Security Team meeting minutes for 2015-11-12

Eric Christensen sparks at fedoraproject.org
Thu Nov 12 15:13:31 UTC 2015


======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda: 
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================


Meeting started by Sparks at 14:02:22 UTC. The full logs are available
at http://meetbot.fedoraproject.org/fedora-meeting/2015-11-12/fedora_security_team.2015-11-12-14.02.log.html



Meeting summary
---------------
* Roll Call  (Sparks, 14:02:27)
  * Participants are reminded to make liberal use of #info #link #help
    in order to make the minutes "more better"  (Sparks, 14:09:37)
  * LINK:
    https://lists.fedoraproject.org/pipermail/security-team/2015-November/000412.html
    (mhayden, 14:09:44)

* Follow up on last week's tasks  (Sparks, 14:09:52)
  * ACTION: pjp to give a status update on security policy in the wiki
    (carried over)  (Sparks, 14:11:22)
  * ACTION: Sparks to figure out how FST members can get access to
    Fedora security bugs  (Sparks, 14:12:35)

* Virtual GPG Key Signing Event  (Sparks, 14:13:05)

* Education and Training  (Sparks, 14:20:57)
  * LINK: https://fedoraproject.org/wiki/Information_Security_Training
    (Sparks, 14:21:10)
  * LINK: http://www.cl.cam.ac.uk/~rja14/book.html   (d-caf, 14:24:17)

* Future of the Team  (Sparks, 14:26:30)
  * IDEA: Apprenticeship  (Sparks, 14:35:33)
  * ACTION: Sparks to bring up apprenticeship on list  (Sparks,
    14:40:49)
  * ACTION: Sparks to talk more about the discussion with mattdm on the
    list  (Sparks, 14:41:12)

* Outstanding BZ Tickets  (Sparks, 14:42:08)
  * Thursday's numbers: Critical 1 (0), Important 41 (+1), Moderate 454
    (-3), Low 178 (+8), Total 674  (Sparks, 14:42:17)
  * Current tickets owned: 85  (Sparks, 14:42:30)
  * LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1266404
    (mhayden, 14:46:22)

* FST Logo  (Sparks, 14:50:10)
  * LINK:
    https://fedorahosted.org/design-team/attachment/ticket/367/fst.png
    (Sparks, 14:50:13)

* Open floor discussion/questions/comments  (Sparks, 14:50:55)
  * LINK: https://bugzilla.redhat.com/show_bug.cgi?id=1209214   (d-caf,
    14:53:15)
  * LINK: http://paste.fedoraproject.org/289651/73400771/raw/
    (mhayden, 14:55:20)
  * ACTION: Sparks to send a note to the list regarding updating f21
    tickets  (Sparks, 14:58:20)

Meeting ended at 15:00:59 UTC.




Action Items
------------
* pjp to give a status update on security policy in the wiki (carried
  over)
* Sparks to figure out how FST members can get access to Fedora security
  bugs
* Sparks to bring up apprenticeship on list
* Sparks to talk more about the discussion with mattdm on the list
* Sparks to send a note to the list regarding updating f21 tickets




Action Items, by person
-----------------------
* Sparks
  * Sparks to figure out how FST members can get access to Fedora
    security bugs
  * Sparks to bring up apprenticeship on list
  * Sparks to talk more about the discussion with mattdm on the list
  * Sparks to send a note to the list regarding updating f21 tickets
* **UNASSIGNED**
  * pjp to give a status update on security policy in the wiki (carried
    over)




People Present (lines said)
---------------------------
* Sparks (101)
* mhayden (36)
* d-caf (35)
* Astradeus (7)
* zodbot (5)
* Southern_Gentlem (2)

14:02:22 <Sparks> #startmeeting Security Team Meeting - Agenda: 
https://fedoraproject.org/wiki/Security_Team_meetings
14:02:22 <zodbot> Meeting started Thu Nov 12 14:02:22 2015 UTC.  The chair is 
Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:22 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link 
#topic.
14:02:25 <Sparks> #meetingname Fedora Security Team
14:02:25 <zodbot> The meeting name has been set to 'fedora_security_team'
14:02:27 <Sparks> #topic Roll Call
14:02:28 * Sparks 
14:03:35 <mhayden> .hello mhayden
14:03:36 <zodbot> mhayden: mhayden 'Major Hayden' <major at mhtx.net>
14:03:53 <Astradeus> .hello astra
14:03:54 <zodbot> Astradeus: astra 'David Kaufmann' <astra at ionic.at>
14:08:24 <Sparks> Sorry, I'm just updating the agenda
14:09:04 <mhayden> no worries
14:09:09 <d-caf> sorry late
14:09:37 <Sparks> #info Participants are reminded to make liberal use of #info 
#link #help in order to make the minutes "more better"
14:09:44 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-November/000412.html
14:09:47 <mhayden> ^^ current report
14:09:52 <Sparks> #topic Follow up on last week's tasks
14:10:00 <Sparks> Sparks to talk with mattdm regarding private security 
tickets in BZ.
14:10:12 <Sparks> This was done and I'll be talking more about that today
14:10:21 <Sparks> Sparks to discuss using Bluejeans for an online GPG key 
signing event
14:11:05 <Sparks> This was done but we didn't get any takers.
14:11:22 <Sparks> #action pjp to give a status update on security policy in 
the wiki (carried over)
14:11:29 <Sparks> And pjp isn't here.
14:11:40 <Sparks> Sparks to work with PST to get our mailing list included on 
BZ tickets for critical and important CVEs.
14:11:54 <Sparks> I did this but it may not be possible with our current 
tooling.
14:12:25 <Sparks> I continue to work on this
14:12:35 <Sparks> #action Sparks to figure out how FST members can get access 
to Fedora security bugs
14:12:42 <Sparks> I need to continue to work on this.
14:13:05 <Sparks> #topic Virtual GPG Key Signing Event
14:14:00 <Sparks> I sent out an email about this but no one followed through 
with their fingerprints.
14:14:09 <Astradeus> ah, forgot :/
14:14:18 <mhayden> i like the idea, but i'm not inclined to participate
14:14:25 <d-caf> Yes, sorry, got busy at work, doing extra hours
14:14:56 <Sparks> mhayden: No?
14:15:34 <mhayden> i'm still antsy about having my id captured via webcam
14:15:36 <mhayden> or parts of it
14:15:53 <mhayden> but, then again, i don't get terribly excited about gpg key 
signing in the first place, so i'm an oddball
14:15:56 <mhayden> :P
14:16:01 <Sparks> clearly
14:16:11 <mhayden> haha
14:16:15 <Sparks> The ID thing is an interesting argument.
14:16:19 <mhayden> my wife thinks i'm an oddball as well
14:16:48 <d-caf> mhayden: I'm in the same boat (though I have mostly converted 
my wife over the years..)
14:16:55 <Astradeus> i'd probably go with taping something over my birthdate 
and unique-number probably
14:17:16 <Sparks> I mostly think it's a strawman argument since we generally 
don't protect our IDs in real life (at least in the US where we have to 
present them for various reasons).
14:17:49 <d-caf> Sparks: "some" don't protect their IDs (the guy with an RFID 
blocking wallet notes...)
14:18:04 <d-caf> :-)
14:18:13 <Sparks> This is also a "private" event only open to the few of us 
so...  a much reduced group of people
14:18:25 <Sparks> d-caf: Do you have to provide your ID to buy alcohol?
14:18:37 <Sparks> or to use your credit card?
14:19:04 <d-caf> Sparks: sometimes ID is required, and I try to shield it.  
And I have dedicated credit cards for certain types of purchases
14:19:23 <d-caf> Yeah, I add overhead to my life <shrug>
14:19:50 <Sparks> I'm not saying it's dumb to protect your ID, by the way.
14:20:48 <Sparks> Okay, moving on
14:20:51 <d-caf> I'm fine with key-signing, but yes, I will be presenting a 
partially redacted ID if I participate
14:20:57 <Sparks> #topic Education and Training
14:21:10 <Sparks> #link 
https://fedoraproject.org/wiki/Information_Security_Training
14:21:36 <Sparks> If you know of anything that should go here please let me 
know.
14:22:33 <d-caf> It's a good collection, I only had one thing to add at this 
point, nice work!
14:22:39 <mhayden> that's a good list
14:23:02 <Sparks> Hopefully it's a useful resource
14:23:05 <mhayden> i could think of some non-free things (like specific classes 
from SANS) that might be helpful
14:23:23 <d-caf> There is also the Security Engineering book, and there are 
many free Online classes that I need to track down to add
14:23:51 <d-caf> There are also free SANS webinars, but they range in quality
14:24:17 <d-caf> http://www.cl.cam.ac.uk/~rja14/book.html
14:24:25 <d-caf> #link http://www.cl.cam.ac.uk/~rja14/book.html
14:25:24 <Sparks> Cool
14:26:30 <Sparks> #topic Future of the Team
14:26:43 <Sparks> I had a nice chat with mattdm last week.
14:27:57 <Astradeus> any outcomes?
14:27:58 <Sparks> We agree that the FST is an important part of Fedora
14:28:29 <Sparks> We want FST to start working on more projects and be the go-
to group for all things security
14:29:07 <Sparks> This includes the possibility of working on embargoed 
vulnerabilities
14:29:23 <mhayden> doesn't that overshadow Red Hat's Product Security team 
work?
14:29:30 <Sparks> No,
14:29:47 <Sparks> In fact, RH PST doesn't actually work on anything Fedora.
14:30:53 <Sparks> Fedora now has to wait for an embargo to be lifted for work 
to begin
14:30:58 <Sparks> I want to change that
14:31:14 <d-caf> Sparks: +1
14:31:26 <Sparks> Especially on Fedora-only or EPEL-only vulnerabilities
14:31:31 <mhayden> that'd be helpful
14:31:54 <Sparks> There is much work to do here, though.
14:32:31 <Sparks> Our tool chains don't support activities that don't leak 
information
14:32:51 <mhayden> it seems like we need a security-minded person embedded in 
some of the bigger sigs/working groups, like server/workstation/cloud
14:32:56 <Sparks> So we'll need to work on that
14:33:02 <Sparks> mhayden: +12
14:33:05 <Sparks> errr
14:33:07 <Sparks> +1
14:33:12 * mhayden has the server wg covered! :P
14:33:56 <Sparks> woot!
14:34:42 <mhayden> i like the mission and i think we need to get more involved 
where the action is happening
14:34:57 <Sparks> agreed
14:35:33 <Sparks> #idea Apprenticeship
14:35:34 <mhayden> i'd like to find an automated way to "nag" maintainers to 
update their bugzilla tickets + packages
14:36:08 <Sparks> We need a way to establish trust in individuals.
14:36:36 <Sparks> And we need to provide a way to train people
14:36:48 <d-caf> Sparks: individuals?  Package maintainers or FST members?
14:36:58 <Sparks> FST members
14:37:24 <Southern_Gentlem> i will be continuing doing updated lives for the 
project so if we have any more things hit like heartbleed new users can install 
after the fix is pushed and not be vulnerable
14:38:05 <Sparks> +1
14:38:27 <d-caf> Southern_Gentlem: +1
14:38:38 <Southern_Gentlem> so you know whatever gets fixed at least is getting 
pushed
14:39:12 <mhayden> also, at a minimum, we need a talk at the next flock on the 
FST
14:39:30 <mhayden> and it might not hurt to try to get a post onto fedoramag 
once or twice per quarter
14:39:33 <Sparks> Where is the next Flock?
14:39:42 <mhayden> Sparks: i assume in Europe since it was in NA this year
14:40:07 <mhayden> i will probably need to pick between traveling for FOSDEM 
and Flock :|
14:40:49 <Sparks> #action Sparks to bring up apprenticeship on list
14:41:04 <d-caf> Unfortunately, unless they are near where I live, chances of me 
going are next to nil :-(
14:41:12 <Sparks> #action Sparks to talk more about the discussion with mattdm 
on the list
14:41:44 <Sparks> Sorry, I meant to send out a message regarding the meeting 
last week.
14:42:01 <Sparks> Okay, let's move on
14:42:08 <Sparks> #topic Outstanding BZ Tickets
14:42:17 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 41 (+1), 
Moderate 454 (-3), Low 178 (+8), Total 674
14:42:30 <Sparks> #info Current tickets owned: 85
14:42:38 <Sparks> +Tickets by Priority--+-------+---------+
14:42:38 <Sparks> | Priority    | Count | Owned | Unowned |
14:42:38 <Sparks> +-------------+-------+-------+---------+
14:42:38 <Sparks> | medium      | 454   | 45    | 409     |
14:42:38 <Sparks> | low         | 178   | 14    | 164     |
14:42:40 <Sparks> | high        | 41    | 26    | 15      |
14:42:43 <Sparks> | unspecified | 3     | 0     | 3       |
14:42:45 <Sparks> | urgent      | 1     | 0     | 1       |
14:42:48 <Sparks> +-------------+-------+-------+---------+
14:42:50 <Sparks> Anyone have anything?
14:43:02 <d-caf> What's the urgent one?
14:43:25 <Sparks> IDK.  I thought I had found it and made it not urgent.  
Maybe it's a new one?
14:43:53 <d-caf> weird, nothing in bugzilla
14:43:57 <Sparks> Which is why I want better notification of urgent and high 
(critical and important) vulns.
14:44:18 <Sparks> mhayden: Is your script stuck?
14:44:43 <mhayden> let me print out the ticket that is causing the urgent to 
show
14:46:09 <mhayden> 1266404
14:46:22 <mhayden> https://bugzilla.redhat.com/show_bug.cgi?id=1266404
14:46:35 <mhayden> why is that one showing up in the Fedora list?
14:46:37 * mhayden digs
14:46:53 <d-caf> weird, well at least it's on QA :-)
14:47:03 <Sparks> It's a RHEL bug
14:47:04 <mhayden> SecurityTracking is in the keywords
14:47:12 <mhayden> that's unusual for RHEL bugs IIRC
14:47:31 <Sparks> Yeah.  Need to make sure you're limiting on Product: Fedora, 
too
14:48:04 * mhayden edits
14:48:16 <mhayden> haha, oh my
14:48:32 <mhayden> i wonder if limiting on Fedora drops EPEL
14:48:33 <d-caf> Fedora EPEL as well (or Fedora * )
14:49:01 <mhayden> okay, script needs tweaking :)
14:49:31 <Sparks> That's fine.
14:50:10 <Sparks> #topic FST Logo
14:50:13 <Sparks> https://fedorahosted.org/design-team/attachment/ticket/367/fst.png
14:50:31 <Sparks> I hope everyone will provide feedback
14:50:36 <d-caf> Oh, had one more ticket question, but can cover in open 
discussion
14:50:48 <Sparks> Oops, sorry
14:50:55 <Sparks> #topic Open floor discussion/questions/comments
14:50:58 <Sparks> d-caf: Go
14:51:16 <d-caf> This ticket, should it be given a priority? 
https://bugzilla.redhat.com/show_bug.cgi?id=1220138
14:51:57 <d-caf> or severity
14:52:44 <Sparks> d-caf: I just marked it as a "high" since one of the 
dependencies was a "high" CVE
14:53:06 <d-caf> There is also another ticket that is marked high, but with no 
priority so shows in unknown
14:53:15 <d-caf> https://bugzilla.redhat.com/show_bug.cgi?id=1209214
14:53:49 <d-caf> Wondering if we should check on priority and severity?  Or 
what is the true meaning between those separate ratings?
14:53:51 <Sparks> We need to make sure that all the unspecified tickets get a 
severity and that if it's an actual vulnerability that it gets a CVE via 
secalert at redhat.com
14:53:51 <Astradeus> so the first bug #1220138 is a "add mono 4 to f22" ?
14:54:31 <d-caf> Well the first bug is they are using an old mono that has lots 
of issues, and their proposed fix is updating to mono 4
14:54:47 <d-caf> I have not tracked down the full status of this and how bad 
it may be
14:54:53 <Sparks> d-caf: I think priority is set by the project but severity 
of a vulnerability should be impact as provided by the CVSS score via RH PST.
14:54:54 <mhayden> correct security team report -> 
http://paste.fedoraproject.org/289651/73400771/raw/
14:55:12 <d-caf> Just noticed two unspecified tickets and decided to look at it 
this morning
14:55:20 <mhayden> #link http://paste.fedoraproject.org/289651/73400771/raw/
14:55:36 <Sparks> Oh crap
14:55:41 <Astradeus> d-caf: according to the referenced (closed) bug 
(#1089426) mono 4 is already in f23
14:55:59 <Sparks> We need someone to start going through the F21 bugs and see 
if we need to move them forward to F22 or higher.
14:56:02 * Sparks did that last time
14:56:14 <d-caf> Astradeus: Good, but F22 still may need the same update
14:56:21 <Sparks> Anyone want to handle that?
14:57:37 <Sparks> Okay, I'll send that to the list
14:58:03 <d-caf> We probably also need to update our links here: 
http://fedoraproject.org/wiki/Security_Team to go off severity and not 
priority?
14:58:20 <Sparks> #action Sparks to send a note to the list regarding 
updating f21 tickets
14:58:41 <d-caf> Since this is coming up unknown, but is rated high severity 
https://bugzilla.redhat.com/show_bug.cgi?id=1209214
14:58:57 <d-caf> Also need to check reporting scripts are doing the same
14:59:22 <Sparks> ya
14:59:30 <Sparks> Okay, last few seconds... anyone have anything?
15:00:41 <Sparks> Okay, let's move these discussions to the list
15:00:52 <Sparks> Thanks, everyone, for coming!
15:00:53 <Astradeus> thanks all :)
15:00:57 <d-caf> Sparks: thanks all!
15:00:59 <Sparks> #endmeeting