 * Sparks waves at zodbot
14:07:38 * Sparks waves at zoglesby
14:07:54 <Sparks> zoglesby: Welcome, nice that you could join us today. :)
14:08:17 <zoglesby> I was in jury duty last week. Judge tends to not
like people on phone
14:08:37 <linuxmodder> damn judge :)
14:08:47 <Sparks> zoglesby: That's why you bring a laptop
14:10:25 <linuxmodder> or tell the judge I can't do things for this 1
hr block cool?
14:10:26 <linuxmodder> :)
14:10:44 <Sparks> Okay, let's get started
14:10:53 <Sparks> #chair zoglesby linuxmodder Astradeus
14:10:53 <zodbot> Current chairs: Astradeus Sparks linuxmodder zoglesby
14:11:01 <Sparks> #info Participants are reminded to make liberal use of
#info #link #help in order to make the minutes "more better"
14:11:06 <Sparks> #topic Follow up on last week's tasks
14:11:16 <Sparks> #action pjp to give a status update on security policy
in the wiki (carried over)
14:11:26 <Sparks> #action Sparks to figure out how FST members can get
access to Fedora security bugs (carried over)
14:11:36 <Sparks> #action zoglesby to update the reading list for the
Apprenticeship (carried over)
14:11:43 <zoglesby> I did that!
14:11:46 <Sparks> Woot
14:11:51 <zoglesby>
https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Training
14:11:51 <Sparks> #undo
14:11:51 <zodbot> Removing item from minutes: <MeetBot.items.Link object
at 0x7f34a6feba90>
14:12:15 <Sparks> #info zoglesby completed his update to the reading
list for the Apprenticeship
14:12:26 <linuxmodder> still need to do the securityguide rewrite
myself :(
14:12:30 <Sparks> #action Sparks to garden the Koji wiki pages to
standardize the pages and add a category or two. (carried over)
14:12:41 <Sparks> #action d-caf to continue working on private builds in
koji, bodhi, and distgit. (carried over)
14:12:53 <Sparks> #action Sparks to follow up on the shipping of
non-Linux binaries of the USB ISO tool.
14:12:57 <Sparks> #info In Progress
14:13:11 <Sparks> #action Sparks to get stats on the number of vulns
that were embargoed that affected Fedora/EPEL. (carried over)
14:13:19 <Sparks> Okay, I think that's all from last week.
14:13:38 <Sparks> #topic Apprenticeship
14:13:43 <Sparks> zoglesby: You have the floor
14:14:14 <zoglesby> Um, please check the link I posted above, and make
sure I did not miss anything.
14:14:39 <zoglesby> That is all that I have on that topic for today
14:14:54 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Training
14:15:00 <Sparks> Well, that was anticlimactic.
14:15:28 <zoglesby> I try
14:15:43 <Sparks> heh
14:15:55 <Sparks> #topic Windows/OS X Tools in F25
14:16:03 <Sparks> #link
https://fedorahosted.org/fedora-security-team/ticket/1
14:16:11 <Sparks> mattdm: You around?
14:17:29 <Sparks> I've not had a chance to dive into this topic as much
as I wanted to...
14:18:25 <Sparks> Basically, there is a desire to ship a Windows and an
OS X binary. The question is what security rules need to apply to such
a binary.
14:19:02 <Sparks> I think at a minimum the binaries should be built in a
trusted environment (e.g. Koji) and be signed.
14:19:05 <Sparks> Anyone else?
14:20:31 <linuxmodder> windows will need 2 signing keys one from M$ and
ours
14:21:01 <linuxmodder> or we will need users to use 'test mode'
14:22:08 <Sparks> Right, and I don't think that's a good thing to do
14:23:22 <linuxmodder> same
14:23:56 <linuxmodder> how was the current liveUSBcreator legal then
don't remember it needing 'testmode'
14:24:08 <Sparks> Is it compiled for Windows?
14:25:26 * Sparks dodm
14:25:28 <Sparks> grrr
14:25:32 * Sparks didn't think it was
14:26:24 <Sparks> Okay, let's move on. I encourage everyone interested
in this to follow the ticket.
14:26:39 <Sparks> #topic Outstanding BZ Tickets
14:26:48 <Sparks> #info No new numbers for this week.
14:27:02 <Sparks> Does anyone have anything regarding tickets to discuss
this week?
14:29:04 <zoglesby> no
14:29:50 <Sparks> #topic Open floor discussion/questions/comments
14:29:59 <Sparks> Okay, anyone have anything they want to discuss?
14:30:03 <zoglesby> yes
14:30:25 <zoglesby> please don't spend much time on the security guide
<< linuxmodder
14:30:49 <Sparks> heh
14:30:56 <Sparks> zoglesby: And your reasoning is???
14:30:59 <zoglesby> The whole book needs to be redone, we are going to
move docs to asciidoc, and moving to a topical based format as well
14:31:30 <linuxmodder> mostly doing stuff for 24 release stuff I
remember all that
14:32:34 <Sparks> I think there's a tool to take DocBookXML and turn it
into asciidoc.
14:33:37 <zoglesby> Sparks: yes, but we are not going to be doing things
in the big read from front to back style any more.
14:33:43 <linuxmodder> zoglesby, re: training wiki attach or sign with ?
14:34:05 <Sparks> zoglesby: Got some information you can point us to?
14:34:18 <zoglesby> linuxmodder: don't know what you are asking
14:34:27 <zoglesby> Sparks: should be on the community blog today
14:34:37 <Sparks> okay
14:34:43 <linuxmodder> zoglesby, in intro here:
https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Training
14:34:46 <mattdm> Sparks: sorry missed ping earlier (In another meeting)
14:34:54 <linuxmodder> attach gpg to email or sign email with said gpg key
14:35:16 <linuxmodder> I ask as I sign all but rarely attach a copy
14:35:57 <Sparks> mattdm: Just talking about the binaries for Windows
and OS X
14:36:09 <zoglesby> We are only talking about the Training section, that
other stuff was old, but the point was telling people what your GPG key
is. I don't care how you go about it
14:36:19 <linuxmodder> and what was needed for legalities
14:37:06 <mattdm> Sparks: yeah. Have you heard a plan from the team
working on that? They'd like to do something more lightweight than
getting full support set up in koji
14:37:33 <linuxmodder> I'd say we change that to say: upload gpg to
FAS profile / gpg keyserver(s) of choice, keys.fedoraproject.org
preferred, and sign emails within team
14:37:37 <Sparks> mattdm: I've not heard anything. Perhaps someone
could update https://fedorahosted.org/fedora-security-team/ticket/1?
14:37:59 <mattdm> Sparks: I'll check in with them
14:38:27 <Sparks> mattdm: I'd prefer to have a specific question asked.
14:38:59 <mattdm> Sparks: yep that's fair. I don't think we're
expecting *you* to devise a plan
14:39:06 <Sparks> Right
14:39:37 <Sparks> FWIW, I added some information regarding signing.
14:40:54 <Sparks> Okay, anything else?
14:41:39 <Astradeus> nothing meeting specific
14:43:48 <Sparks> Okay, I guess we can adjourn here and move back to
#fedora-security-team for some light refreshments.
14:43:55 <Sparks> Thanks, all, for coming out and joining us today!
14:43:58 <Sparks> #endmeeting