#fedora-meeting: Security Team Meeting - Agenda:
Meeting started by c0mrad3 at 14:25:50 UTC. The full logs are available
* Follow up on last week's tasks (Astradeus, 14:27:36)
* Outstanding BZ Tickets (Astradeus, 14:33:08)
* Open floor discussion/questions/comments (c0mrad3, 14:40:21)
Meeting ended at 14:56:09 UTC.
Action Items, by person
People Present (lines said)
* Astradeus (38)
* c0mrad3 (23)
* zodbot (5)
14:25:50 <c0mrad3> #startmeeting Security Team Meeting - Agenda:
14:25:50 <zodbot> Meeting started Thu Apr 7 14:25:50 2016 UTC. The
chair is c0mrad3. Information about MeetBot at
14:25:50 <zodbot> Useful Commands: #action #agreed #halp #info #idea
14:25:50 <zodbot> The meeting name has been set to
14:26:25 <c0mrad3> #chair Astradeus
14:26:25 <zodbot> Current chairs: Astradeus c0mrad3
14:27:14 <Astradeus> i think we can skip roll call ;)
14:27:36 <Astradeus> #topic Follow up on last week's tasks
14:28:38 <c0mrad3> #meetingname Fedora Security Team
14:28:38 <zodbot> The meeting name has been set to 'fedora_security_team'
14:29:22 <Astradeus> neither of d-caf, Sparks, pjp or zoglesby are in
the channel, so we do not have any updates from any tasks
14:30:18 <c0mrad3> yes I am not sure where to get the Outstanding BZ
14:30:37 <Astradeus> ah, mhayden sent them out via email
14:30:57 <Astradeus> there is a script somewhere querying the bugzilla
and compiling a report
14:32:03 <Astradeus> #link
14:32:03 <c0mrad3> Astradeus: let's hit the open floor and discuss
14:32:42 <Astradeus> lets do the numbers first
14:32:50 <c0mrad3> Astradeus: I will try running the script and post it here
14:32:57 <c0mrad3> ack
14:33:08 <Astradeus> #topic Outstanding BZ Tickets
14:33:22 <Astradeus> +Tickets by Severity-+-------+---------+
14:33:23 <Astradeus> | Severity | Tickets | Owned | Unowned |
14:33:23 <Astradeus> +----------+---------+-------+---------+
14:33:23 <Astradeus> | medium | 495 | 40 | 455 |
14:33:23 <Astradeus> | low | 167 | 13 | 154 |
14:33:25 <Astradeus> | high | 73 | 29 | 44 |
14:33:27 <Astradeus> +----------+---------+-------+---------+
14:34:17 <c0mrad3> Astradeus: cool!
14:35:04 <c0mrad3> tickets are increasing since the last week
14:35:12 <Astradeus> c0mrad3: are you already on the mailinglist? you
should have received the mail from mhayden.
14:35:52 <Astradeus> yes, medium and high have increased, and low
tickets have decreased
14:35:53 <c0mrad3> Astradeus: just now looked at them it's like 43 min ago
14:38:17 <Astradeus> Critical 0 (0), Important 73 (+6), Moderate 495
(+10), Low 167 (-4), Total 735 (+12)
14:39:45 <Astradeus> i do have one ticket i probably can close this
week without additional support, but I still hope the mentoring thing
works out sometime this week :)
14:39:49 <Astradeus> next topic?
14:40:21 <c0mrad3> #topic Open floor discussion/questions/comments
14:40:53 <c0mrad3> Astradeus: did you contact your mentor on fixing
your first bug ?
14:41:50 <Astradeus> no, we did not write this week - it also has been
quite busy from my dayjob, so i did not have too much time myself.
14:43:09 <Astradeus> how about you?
14:43:29 <c0mrad3> me too did not email him I was attending a
hackthon, I will email him after this meeting
14:43:58 <Astradeus> so busy too :)
14:44:57 <c0mrad3> Also need to read a lot of wiki and get used to the
work cycle, and I have many doubts in my mind to clear
14:45:24 <Astradeus> any questions which might be quick to answer?
14:46:25 <c0mrad3> like what should we do if the vuln is fixed
upstream in a newer version, should be package the newer one and send
it as security update ?
14:47:17 <Astradeus> first contact the maintainer, usually the
maintainer then builds a new update
14:47:36 <c0mrad3> what if they won't patch for the current version of
the software ?
14:47:49 <Astradeus> it is sent as a regular update currently, because
there ist no special treatment for security patches currently
14:48:16 <Astradeus> we give them some timeframe we wait for a response
14:48:55 <c0mrad3> so all we do is look for security bugs and make
sure that the maintainer updates the new package without the vuln ?
14:49:04 <Astradeus> if there is no answer and the vulnerability is
serious, people from the proven-packagers-group can also package
software and push it to the mirrors
14:49:12 <Astradeus> primarily, yes
14:49:35 <c0mrad3> okay! any other things that we do ?
14:51:03 <Astradeus> currently thinking about ways how to push
security patches faster through the mirrors
14:51:28 <c0mrad3> ack, let end the meeting
14:51:46 <Astradeus> as the fedora security team is still building up
- how to establish trust
14:52:24 <Astradeus> because e.g. the redhat security people or the
debian security people do get information way earlier (embargoed
14:52:48 <c0mrad3> yes I get it the vulns shouldn't be shown to every one
14:53:20 <Astradeus> so fedora could be faster to push patches if we
have a group which is trusted to see embargoed vulns
14:53:55 <Astradeus> (at least for some time - i'm definitely on the
side that vulns should be public after some reasonable timeframe)
14:54:18 <Astradeus> i think those two things are currently the main issues
14:54:31 <c0mrad3> only after they are fixed / updates are available
14:54:43 <c0mrad3> they should be made public
14:55:08 <Astradeus> ah, and maybe to try to be advisors for security
questsions other fedora-groups might have
14:55:39 <Astradeus> *questions
14:56:07 <Astradeus> or questions regular fedora-users might have
14:56:09 <c0mrad3> #endmeeting
"Only thing that can never be 'RE-CYCLED' is 'WASTED TIME' ".