fedora_security_team
LOGS
14:02:06 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:02:06 <zodbot> Meeting started Thu Apr 30 14:02:06 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:06 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:02:07 <stbnruiz> it's security meeting?
14:02:09 <Sparks> #meetingname Fedora Security Team
14:02:09 <zodbot> The meeting name has been set to 'fedora_security_team'
14:02:13 <Sparks> #topic Roll Call
14:02:15 * Sparks 
14:02:19 * d-caf 
14:02:44 <stbnruiz> .fas stbnruiz001
14:02:44 <zodbot> stbnruiz: stbnruiz001 'Esteban Ruiz Diaz Baez' <stbnruiz001@gmail.com>
14:02:48 <pjp> .me
14:03:05 <pjp> .hellomynameis pjp
14:03:06 <zodbot> pjp: pjp 'None' <pj.pandit@yahoo.co.in>
14:03:32 <stbnruiz> .hellomynameis stbnruiz
14:03:33 <zodbot> stbnruiz: Sorry, but you don't exist
14:04:21 <Sparks> Ouch, harsh zodbot
14:05:05 <Sparks> Okay, let's get started.
14:05:16 * Sparks wonders if jsmith will be around this morning
14:05:23 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:05:32 * jsmith is here, but on another call for ${DAYJOB} as well
14:05:34 <Sparks> #topic Follow up on last week's tasks
14:05:55 <Sparks> jsmith: Okay, can you comment on rubygem-activesupport?
14:06:53 <jsmith> Just waiting for feedback
14:07:05 <jsmith> So far, it seems like nobody has tested the scratch build
14:07:09 <Sparks> jsmith: How long are you going to wait?  :)
14:07:17 <jsmith> Not much longer
14:07:20 <Sparks> :)
14:07:21 <jsmith> I think I'll just push the update
14:07:28 <jsmith> ... as in today
14:07:30 <pjp> jsmith: the Fedora maintainer was going to fix the EPEL branches too, no? You had a word with him?
14:07:48 <jsmith> pjp: I haven't seen anything from mmorsi
14:08:08 <pjp> jsmith: I see, maybe it'll help to talk to him,
14:08:47 <pjp> At least it'll avoid duplication of efforts
14:09:16 <Sparks> #action jsmith to patch rubygem-activesupport as provenpackager (BZ 905374)
14:09:59 <Sparks> We'll revisit this next week.  Maybe you can try to reach out to mmorsi again?  Otherwise, I'd just push the fix.
14:11:32 <Sparks> pjp: Whatever happened with the non-responsive maintainer regarding that package?  I'm guessing you made contact?
14:12:04 <pjp> Sparks: Yes, the EPEL maintainer said he no longer uses the EPEL package and thus has no time to maintain it,
14:12:21 <Sparks> pjp: Will he be orphaning the package?
14:12:33 <pjp> Sparks: Upon contacting mmorsi about it, he said he'll work on fixing the EPEL branches of the package
14:12:45 <pjp> mmorsi is the Fedora branch maintainer
14:13:00 <Sparks> Okay, so is he going to continue to maintain the package after this fix?
14:13:13 <pjp> Sparks: The bug is still open, once mmorsi updates the EPEL branch, I'll close it
14:13:19 <pjp> Sparks: Yes,
14:13:29 <Sparks> Okay
14:13:45 <Sparks> #topic 90-Day Challenge
14:14:04 <Sparks> #link https://ethercalc.org/90-day-challenge
14:14:13 <Sparks> #info 90-Day Challenge has a goal to close all 2014 and prior Important CVEs in Fedora
14:14:23 <Sparks> #info As of 2015-04-29, of the 38 target bugs 9 have been closed, 4 are On_QA, 25 are Open
14:14:30 <Sparks> #info Two cases have had non-responsive maintainer process started.
14:14:48 <pjp> Cool! :)
14:14:57 <Sparks> So we're up to about 25% of the cases being closed or close to being closed.
14:15:17 <Sparks> And we've burned through around 33% of our time.  :)
14:15:26 <Sparks> Still, this is very good!
14:15:59 <Sparks> Interestingly enough, I've seen that most of these cases just needed a little nudge to get them rolling.
14:16:19 <pjp> That's true for a lot of cases
14:16:19 <d-caf> Looks like one of my tickets the current maintainer doesn't have time to make a patch
14:16:30 <pjp> It seems that they just forget about pushing updates
14:16:38 <Sparks> pjp: +1
14:16:57 <Sparks> I wonder if they understand the definition of "maintaining".
14:17:02 <pjp> :)
14:17:12 <d-caf> #link https://bugzilla.redhat.com/show_bug.cgi?id=1132022
14:17:22 * pjp clicks
14:17:30 <Sparks> I started two non-responsive maintainer processes yesterday.
14:18:20 <Sparks> d-caf: Yeah, I saw that.  That's not really a good response.
14:18:30 <d-caf> Sparks: yeah, I was not impressed
14:18:37 <Sparks> d-caf: If they don't have time to deal with the package then they need to orphan it.
14:18:48 <Sparks> d-caf: Give someone else a chance to pick it up and run with it.
14:19:09 <d-caf> Sparks: Agreed that was what I was going to propose
14:19:43 <Sparks> +1
14:19:56 <d-caf> I have another ticket that will need to be non-responsive process as well #link https://bugzilla.redhat.com/show_bug.cgi?id=1142546
14:20:47 <Sparks> Yep
14:21:41 <pjp> Sparks: This one is Michael Stahnke again, I guess it'll need to be orphaned too, https://bugzilla.redhat.com/show_bug.cgi?id=917234
14:21:58 <pjp> Sparks: I'll pursue it further
14:22:27 <pjp> looks like fedora branch is already orphaned
14:23:17 <Sparks> Okay
14:23:34 <Sparks> Let's move on...
14:23:40 <Sparks> #topic Outstanding BZ Tickets
14:23:47 <Sparks> #info Thursday's numbers: Critical 1, Important 37 (-5), Moderate 341 (-3), Low 156 (-5), Total 535, Trend -13
14:23:52 <Sparks> #info Current tickets owned: 110 (~21%)
14:23:56 <Sparks> #info Tickets closed: 303 (+14)
14:24:30 <Sparks> I'm a bit worried by the %age of cases being owned.  It appears that we're closing cases but not jumping on the new ones.  I wonder if that's because of the challenge.
14:25:14 <d-caf> I'm trying to pick up a few new ones as well, specially important
14:25:36 <Sparks> +1
14:26:01 <Sparks> It seems, though, that we have just a small handful of folks doing work.  I wonder what we can do to get more people involved.
14:27:48 <jsmith> I haven't jumped on any new cases in a while... but I'll try to do that
14:28:01 <pjp> Sparks: email list + blogs to invite more people, also we might need to help them to start
14:28:04 <jsmith> Especially since I'll be on the road the next two weeks
14:28:13 <Sparks> pjp: +1
14:28:27 <Sparks> pjp: We can all do some blogging to get folks interested.
14:28:39 <pjp> Could we host a test day kind of exercise on some day?
14:28:44 <pjp> Sparks: Yes,
14:28:54 <jsmith> Sparks: Or even a FAD!
14:28:56 * pjp makes a note to write one over weekend
14:29:26 <Sparks> jsmith: I think we're pretty well distributed to do a FAD.
14:29:30 <pjp> jsmith: Yes, FAD is a good idea too, though it'll be more local
14:29:41 <jsmith> Sparks: Flock workshop?
14:29:50 <Sparks> s/well distributed/well too distributed
14:30:07 <Sparks> jsmith: Are you going to Flock?  I wasn't planning on it myself.
14:30:51 <jsmith> Sparks: Probably going, yes
14:31:00 * pjp has submitted a talk too,
14:31:27 <pjp> We could have a FST meet-up at Flock ;)
14:31:58 <jsmith> WORKSFORME
14:32:39 <d-caf> Where is Flock?
14:32:43 <pjp> jsmith: I guess you submitted a talk at FUDCon APAC, no?
14:32:55 <pjp> d-caf: Rochester, NY
14:33:10 <jsmith> pjp: Yes, and it was accepted -- but I haven't yet gotten permission from my boss to buy my plane ticket :-(
14:33:20 <d-caf> #link https://fedoraproject.org/wiki/Flock
14:33:41 <pjp> jsmith: Oh, :(
14:33:53 <jsmith> pjp: Still have about a 50% chance of coming :-)
14:34:13 <pjp> jsmith: That's cool! Look forward to see ya again :)
14:35:31 <d-caf> Are there any objections to going the fedora maintainers recommendation of removing this package from EPEL: #https://bugzilla.redhat.com/show_bug.cgi?id=824089
14:35:40 <Sparks> jsmith: Can you send something to the list?
14:35:52 <jsmith> Sparks: Sure... will do.
14:35:55 <d-caf> It's also likely an abandoned package since I've got no response from the actual maintainer
14:37:49 <pjp> d-caf: right, it's been retired from -devel and F21
14:38:23 <pjp> But removing from EPEL depends on if there are any users or dependent packages for it
14:38:59 <d-caf> pjp: Yeah, it's going to be a little more work to see if it gets cleared up, but patching it's probably even more work
14:39:17 * pjp nods
14:39:18 <d-caf> specially since there is not an active maintainer
14:39:30 <pjp> Yep,
14:40:08 <d-caf> If there are no objects I'm going to start looking into what it's going to take to remove it, maybe I'll get lucky :-/
14:40:21 <pjp> d-caf: Sure,
14:40:35 <d-caf> objects/objections...
14:47:45 <pjp> Hello..!?!
14:47:47 <pjp> Sparks: around?
14:47:51 <d-caf> ?
14:48:26 <pjp> d-caf: I was wondering why the sudden silence
14:48:35 <pjp> We are nearing closing time,
14:48:37 <d-caf> I was about to comment
14:48:46 <d-caf> as well
14:48:49 <pjp> :)
14:49:01 <d-caf> Sparks: ? jsmith: ?
14:49:31 <jsmith> Sorry, got pulled into work meeting
14:49:49 <jsmith> I'm fine with dropping it
14:49:52 <pjp> If there is not much on pending bugs, I had filed a couple of tickets against the fedora-design & -badge teams
14:49:57 <pjp> #link https://fedorahosted.org/design-team/ticket/367
14:50:04 <pjp> #link https://fedorahosted.org/fedora-badges/ticket/373
14:50:09 <d-caf> Yeah, I took a look at them
14:50:23 <pjp> The designer need our comments and feedback
14:50:40 <pjp> Please provide your due comments on those tickets, it is important as they are working for us
14:51:09 <d-caf> I would comment, but I haven't figured out the appropriate login to use
14:51:11 <pjp> The least we could do is tell them if we like/dislike what they are creating,
14:51:23 <pjp> d-caf: FAS login works
14:51:46 <d-caf> pjp: didn't work last night, but maybe I just caught it at a bad moment
14:52:20 <pjp> d-caf: Oh, I've been using it with no issues at all,
14:52:37 <d-caf> pjp: Yeah, just failed for me now as well
14:52:46 <d-caf> probably something messed up with my account
14:52:54 <d-caf> some perm some where
14:53:05 <pjp> d-caf: You have permission in your FAS account to share credentials for validation?
14:53:23 <pjp> d-caf: I think openid validation requires that,
14:53:34 <Sparks> Sorry, I'm on a phone call
14:53:37 <pjp> d-caf: if you login to FAS system, there is checkbox to tick
14:53:41 <pjp> Sparks: okay
14:53:43 <d-caf> Yeah, I'll need to check, haven't gotten to that yet
14:53:43 <Sparks> #chair pjp d-caf
14:53:43 <zodbot> Current chairs: Sparks d-caf pjp
14:54:52 <pjp> #topic Open floor discussion/questions/comments
14:55:38 <jsmith> I've spent the week dealing with the fallout of the recent WordPress security issues
14:55:55 <pjp> jsmith: Ah yeah
14:56:00 <jsmith> 4.2.1 was *not* a great patch for the vulnerabilities in 4.2, so a 4.2.2 release should be coming soon
14:56:16 <d-caf> jsmith: Any word on a 4.1.3 patch?
14:56:29 <d-caf> or are they forcing all to go the 4.2.x branch?
14:56:36 <jsmith> Also, the drupal7-views vulnerability has been patched by asrob, and there's a new package in updates-testing
14:56:42 <Sparks> #chair jsmith
14:56:42 <zodbot> Current chairs: Sparks d-caf jsmith pjp
14:56:48 <Sparks> Whew, sorry about that folks.
14:56:54 <jsmith> d-caf: I think they're backporting as far back as 3.7
14:56:57 <pjp> Sparks: np,
14:57:04 <jsmith> d-caf: At least, if it's not too hard for them to do so
14:58:02 <pjp> 3 minutes to conclude,
14:58:45 * pjp sent a mail ping to Michael Stahnke
14:58:51 <d-caf> I had nothing further, I'll get my FAS fixed and try to comment on the designs
14:59:08 <pjp> d-caf: Cool, thanks much! :)
14:59:53 <pjp> We are reaching closing time, let's continue further discussion on the list,
15:00:34 <pjp> End meeting - 1
15:00:46 <pjp> End meeting - 2
15:01:07 <pjp> End meeting - 3
15:01:09 <pjp> #endmeeting