======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:01:10 UTC. The full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting/2016-04-14/fedora_securi... .
Meeting summary
---------------
* Roll Call\ (Sparks, 14:01:16)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:05:46)
* Follow up on last week's tasks (Sparks, 14:06:29)
* ACTION: pjp to give a status update on security policy in the wiki
(carried over) (Sparks, 14:06:47)
* ACTION: Sparks to figure out how FST members can get access to
Fedora security bugs (carried over) (Sparks, 14:06:59)
* ACTION: pjp and d-caf to work on the feature requests for Koji and
Bodhi for private builds for embargoed vulnerabilities. (carried
over) (Sparks, 14:07:10)
* Apprenticeship (Sparks, 14:11:08)
* LINK:
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
(Sparks, 14:11:17)
* AGREED: Next week's meeting will be held via video-teleconference to
work through the Apprentice training (Sparks, 14:15:44)
* ACTION: mhayden to send an invitation for a VC meeting next week
with detailed agenda for reviewing security docs in the wiki
(mhayden, 14:17:57)
* HELP: -- review of post for personal / commblog
http://fpaste.org/355375/ (linuxmodder, 14:18:26)
* Handling embargoed vulnerabilities (Sparks, 14:18:46)
* ACTION: Sparks to follow up with pjp and d-caf on this project.
(Sparks, 14:19:15)
* pjp and d-caf were supposed to be working with Koji and Bodhi folks
to figure out private builds (carried over) (Sparks, 14:19:26)
* Outstanding BZ Tickets (Sparks, 14:19:39)
* Thursday's numbers: Critical 0 (0), Important 72 (-1), Moderate 510
(+15), Low 169 (+2), Total 751 (+16) (Sparks, 14:19:45)
* Open floor discussion/questions/comments (Sparks, 14:21:40)
* LINK:
http://fpaste.org/355375/ < proposed badlock post for
planet (linuxmodder, 14:22:37)
* LINK:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-be53260726
(zoglesby, 14:23:55)
* gd got the patches out for Fedora fairly quickly for Samba (Sparks,
14:24:35)
* LINK:
https://access.redhat.com/security/updates/classification/
(Sparks, 14:27:19)
* Critical Impact - This rating is given to flaws that could be easily
exploited by a remote unauthenticated attacker and lead to system
compromise (arbitrary code execution) without requiring user
interaction. These are the types of vulnerabilities that can be
exploited by worms. Flaws that require an authenticated remote user,
a local user, or an unlikely configuration are not classed as
Critical impact. (Sparks, 14:27:35)
* mhayden wins the weekly prize of having sent the most mail to the
list over the last 30 days. (Sparks, 14:32:12)
Meeting ended at 14:33:33 UTC.
Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
over)
* Sparks to figure out how FST members can get access to Fedora security
bugs (carried over)
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
private builds for embargoed vulnerabilities. (carried over)
* mhayden to send an invitation for a VC meeting next week with detailed
agenda for reviewing security docs in the wiki
* Sparks to follow up with pjp and d-caf on this project.
Action Items, by person
-----------------------
* mhayden
* mhayden to send an invitation for a VC meeting next week with
detailed agenda for reviewing security docs in the wiki
* Sparks
* Sparks to figure out how FST members can get access to Fedora
security bugs (carried over)
* Sparks to follow up with pjp and d-caf on this project.
* **UNASSIGNED**
* pjp to give a status update on security policy in the wiki (carried
over)
* pjp and d-caf to work on the feature requests for Koji and Bodhi for
private builds for embargoed vulnerabilities. (carried over)
People Present (lines said)
---------------------------
* Sparks (59)
* linuxmodder (31)
* mhayden (22)
* zoglesby (12)
* zodbot (9)
* Southern_Gentlem (1)
14:01:10 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:01:10 <zodbot> Meeting started Thu Apr 14 14:01:10 2016 UTC. The chair is
Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:01:10 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:01:10 <zodbot> The meeting name has been set to
'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:01:13 <Sparks> #meetingname Fedora Security Team
14:01:13 <zodbot> The meeting name has been set to 'fedora_security_team'
14:01:16 <Sparks> #topic Roll Call\
14:01:35 <linuxmodder> .hellomynameis corey84
14:01:36 <zodbot> linuxmodder: corey84 'Corey Sheldon'
<sheldon.corey(a)gmail.com>
14:01:58 <linuxmodder> mattdm, you here with us today?
14:03:17 <Southern_Gentlem> .hello jbwillia
14:03:17 <zodbot> Southern_Gentlem: jbwillia 'Ben Williams'
<vaioof(a)yahoo.com>
14:03:30 * zoglesby
14:03:52 <linuxmodder> c0mrad3, said he'd be absent
14:05:39 <Sparks> Okay, let's get started
14:05:46 <Sparks> #info Participants are reminded to make liberal use of #info #link
#help in order to make the minutes "more better"
14:06:04 <Sparks> #chair zoglesby Southern_Gentlem linuxmodder
14:06:04 <zodbot> Current chairs: Southern_Gentlem Sparks linuxmodder zoglesby
14:06:29 <Sparks> #topic Follow up on last week's tasks
14:06:47 <Sparks> #action pjp to give a status update on security policy in the
wiki (carried over)
14:06:59 <Sparks> #action Sparks to figure out how FST members can get access to
Fedora security bugs (carried over)
14:07:10 <Sparks> #action pjp and d-caf to work on the feature requests for Koji and
Bodhi for private builds for embargoed vulnerabilities. (carried over)
14:07:35 <Sparks> zoglesby: I have down here that you were supposed to take the
Apprenticeship discussion to the list.
14:07:51 <Sparks> zoglesby: I believe you did this... Was there an outcome?
14:10:06 <zoglesby> no
14:10:16 <zoglesby> it was taken to the list, I would like to think people are
reading docs
14:10:42 <Sparks> ha!
14:11:02 <mhayden> i read through it after i saw it on the list -- i think we had
talked about taking the big list and breaking it into maturity levels
14:11:08 <Sparks> #topic Apprenticeship
14:11:17 <Sparks> #link
https://lists.fedoraproject.org/archives/list/security-team@lists.fedorap...
14:11:19 <mhayden> so that people would know which content they ought to review
based on their maturity level in information security
14:11:38 <zoglesby> that is the plan
14:11:44 <zoglesby> just need to execute on it
14:11:46 <Sparks> I see no responses to the email...
14:12:39 <Sparks> zoglesby: What are next steps?
14:12:48 <linuxmodder> I have had little time this week to do anything on it
14:12:50 <linuxmodder> :(
14:12:58 <Sparks> ditto
14:13:26 <zoglesby> Read and respond to what you think is good for first level
14:13:48 <linuxmodder> on that note for open floor I'd request a review of a
blog post for WP / likely the commblog as well on badlock
14:13:54 <mhayden> i wonder if we could do our next meeting via videoconference and
just work through it there
14:14:03 <mhayden> we could tag each one and then sort them when the call is over
14:14:27 <Sparks> mhayden: I'm not against that
14:14:43 <mhayden> perhaps a google hangout?
14:14:55 <zoglesby> I *should* be able to do that as well
14:15:09 <linuxmodder> I'd be cool with that
14:15:11 <Sparks> mhayden: I'll let you take the lead on that.
14:15:18 <mhayden> we could get the discussion done real-time and one person could
share their screen
14:15:36 <mhayden> Sparks: sure -- i'll send a meeting invitation to the list
14:15:44 <Sparks> #agreed Next week's meeting will be held via
video-teleconference to work through the Apprentice training
14:16:13 <mhayden> any objections if i just send a google calendar invitation
directly to the list?
14:16:52 <linuxmodder> nfm
14:17:08 <Sparks> mhayden: Might want to follow up to the invite with exactly what
we're trying to do if it isn't clear from the invite.
14:17:35 <mhayden> agreed
14:17:57 <mhayden> #action mhayden to send an invitation for a VC meeting next week
with detailed agenda for reviewing security docs in the wiki
14:18:18 <mhayden> zoglesby++
14:18:18 <zodbot> mhayden: Karma for zoglesby changed to 3 (for the f23 release
cycle):
https://badges.fedoraproject.org/tags/cookie/any
14:18:26 <linuxmodder> #help -- review of post for personal / commblog
http://fpaste.org/355375/
14:18:27 <mhayden> thanks for keeping this thing going
14:18:46 <Sparks> #topic Handling embargoed vulnerabilities
14:18:58 <Sparks> Neither pjp nor d-caf is here to talk about this.
14:19:06 <zoglesby> :
14:19:09 <zoglesby> :(
14:19:15 <Sparks> #action Sparks to follow up with pjp and d-caf on this project.
14:19:25 <linuxmodder> on that with this week's unembargoed ^^ badlock planned
post on that link
14:19:26 <Sparks> #info pjp and d-caf were supposed to be working with Koji and
Bodhi folks to figure out private builds (carried over)
14:19:39 <Sparks> #topic Outstanding BZ Tickets
14:19:45 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 72 (-1),
Moderate 510 (+15), Low 169 (+2), Total 751 (+16)
14:19:58 <Sparks> +Tickets by Severity-+-------+---------+
14:19:58 <Sparks> | Severity | Tickets | Owned | Unowned |
14:19:58 <Sparks> +----------+---------+-------+---------+
14:19:58 <Sparks> | medium | 510 | 40 | 470 |
14:19:58 <Sparks> | low | 169 | 13 | 156 |
14:20:00 <Sparks> | high | 72 | 29 | 43 |
14:20:03 <Sparks> +----------+---------+-------+---------+
14:20:18 <Sparks> Anyone have anything to discuss ticket-wise?
14:20:48 <linuxmodder> I should have cycles to tackle a few this week but not on
any active tickets
14:21:40 <Sparks> #topic Open floor discussion/questions/comments
14:21:45 <Sparks> Anyone have anything?
14:22:11 <linuxmodder> had some interest at bitcamp for security member joins
working on follow ups
14:22:37 <linuxmodder> #link
http://fpaste.org/355375/ < proposed badlock post
for planet
14:22:42 <linuxmodder> nffm
14:22:43 <Sparks> linuxmodder: I'm sure that would have made better sense had
there not been a shortage of punctuation.
14:23:16 <linuxmodder> Sparks, following up with some attendees at bitcamp that
showed interest
14:23:37 <Sparks> linuxmodder: I'm sure that even if you were in a SCIF you
likely heard about Badlock
14:23:51 <linuxmodder> lol
14:23:54 <zoglesby> also it is now in the main repo
14:23:55 <zoglesby> https://bodhi.fedoraproject.org/updates/FEDORA-2016-be53260726
14:24:11 <Sparks> gd++
14:24:11 <zodbot> Sparks: Karma for gd changed to 1 (for the f23 release cycle):
https://badges.fedoraproject.org/tags/cookie/any
14:24:23 <linuxmodder> noted
14:24:35 <Sparks> #info gd got the patches out for Fedora fairly quickly for Samba
14:24:41 <linuxmodder> that was from yesterday before that dropped will update
14:25:14 <linuxmodder> any other issues /comments are welcome
14:25:14 <Sparks> It's important to note that Badlock was not a critical bug.
14:25:46 <linuxmodder> it was only Important correct
14:25:50 <Sparks> ...in spite of all the hype
14:25:52 <Sparks> correct
14:26:12 <linuxmodder> critical has the criterion of active 0day no?
14:26:49 <Sparks> linuxmodder: Not necessarily. It has to be remotely exploitable,
I think.
14:27:19 <Sparks> #link
https://access.redhat.com/security/updates/classification/
14:27:21 <linuxmodder> remote with no user interact seems logical
14:27:35 <Sparks> #info Critical Impact - This rating is given to flaws that could
be easily exploited by a remote unauthenticated attacker and lead to system compromise
(arbitrary code execution) without requiring user interaction. These are the types of
vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote
user, a local user, or an unlikely configuration are not classed as Critical impact.
14:28:37 <linuxmodder> the fact badlock required auth users saved it from that
14:29:07 <linuxmodder> any other mods from the post before I publish it ?
14:29:07 <Sparks> I don't think the dust has settled completely on this vuln.
14:29:15 <linuxmodder> nor do I
14:29:27 <linuxmodder> residuals would not surprise me
14:29:30 <mhayden> invitation sent for next week -- let me know if i am missing
detail
14:29:35 <Sparks> I didn't really read through it for accuracy as I've been
overexposed to it now.
14:29:41 <linuxmodder> as this partly allowed drown
14:29:47 <Sparks> mhayden++
14:29:55 <mhayden> oh no -- i scheduled it for *today*
14:29:58 <linuxmodder> the links were to the access.rh links
14:29:59 <mhayden> rather than next thurs :P
14:30:01 * mhayden goes to fix
14:30:02 <Sparks> mhayden--
14:30:08 <zoglesby> lol
14:30:25 <linuxmodder> and wiki pages or official docs for the 'terms'
14:30:55 <Sparks> Okay, anything else?
14:31:12 <linuxmodder> if anyone else can give it an accuracy check that would be
great
14:31:39 <linuxmodder> << EOF
14:32:12 <Sparks> #info mhayden wins the weekly prize of having sent the most mail
to the list over the last 30 days.
14:32:31 <Sparks> And that's all I have.
14:32:44 <mhayden> :|
14:32:47 <mhayden> oopsies
14:32:50 <Sparks> Join us again, next week, when we do this all over again!
14:32:54 <mhayden> #makemailinglistsgreatagain?
14:33:02 <Sparks> mhayden++
14:33:04 <mhayden> haha
14:33:11 * mhayden orders a red hat
14:33:22 <mhayden> more like a red cap
14:33:30 <Sparks> Okay, see you all in the Intertubez!
14:33:33 <Sparks> #endmeeting