fedora_security_team
LOGS
19:21:20 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
19:21:20 <zodbot> Meeting started Wed Aug 27 19:21:20 2014 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:21:20 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:21:23 <Sparks> #meetingname Fedora Security Team
19:21:23 <zodbot> The meeting name has been set to 'fedora_security_team'
19:21:24 <Sparks> #topic Roll Call
19:22:03 * Sparks 
19:22:14 * Sparks spies bvincent and jtaylor90
19:22:24 <bvincent> .fas bvincent
19:22:25 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
19:22:40 <jsmith> .hellomynameis jsmith
19:22:41 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com>
19:24:16 * Sparks apologizes for being tardy
19:24:21 <Sparks> Okay, we'll get started.
19:24:44 <Sparks> #topic Security-Team FAS Group and Editing BZ tickets
19:25:46 <Sparks> Some members were saying that they couldn't edit BZ tickets while others could.  A FAS group was created and permissions extended to that group so this should no longer be a problem.
19:26:19 <Sparks> #info All FST members should apply to the security-team group in FAS.
19:26:50 <Sparks> #info Members should use the email address used in FAS for their account in BZ.
19:26:53 <Sparks> Any questions?
19:27:58 <Sparks> #topic Outstanding BZ Tickets
19:28:01 <Sparks> #topic Outstanding BZ Tickets
19:29:19 <Sparks> #info Wednesday's numbers: Critical 2, Important 62, Moderate 398, Low 130, Total 592, Trend +17
19:30:44 <Sparks> #info Current tickets owned: 155
19:30:55 <revskills> sounds great
19:31:14 <Sparks> #info Closed tickets: 33
19:31:23 <Sparks> So, not bad.
19:31:50 <bvincent> OpenStack will be removed from EPEL. That should clear out a lot of stagnant reports.
19:32:08 <Sparks> I know I'm having some difficulties in getting some cases closed.  My largest problem is going to be the orphaned packages.  We'll see what releng ends up doing with them.
19:32:40 <Sparks> bvincent: Wow, no more OS in EPEL?
19:32:52 <misc> maybe saying "this one has a CVE and is orphaned, so we should fast track the removal" ?
19:32:56 <bvincent> #link https://fedorahosted.org/rel-eng/ticket/5966
19:33:34 <bvincent> Garth wants to redirect users to RDO.
19:33:50 <bvincent> #link http://openstack.redhat.com
19:34:38 <Sparks> misc: Well, we did that but got some bad feedback on libmodplug.
19:35:04 <Sparks> misc: Hopefully someone will actually maintain it.  Orphaned packages with vulnerabilities aren't a good thing.
19:35:07 <bvincent> What should we do about issues where the packager has not responded to emails?
19:35:26 <bvincent> The broken encryption issue in Synergy is in the Fedora 19 and EPEL packages.
19:35:34 <Sparks> bvincent: We can start the unresponsive packager protocol.
19:35:53 <bvincent> Sparks: Is their a link to this procedure?
19:36:03 <bvincent> *there
19:36:43 <Sparks> bvincent: There is but I'm not finding it at the moment.
19:37:16 <bvincent> Sparks: If it could be placed on the wiki, that would be great.
19:37:53 <Sparks> #link https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
19:38:03 <bvincent> Sparks: Excellent. Thanks!
19:38:11 <revskills> +1 Sparks
19:38:19 <Sparks> bvincent: We can also get a proven packager to assist (like jsmith).
19:38:48 * jsmith is happy to assist
19:39:01 <Sparks> jsmith: Can you fix everything by lunch tomorrow?
19:39:20 <jsmith> Sparks: Nope... but I'm sure I could get around to *something* by then
19:39:52 <Sparks> heh
19:40:15 <Sparks> Anyone have any tickets they'd like to discuss?
19:40:50 <jsmith> Not anything in particular from me -- though it might be interesting to see if there are any critical unassigned bugs that could be assigned
19:41:27 <Sparks> jsmith: I'm working the only two critical bugs (for the same package)
19:41:37 <revskills> I don't have really serious problems, only owncloud with one CVE about admin bypass without details but we ask upstream for details
19:41:41 <revskills> all is going fine for me
19:41:43 <Sparks> jsmith: I've not been getting any information from upstream or down.
19:41:57 <jsmith> Sparks: OK, let me know if I can help in any way...
19:41:59 <revskills> all/everything
19:43:13 <Sparks> jsmith: Know anything about ruby-gems?
19:44:08 <Sparks> jsmith: Specifically rubygems-activesupport
19:44:51 <revskills> Sparks: I think huzaifas is working with glibc
19:45:14 <Sparks> revskills: Yes, he's owning that right now and paying for it too.  :)
19:45:14 <revskills> do you have more info about this? because the exploit from Tavis Ormandy was directly for f20
19:45:35 <revskills> ok good to know
19:45:36 <revskills> :)
19:45:51 <Sparks> revskills: Sorry, I don't.
19:47:02 <jsmith> Sparks: No, but I'm willing to learn
19:47:58 <Sparks> #topic Open Floor
19:48:06 <Sparks> Anyone have anything they want to talk about?
19:48:20 <jsmith> Sparks: Mind re-posting the links to the outstanding BZ items?
19:48:31 <jsmith> Sparks: For folks who might not already have them bookmarked?
19:48:41 * jsmith has nothing further
19:49:37 <Sparks> jsmith: The links are available on the wiki page.
19:49:45 <Sparks> #link https://fedoraproject.org/wiki/Security_Team
19:50:34 <Sparks> And for those playing at home:
19:50:40 <Sparks> #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&priority=urgent&query_format=advanced
19:50:49 <Sparks> #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&priority=high&query_format=advanced
19:50:59 <Sparks> #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&priority=medium&query_format=advanced
19:51:06 <Sparks> #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&priority=low&query_format=advanced
19:51:55 <Sparks> Those are links for critical, important, moderate, and low vulnerabilities, respectively.
19:52:53 <Sparks> Okay, anything else?
19:54:29 * jsmith has nothing
19:54:41 <Sparks> Okay, I'm closing the meeting, then.  Thanks for everyone coming today.
19:54:48 <Sparks> #endmeeting