Security Team meeting minutes for 2015-11-05

Eric Christensen sparks at fedoraproject.org
Thu Nov 5 14:49:39 UTC 2015


Meeting started by Sparks at 14:00:21 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-11-05/fedora_security_team.2015-11-05-14.00.log.html



Meeting summary
---------------
* Roll Call  (Sparks, 14:00:26)
  * LINK:
    https://lists.fedoraproject.org/pipermail/security-team/2015-November/000401.html
    (mhayden, 14:05:21)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better"  (Sparks, 14:14:32)

* Follow up on last week's tasks  (Sparks, 14:15:03)
  * ACTION: Sparks to talk with mattdm regarding private security
    tickets in BZ.  (Sparks, 14:15:26)
  * This was started but hasn't really moved forward.  (Sparks,
    14:15:42)
  * ACTION: Sparks to discuss using Bluejeans for an online GPG key
    signing event  (Sparks, 14:15:50)
  * This isn't mandatory so if you don't feel comfortable participating
    or don't feel comfortable with not holding an ID in your hands then
    you don't have to participate.  (Sparks, 14:18:05)
  * ACTION: mhayden to get Astradeus' changes to the stats script into
    the fedora-security-team git repo  (Sparks, 14:22:29)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over)  (Sparks, 14:23:37)

* Education and Training  (Sparks, 14:23:42)
  * LINK: https://fedoraproject.org/wiki/Information_Security_Training
    (Sparks, 14:23:49)
  * LINK:
    https://benchmarks.cisecurity.org/downloads/multiform/index.cfm -
    should it be there?  (fenrus02, 14:25:27)
  * LINK: https://wiki.mozilla.org/Security/Server_Side_TLS .. and ..
    https://mozilla.github.io/server-side-tls/ssl-config-generator/ ?
    or too much detail ?  (fenrus02, 14:27:53)
  * Astradeus' changes for the script are now merged ;)  (mhayden,
    14:27:59)

* Outstanding BZ Tickets  (Sparks, 14:31:29)
  * Thursday's numbers: Critical 1 (0), Important 40 (0), Moderate 457
    (+11), Low 170 (+8), Total 668  (Sparks, 14:31:36)
  * Current tickets owned: 85  (Sparks, 14:31:42)
  * IDEA: FST gets copied on critical and important CVEs that come to
    Fedora/EPEL.  (Sparks, 14:34:49)
  * ACTION: Sparks to work with PST to get our mailing list included on
    BZ tickets for critical and important CVEs.  (Sparks, 14:39:03)
  * Apparently FST members can't look at security bugs.  This is likely
    a problem if we're supposed to be fixing such things.  (Sparks,
    14:40:32)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs  (Sparks, 14:40:47)
  * Anyone finding a security bug in Fedora that doesn't have a CVE
    should let PST know so we can get a CVE issued.  secalert at redhat.com
    (Sparks, 14:41:32)

* Open floor discussion/questions/comments  (Sparks, 14:43:34)

Meeting ended at 14:46:52 UTC.




Action Items
------------
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to discuss using Bluejeans for an online GPG key signing event
* pjp to give a status update on security policy in the wiki (carried
  over)
* Sparks to work with PST to get our mailing list included on BZ
  tickets for critical and important CVEs.
* Sparks to figure out how FST members can get access to Fedora security
  bugs




Action Items, by person
-----------------------
* Astradeus
  * mhayden to get Astradeus' changes to the stats script into the
    fedora-security-team git repo
* mattdm
  * Sparks to talk with mattdm regarding private security tickets in BZ.
* mhayden
  * mhayden to get Astradeus' changes to the stats script into the
    fedora-security-team git repo
* Sparks
  * Sparks to talk with mattdm regarding private security tickets in BZ.
  * Sparks to discuss using Bluejeans for an online GPG key signing
    event
  * Sparks to work with PST to get our mailing list included on BZ
    tickets for critical and important CVEs.
  * Sparks to figure out how FST members can get access to Fedora
    security bugs
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)




People Present (lines said)
---------------------------
* Sparks (72)
* mhayden (17)
* fenrus02 (6)
* Astradeus (6)
* zodbot (4)
* mattdm (3)
* rishi (2)
* jsmith (1)



14:00:21 <Sparks> #startmeeting Security Team Meeting - Agenda: 
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:21 <zodbot> Meeting started Thu Nov  5 14:00:21 2015 UTC.  The chair is 
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:21 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link 
#topic.
14:00:24 <Sparks> #meetingname Fedora Security Team
14:00:24 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:26 <Sparks> #topic Roll Call
14:00:29 * Sparks 
14:01:50 * Astradeus 
14:03:11 <Sparks> mhayden: ping
14:03:11 <zodbot> Sparks: Ping with data, please: 
https://fedoraproject.org/wiki/No_naked_pings
14:03:22 <mhayden> Sparks: aaaaack, DST
14:03:28 <mhayden> :P
14:03:35 <Sparks> mhayden: We're on zulu time!
14:03:42 * mhayden scurries over to his calendar to adjust the invitation
14:03:48 <Sparks> mhayden: Could you run your script for numbers, please?
14:03:51 <mhayden> on it
14:03:56 <Sparks> TU
14:04:01 <Sparks> mattdm: You around?
14:05:21 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-November/000401.html
14:05:23 <mhayden> ^^ stats
14:08:01 <Sparks> Hmmm, I thought I took care of that Critical last week.
14:09:04 <rishi> fg
14:09:07 <rishi> sorry
14:10:56 <Sparks> Sorry for the delay, I'm still tweaking the minutes.
14:11:01 * Sparks is running behind this morning
14:13:15 <mhayden> DST made all of my meetings scoot up
14:14:32 <Sparks> #info Participants are reminded to make liberal use of #info 
#link #help in order to make the minutes "more better"
14:14:48 <Sparks> mhayden: Just put the TZ for this meeting as UTC and it'll 
always be correct.  :)
14:14:53 <Sparks> Okay, let's get started.
14:15:03 <Sparks> #topic Follow up on last week's tasks
14:15:13 <mhayden> figured out how to do that in android -- makes up for 
Exchange's shortcomings :P
14:15:26 <Sparks> #action Sparks to talk with mattdm regarding private 
security tickets in BZ.
14:15:42 <Sparks> #info This was started but hasn't really moved forward.
14:15:50 <Sparks> #action Sparks to discuss using Bluejeans for an online GPG 
key signing event
14:16:04 <Sparks> I haven't done this but does anyone have a problem with 
doing this?
14:16:12 <mhayden> i did my first gpg key signing at the last flock, it was fun!
14:16:45 <mhayden> i'm not sure how some folks might feel about their 
identification cards/passports/licenses being on screen
14:16:52 <mhayden> someone could screenshot it and do nefarious things
14:17:17 <Sparks> Well, lots of people could do lots of things...  I'm not 
sure that it requires a screenshot.
14:17:26 <mhayden> haha
14:18:05 <Sparks> #info This isn't mandatory so if you don't feel comfortable 
participating or don't feel comfortable with not holding an ID in your hands 
then you don't have to participate.
14:18:18 <mattdm> Sparks: I'm around for, like, 11 minutes
14:18:51 <Sparks> mattdm: Can I get on your calendar for later today to 
discuss furthering the mission of the FST?
14:19:05 <Astradeus> i think in that case hiding the passport number should be 
enough to make it a little bit protected - the rest of the security features 
is the same on all other identification-things
14:19:51 <Astradeus> e.g. the hologram and the name needs to be visible i 
think, the passport number does not need to be
14:20:04 <Sparks> Okay, I'll try to send something to the list just after the 
meeting while it's fresh on my mind.
14:20:15 <Sparks> Astradeus: True
14:20:24 <mhayden> i think sgallagh arranged the last signing at flock
14:20:42 <Sparks> Astradeus: I suspect that most Customs folks are using the 
RFID chip for auth now anyway.
14:20:59 * mhayden is one of the few without a chipped passport at the moment 
:P
14:21:09 <mattdm> Sparks: -- yes... maybe 3pm (US/Eastern)?
14:21:15 <Sparks> mhayden: Yeah, likely.  I've usually done them at events 
around here.
14:21:41 <Sparks> mattdm: 3pm ET works for me.  I'll send you info.  Thanks!
14:22:20 <Sparks> mhayden: What?!?  How can you survive without the little 
chip thingy?  :)
14:22:25 <Sparks> Okay, moving on...
14:22:29 <Sparks> #action mhayden to get Astradeus' changes to the stats 
script into the fedora-security-team git repo
14:22:38 <Sparks> mhayden: ^^^ did this happen?
14:23:15 <mattdm> Sparks: cool
14:23:20 <mhayden> nah, but i am going to look at it right now ;)
14:23:37 <Sparks> #action pjp to give a status update on security policy in 
the wiki (carried over)
14:23:42 <Sparks> #topic Education and Training
14:23:49 <Sparks> #link 
https://fedoraproject.org/wiki/Information_Security_Training
14:23:57 <Sparks> (From last week...)
14:24:31 <Sparks> I've started compiling training aids for learning about 
information security.  I've created the above wiki page to list them.
14:25:08 <Astradeus> i've been skipping over a few entries already - nice page 
:)
14:25:27 <fenrus02> 
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm - should it be 
there?
14:26:29 <Sparks> fenrus02: IDK.  Is that educational or just benchmark 
information?
14:26:43 <fenrus02> how / why to make alterations
14:27:05 <Sparks> It could be.  Feel free to add it.
14:27:21 <fenrus02> ditto for https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ ?
14:27:53 <fenrus02> https://wiki.mozilla.org/Security/Server_Side_TLS  .. and 
.. https://mozilla.github.io/server-side-tls/ssl-config-generator/ ?  or too 
much detail ?
14:27:59 <mhayden> #info Astradeus' changes for the script are now merged ;)
14:28:30 <Sparks> fenrus02: Yes, but use a WorldCat URL for books.  
https://www.worldcat.org/title/bulletproof-ssl-and-tls/oclc/889874499
14:28:47 <fenrus02> ok.  why worldcat instead of the publisher page?
14:29:09 <Sparks> Worldcat shows where to get the book (and not just from 
Amazon) like libraries
14:29:27 <Sparks> I want to make it easier for folks to find the materials.
14:29:37 <Sparks> Especially if they can get them for free.
14:31:29 <Sparks> #topic Outstanding BZ Tickets
14:31:36 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 40 (0), 
Moderate 457 (+11), Low 170 (+8), Total 668
14:31:42 <Sparks> #info Current tickets owned: 85
14:31:55 <Sparks> +Tickets by Priority--+-------+---------+
14:31:55 <Sparks> | Priority    | Count | Owned | Unowned |
14:31:55 <Sparks> +-------------+-------+-------+---------+
14:31:55 <Sparks> | medium      | 457   | 45    | 412     |
14:31:56 <Sparks> | low         | 170   | 14    | 156     |
14:31:58 <Sparks> | high        | 40    | 26    | 14      |
14:32:00 <Sparks> | unspecified | 4     | 0     | 4       |
14:32:03 <Sparks> | urgent      | 1     | 0     | 1       |
14:32:05 <Sparks> +-------------+-------+-------+---------+
14:32:09 <Astradeus> i didn't have the time to look at tickets unfortunately 
:/
14:32:16 <Sparks> Anyone have anything ticket-wise to discuss?
14:34:26 <Sparks> Oh, I have something.
14:34:49 <Sparks> #idea FST gets copied on critical and important CVEs that 
come to Fedora/EPEL.
14:35:03 <fenrus02> +1
14:35:43 <Sparks> I figure that way we will get notified immediately instead of 
finding out something has been there after a few days/weeks.
14:37:01 <Sparks> mhayden: ^^^
14:37:17 <mhayden> that'd be nifty
14:39:03 <Sparks> #action Sparks to work with PST to get our mailing list 
included on BZ tickets for critical and important CVEs.
14:40:32 <Sparks> #info Apparently FST members can't look at security bugs.  
This is likely a problem if we're supposed to be fixing such things.
14:40:47 <Sparks> #action Sparks to figure out how FST members can get access 
to Fedora security bugs
14:41:32 <Sparks> #info Anyone finding a security bug in Fedora that doesn't 
have a CVE should let PST know so we can get a CVE issued.  
secalert at redhat.com
14:42:08 <Sparks> Anyone have anything else?
14:42:14 * jsmith shows up late, and has nothing :-(
14:42:27 <Sparks> jsmith: Welcome!
14:43:34 <Sparks> #topic Open floor discussion/questions/comments
14:43:45 <Sparks> Okay, does anyone have anything before we close for the day?
14:45:16 <Sparks> Nothing?
14:45:52 <Sparks> Okay, I'm going to go ahead and close the meeting and try to 
update next week's agenda now (for a change) and start working on my action 
items.
14:45:57 <Sparks> Thanks, all, for coming out!
14:46:11 <Astradeus> thank you for managing the meeting :)
14:46:52 <Sparks> #endmeeting