======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:53 UTC. The full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting/2016-03-10/fedora_securi...
Meeting summary
---------------
* Roll Call (Sparks, 14:00:57)
* Fedora Security Team FAD (Sparks, 14:08:56)
  * LINK: https://fedoraproject.org/wiki/Security_Team_FAD_2016 (Sparks, 14:09:05)
  * It appears that we have five people coming to the FAD, physically, and a few more remotely. (Sparks, 14:09:44)
  * LINK: http://paste.fedoraproject.org/336715/45761897/raw/ (mhayden, 14:09:52)
  * We'll be monitoring #fedora-security-team in Freenode IRC for backup communications and notes. (Sparks, 14:17:26)
* Missing CVE bugs (Sparks, 14:25:17)
* Outstanding BZ Tickets (Sparks, 14:38:31)
  * Thursday's numbers: Critical 0, Important 69, Moderate 468, Low 178 (Sparks, 14:39:23)
* Open floor discussion/questions/comments (Sparks, 14:41:19)
Meeting ended at 14:48:56 UTC.
Action Items
------------
Action Items, by person
-----------------------
* **UNASSIGNED**
  * (none)
People Present (lines said)
---------------------------
* Sparks (59)
* linuxmodder (20)
* d-caf (7)
* zodbot (6)
* zoglesby (5)
* jsmith (5)
* mhayden (4)
* Astradeus (2)
14:00:53 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:53 <zodbot> Meeting started Thu Mar 10 14:00:53 2016 UTC. The
chair is Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:00:53 <zodbot> Useful Commands: #action #agreed #halp #info #idea
#link #topic.
14:00:53 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:56 <Sparks> #meetingname Fedora Security Team
14:00:56 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:57 <Sparks> #topic Roll Call
14:00:58 * Sparks
14:01:04 * d-caf
14:02:31 * d-caf could have sworn had just seen linuxmodder in this
window...
14:02:35 * jsmith is here
14:02:55 <linuxmodder> .hello corey84
14:02:56 <zodbot> linuxmodder: corey84 'Corey Sheldon'
<sheldon.corey(a)gmail.com>
14:03:02 <linuxmodder> I was lol d-caf
14:03:51 <linuxmodder> will brb drink refill
14:05:58 * linuxmodder back
14:06:06 <mhayden> .hello mhayden
14:06:07 <zodbot> mhayden: mhayden 'Major Hayden' <major(a)mhtx.net>
14:08:03 * Sparks was hoping zoglesby would be here today
14:08:09 <Sparks> Okay, lets get startee
14:08:10 <Sparks> Okay, lets get started
14:08:19 * mhayden is generating this week's report
14:08:56 <Sparks> #topic Fedora Security Team FAD
14:09:05 <Sparks> #link
https://fedoraproject.org/wiki/Security_Team_FAD_2016
14:09:31 <d-caf> Tomorrow
14:09:44 <Sparks> #info It appears that we have five people coming to
the FAD, physically, and a few more remotely.
14:09:52 <mhayden> #link
http://paste.fedoraproject.org/336715/45761897/raw/
14:10:24 <Sparks> d-caf: Yes, tomorrow! :)
14:10:37 <linuxmodder> I'll be there maybe a bit delayed (9-930)
14:10:39 * Sparks needs to figure out which trains to take to get to
where I'm headed.
14:11:10 <d-caf> Yes, I'll be metroing in as well
14:11:47 * Astradeus remotely (sorry for being late)
14:12:27 <Sparks> I'll send out an email with contact information for
myself and Zach as well as instructions for the keysigning event.
14:12:38 <linuxmodder> so at least 3/5 will be metroing
14:14:32 <Sparks> I still haven't received word back on funding so we
may just be going Dutch
14:15:32 <jsmith> Worse comes to worse, I can probably cover lunch
14:15:33 <Sparks> I also have heard back from zoglesby regarding the
video conferencing setup at his office so standby for changes.
14:15:48 <jsmith> Want me to bring a couple of extra webcams?
14:16:13 <Sparks> Umm... Well, there apparently is some sort of setup
but we're not sure exactly what it supports.
14:16:38 <linuxmodder> I have a spare its only 720 p tho
14:16:48 <Sparks> I'll try to track down zoglesby today and get that
figured out. We can update the wiki as needed.
14:17:26 <Sparks> #info We'll be monitoring #fedora-security-team in
Freenode IRC for backup communications and notes.
14:17:42 <Sparks> We can run zodbot in there to collect our notes
14:18:04 <Sparks> But that will be our backup path if the video
conference changes.
14:19:45 <jsmith> OK.
14:19:54 <Sparks> Any additional questions?
14:21:14 <d-caf> Just looking forward to seeing everyone
14:21:29 <d-caf> Unfortunately I'm going to have to miss the rest of
this irc meeting, need to head out.
14:21:39 <d-caf> See everyone tomorrow!
14:22:26 <linuxmodder> Sparks, any special access concerns for the bldg
itself
14:23:15 <Sparks> linuxmodder: Not that I'm aware of.
14:23:40 <linuxmodder> okay
14:23:58 <Sparks> zoglesby says to go to the front desk and say that you
are here to see him (Zach Oglesby)
14:24:01 <linuxmodder> some of my dc tech stuff has them so I ask
14:24:20 <linuxmodder> noted
14:25:11 <Sparks> Okay, moving along...
14:25:17 <Sparks> #topic Missing CVE bugs
14:26:38 <Sparks> Yesterday a maintainer received a new version of a
program that fixed two CVEs. Upon checking BZ there were no CVE tracker
bugs for this CVE and MITRE didn't show anything either.
14:28:02 <Sparks> Turns out, the CVEs were still embargoed and thus
weren't showing up publicly.
14:29:02 <linuxmodder> Sparks, when do those go un-embargoed?
14:29:06 <Sparks> Since upstream broke the embargo we opened up the bugs
as well. The update in Bodhi was properly attached to the new bug
tickets and all is well.
14:29:15 <linuxmodder> I remember seeing that exchange briefly yesterday
14:29:43 <Sparks> linuxmodder: Embargoes should have expiration dates
and times.
14:30:01 <Sparks> linuxmodder: Generally, this is worked out with
upstream so everyone is on the same page.
14:30:28 <Sparks> Why upstream released early I'm not sure.
14:31:33 <linuxmodder> I'm familiar with the process was just curious
how/why the date was ignored (if known)
14:31:59 <Sparks> The takeaway to all this is we need to make sure that
patched CVEs get attached to BZ bugs so we can account for all of the fixes.
14:33:15 <zoglesby> Sparks: how many people can see the list of
embargoed tickets? (on fedora-security-team)
14:33:20 <zoglesby> is it just you?
14:34:04 <Sparks> If a CVE ticket does not exist then send a message to
secalert(a)redhat.com so RH Product Security can sort it all out.
14:34:50 <Sparks> zoglesby: It is likely just me since I'm on Product
Security. Embargoed CVEs that affect Fedora don't even have Fedora
tickets until they are unembargoed so there isn't anything to see.
14:35:42 <zoglesby> okay, hope this is a topic for tomorrow...
14:35:48 <Sparks> If you are so inclined, messages to
secalert(a)redhat.com can be encrypted using 9273 2337 E5AD 3417 5265 64AB
5E54 8083 650D 5882
14:36:07 <Sparks> zoglesby: It can/will be but there really isn't much
of a good answer, unfortunately.
14:36:37 <Sparks> Perhaps Fabio can join us tomorrow, remotely, for that
part of the discussion
14:36:59 <Sparks> Any other questions?
14:38:00 <zoglesby> No
14:38:31 <Sparks> #topic Outstanding BZ Tickets
14:38:37 <linuxmodder> imported that key for future
14:39:23 <Sparks> #info Thursday's numbers: Critical 0, Important 69,
Moderate 468, Low 178
14:39:30 <Sparks> +Tickets by Severity-+-------+---------+
14:39:30 <Sparks> | Severity | Tickets | Owned | Unowned |
14:39:30 <Sparks> +----------+---------+-------+---------+
14:39:30 <Sparks> | medium | 468 | 40 | 428 |
14:39:31 <Sparks> | low | 178 | 13 | 165 |
14:39:32 <Sparks> | high | 69 | 20 | 49 |
14:39:34 <Sparks> +----------+---------+-------+---------+
14:39:43 <Sparks> Anyone have anything to talk about ticket-wise?
14:39:50 * jsmith doesn't
14:39:54 * mhayden hasn't had much time to follow up on security issues
lately :/
14:41:19 <Sparks> #topic Open floor discussion/questions/comments
14:41:20 <linuxmodder> not been active in the ticket list of late
hoping to look today
14:41:25 <Sparks> Okay, anyone have anything?
14:42:34 <linuxmodder> there was a hope in docs | blog to have a
revise of security docs for 23 ( seems some are back to 21)
14:42:59 <linuxmodder> can find the list link if needed but also was in
server list
14:43:00 <Astradeus> anything to review before tomorrow?
14:43:58 <Sparks> linuxmodder: We can talk about that tomorrow if you wish
14:44:11 <linuxmodder> noted
14:45:51 <Sparks> Anything else?
14:47:44 <linuxmodder> nothing comes to mind but reserving right to add
on ml if comes to mind :)
14:47:58 <Sparks> Okay, everyone have a good day and I'll be seeing you
all tomorrow!
14:48:07 <Sparks> right to add on ml?
14:48:16 <Sparks> Oh
14:48:24 <Sparks> I'm with you now. :)
14:48:29 <zoglesby> slow today?
14:48:33 <Sparks> everyday
14:48:39 <Sparks> every day
14:48:56 <Sparks> #endmeeting