fedora_security_team
LOGS
14:00:07 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:07 <zodbot> Meeting started Thu Nov 13 14:00:07 2014 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:07 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:11 <Sparks> #meetingname Fedora Security Team
14:00:11 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:13 <Sparks> #topic Roll Call
14:00:14 * Sparks 
14:00:16 <bvincent> .fas bvincent
14:00:17 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
14:00:25 * pjp here
14:00:32 <mhayden> .fas mhayden
14:00:33 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
14:00:43 <pjp> .fas pjp
14:00:46 <zodbot> pjp: pjp '' <pj.pandit@yahoo.co.in> - pjpedro 'PJ Pedro' <pjpedro@rogers.com> - sandeepj 'sandeepj' <sandeepjp22@gmail.com>
14:02:37 <Sparks> Okay, let's get started.
14:02:47 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:02:55 <Sparks> #topic Follow up on last week's action items
14:03:12 <Sparks> #action Sparks to follow up with fenrus02 (via the security list) on checksec and checksec2.
14:03:18 <Sparks> I didn't get to that...  :(
14:03:25 <Sparks> #topic Outstanding BZ Tickets
14:03:38 <Sparks> #info Wednesday's numbers: Critical 1, Important 46, Moderate 357, Low 163, Total 567, Trend +60
14:03:48 <Sparks> #info Current tickets owned: 209 (~37%)
14:03:55 <Sparks> #info Tickets closed: 154
14:05:22 <Sparks> Anyone have anything for this topic this morning?
14:05:58 <pjp> I've been following up with the bugs that I triaged during FAD,
14:06:31 <pjp> Most maintainers are non responsive,
14:06:52 <pjp> one says - This package is mostly dead upstream...
14:06:52 <pjp> So I need to check if I can fix it myself, and if it still works.
14:07:05 <Sparks> Yeah, I think we might have cleaned up all the "easy" ones.
14:07:19 <bvincent> Oracle will be addressing a nearly decade old vulnerability in JDK which we had a ticket from 2010 about.
14:07:32 <pjp> Oh boy
14:07:35 <Sparks> Nice
14:07:39 <Sparks> Better late than...
14:07:48 <pjp> Yep,
14:08:06 <bvincent> They (Oracle) seemed pretty shocked.
14:08:31 <bvincent> I was surprised given the nature of Oracle products that this wasn't a common occurrence.
14:10:15 <pjp> I think we need to ping periodically on these bugs, and use non-responsive maintainer policy if they remain unattended for long.
14:10:21 <pjp> -> https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
14:11:08 <Sparks> +1
14:11:13 <pjp> Is it possible to have a Bugzilla hook to have an automated ping on old security bugs?
14:11:39 <pjp> or even as newer bugs grow older than they should
14:12:15 <Sparks> #topic Open floor discussion/questions/comments
14:12:30 <bvincent> pjp: whineatnews.pl
14:13:11 <pjp> There are cases wherein bugs were closed because the Fedora release reached ELS, and were reopened against latest releases
14:13:22 <pjp> bvincent: okay,
14:14:09 <bvincent> #link http://www.bugzilla.org/docs/4.4/en/html/whining.html
14:14:17 * pjp clicks
14:14:29 <bvincent> It might be different now, but it would still require changes to the RH BZ, which probably wouldn't happen.
14:14:30 <pjp> bvincent: thank you.
14:14:53 <pjp> Maybe a request to fedora-infra could help?
14:15:10 <Sparks> pjp: I think it's release engineering.
14:15:14 <mhayden> i love that it's called the "whining" module ;)
14:16:05 <pjp> Ideally IMO, security bugs should not overlap into next new release, ie. 6 months at max.
14:16:18 <bvincent> mhayden: whineatnews.pl I believe is deprecated, they've renamed it to whine.pl. Still quite appropriate.
14:16:33 <pjp> heh..yep, :)
14:17:56 <bvincent> nvm, and probably OT, I was wrong they still have two perl scripts for whining.
14:18:29 <pjp> Even better,
14:19:47 <pjp> Sparks: okay, I'll talk to them about it.
14:19:59 <Sparks> Okay, anyone have anything else?
14:20:08 * Sparks is doublebooked this morning
14:20:20 <mhayden> nothing for me
14:20:34 * pjp also makes a note to ping maintainer about retiring dead packages
14:21:13 <Sparks> Okay, I'll follow up on this stuff later this morning.
14:21:18 <pjp> nothing much for me too,
14:21:30 <Sparks> Thanks everyone for coming.
14:21:35 <pjp> Thank you.
14:21:51 <Sparks> #endmeeting