19:00:09 <Sparks_too> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
19:00:09 <zodbot> Meeting started Wed Jul 30 19:00:09 2014 UTC.  The chair is Sparks_too. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:09 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:13 <Sparks_too> #meetingname Fedora Security Team
19:00:13 <zodbot> The meeting name has been set to 'fedora_security_team'
19:00:18 <Sparks_too> #topic Roll Call
19:00:20 * Sparks_too 
19:02:06 <jsmith> .hellomynameis jsmith
19:02:07 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com>
19:02:33 * thoger 
19:03:03 <ignatenkobrain> hey
19:03:10 <ignatenkobrain> Sparks_too: hi
19:03:14 <ignatenkobrain> revskills: ^^
19:03:14 <BVincent> .hellomynameis BVincent
19:03:16 <zodbot> BVincent: Sorry, but you don't exist
19:03:18 <Sparks_too> Oh good, people!  :)
19:03:19 <jrusnack> here
19:03:29 <bojov> present :)
19:03:33 <BVincent> Present
19:03:59 <ignatenkobrain> I have ~15 mins
19:04:01 <ignatenkobrain> =(
19:04:16 <Sparks_too> ignatenkobrain: Anything you need to say before leaving?
19:04:41 <ignatenkobrain> I think no. I didn't have time to handle bugs
19:04:46 <ignatenkobrain> so, lets go ?
19:05:27 <Sparks_too> I've posted the link to the agenda in the meeting header.  I'll be working from there today.
19:05:59 <Sparks_too> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
19:06:05 <Sparks_too> #topic Follow up on last week's action items (10 minutes)
19:06:11 <ignatenkobrain> cool
19:06:12 <Sparks_too> jrusnack to document the use of fst_owner: in the whitepages of the bugs
19:06:32 <jrusnack> yup, done. anything I missed ?
19:06:52 <Sparks_too> #info jrusnack documented the use of fst_owner at https://fedoraproject.org/wiki/Security_Team#Taking_ownership_of_tracking_bugs
19:07:15 <Sparks_too> Sparks to create a team roster with links to people's User: wiki pages.
19:07:40 <Sparks_too> I started this but I want to bring this up later as it sucked the way I was doing it.
19:07:48 <Sparks_too> It'll ultimately fail my way.
19:07:59 <Sparks_too> jrusnack to follow up with upstream
19:08:12 <Sparks_too> That was clearly an incomplete task
19:08:22 <Sparks_too> jrusnack: Was that a follow up for pwgen?
19:09:03 <jrusnack> #info sent patches that fix CVE-2014-4440 and CVE-2014-4442, analysis about CVE-2014-4441, so far no response
19:09:17 <ignatenkobrain> jrusnack: sadly
19:09:32 <Sparks_too> jrusnack: I did talk with Kurt about 4441.  Lets talk about pwgen a bit later in the meeting as well
19:09:43 <Sparks_too> Sparks to follow up with Product Security regarding the validity of the CVEs.
19:09:43 <jrusnack> no problem
19:09:59 <Sparks_too> And I did my task by talking to Kurt of which we'll talk about in a few minutes.  :)
19:10:07 <Sparks_too> And that was all the tasks from last week!
19:10:14 <Sparks_too> #topic Roster
19:10:29 <Sparks_too> #link https://fedoraproject.org/wiki/Security_Team_Roster
19:10:52 <Sparks_too> Okay, I started putting this together but I clearly didn't have all the information I needed.
19:11:04 <jrusnack> #info that roster needs more info. like, name, bugzilla account, irc nick at least
19:11:05 <BVincent> .hellomynameis bvincent
19:11:06 <zodbot> BVincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
19:11:11 <Sparks_too> So with that, I'd like everyone (and I'll put this out on the list) to go to that page and add your own information there.  :)
19:11:28 <Sparks_too> jrusnack: +1
19:11:47 <Sparks_too> I think it would be good to know if you are a proven packager as well.
19:12:02 <ignatenkobrain> .fasinfo BVincent
19:12:03 <zodbot> ignatenkobrain: User "BVincent" doesn't exist
19:12:22 <ignatenkobrain> BVincent: do you have FAS account ?
19:12:31 <revskills> probably makes sense to have a common user profile, but not so important. I have mine from the templates
19:12:49 <BVincent> I couldn't find my old account. Username is lowercase only for FAS.
19:13:14 <Sparks_too> revskills: Yes
19:13:54 <Sparks_too> Anything else with this?
19:14:08 * jsmith is a proven packager, fwiw
19:14:18 <ignatenkobrain> jsmith: cool
19:16:16 <Sparks_too> jsmith: What's the zodbot command for tasks?  #task?
19:16:19 <thoger> jrusnack: "As <owner> bugzilla login should be used", wasn't FAS login the final plan?
19:16:30 <jsmith> #action
19:16:34 <Sparks_too> TNX
19:16:56 <Sparks_too> #action Sparks to send a message to the list asking people to add themselves to the roster
19:17:03 <ignatenkobrain> ack
19:17:21 <jrusnack> thoger: well, then I am confused. I remember you arguing for bugzilla login, cause it makes easier to cc on bugs. What was the argument for FAS login again ?
19:17:42 <ignatenkobrain> jrusnack: more easy to track ?
19:18:30 <ignatenkobrain> we can use fasinfo command for zodbot and we will get all needed info
19:18:35 <ignatenkobrain> something like this
19:18:40 <thoger> jrusnack: you did not like bz login, so FAS name was proposed as alternative.  you seemed to be fine  with that.  i'm fine either way
19:18:44 <ignatenkobrain> .fasinfo sparks
19:18:45 <zodbot> ignatenkobrain: User: sparks, Name: Eric Christensen, email: sparks@redhat.com, Creation: 2007-07-17, IRC Nick: Sparks, Timezone: US/Eastern, Locale: en, GPG key ID: 0x024BB3D1, Status: active
19:18:48 <zodbot> ignatenkobrain: Approved Groups: gitpublican-fedora sysadmin-hosted sysadmin-docs sysadmin elections gitscap-security-guide @gitcreate-tx-configuration @gitsecure-coding gitcsi cla_fedora cla_done sysadmin-keys @gitdocsglue cvsfedora @docs +gitfedora-wiki @gitfedora-cms fedorabugs packager @docs-publishers @gitweatheralert @docs-writers @gitamateur-radio-menus cla_fpca @gitkeysigning-party-manual
19:19:38 <Sparks_too> So lets just use FAS ID.  You will likely already be CC'd on the BZ ticket if you added your fst_owner tag.
19:19:57 <jrusnack> Sparks_too: yup, I'll update it
19:20:11 <Sparks_too> Okay, anything else WRT the roster?
19:20:49 <Sparks_too> Okay, moving on
19:20:55 <Sparks_too> #topic Rewards
19:21:00 <ignatenkobrain> yup yup
19:21:03 <ignatenkobrain> very interesting
19:21:23 <jrusnack> rewards already ?
19:21:30 <Sparks_too> So I want to do what I can to reward people for working towards closing security vulnerabilitles
19:21:38 <Sparks_too> vulnerabilities even
19:21:51 <Sparks_too> jrusnack: You... you will get nothing.  :)
19:21:59 <ignatenkobrain> hehe
19:22:09 <jrusnack> oh damn
19:22:26 <Sparks_too> #idea Create a badge for fixing 50, 100, 200, 500, and 1000 security bugs
19:22:44 <ignatenkobrain> 1000 ?> oh
19:22:51 <ignatenkobrain> I think that's not possible
19:22:52 <ignatenkobrain> :D
19:22:55 <Sparks_too> ignatenkobrain: It could happen...  :)
19:23:12 <Sparks_too> ignatenkobrain: I'm trying to think long term.
19:23:14 <jrusnack> sounds good!
19:23:31 <Sparks_too> ignatenkobrain: I'm also hoping we never see the day when that badge gets awarded.
19:23:35 <bojov> sounds interesting
19:23:42 <ignatenkobrain> Sparks_too: huh!
19:23:43 <revskills> +1
19:24:20 <ignatenkobrain> Sparks_too: when this achievement awarded we should kill some packages in our repos I thing
19:24:22 <Sparks_too> So the problem with doing the badges is that right now it'll all be manually awarded since there isn't any real good way tie BZ to the system that awards badges.
19:24:22 <ignatenkobrain> think*
19:24:53 <Sparks_too> ignatenkobrain: Yes, we've clearly missed the opportunity to prevent the chaos that is a vulnerability.
19:24:55 <ignatenkobrain> I don't know how it can handle it automatically, BUT
19:25:09 <ignatenkobrain> can it track closed bugs with Whiteboard?
19:25:32 <Sparks_too> It cannot.  The badge system has never been introduced to Bugzilla.
19:25:46 <ignatenkobrain> I think we should make a patch
19:25:47 <ignatenkobrain> :D
19:25:58 <ignatenkobrain> anyway
19:26:02 <ignatenkobrain> we can write scripts
19:26:02 <Sparks_too> Tracking the whiteboard fst_owner tag I might be able to script some of this, though.
19:26:08 <ignatenkobrain> yes
19:26:13 <ignatenkobrain> I'd like to write this script
19:26:21 <Sparks_too> ignatenkobrain: It's yours
19:26:47 <bojov> ignatenkobrain: if upstream agree
19:26:58 <Sparks_too> #action ignatenkobrain to write a script to somehow get stats from BZ and use them for the badge system
19:27:16 <ignatenkobrain> bojov: temporarily we can use our custom scripts and in the future integrate BZ with the badges system
19:27:21 <Sparks_too> Is everyone agreed with the badges?
19:27:36 <bojov> +1
19:27:44 <ignatenkobrain> ack
19:27:47 <jrusnack> yes
19:28:06 <jsmith> ACK
19:28:09 <revskills> ack
19:28:12 <ignatenkobrain> Sparks_too: I saw something about SWAG
19:28:15 <ignatenkobrain> in wiki
19:28:19 <ignatenkobrain> what about that ?
19:29:16 <Sparks_too> #agreed Badges for fixing 50, 100, 200, 500, and 1000 security bugs.
19:29:38 <Sparks_too> #idea Make t-shirts for FST members who close x number of cases
19:29:53 <ignatenkobrain> sounds good
19:30:20 <Sparks_too> So, I may have some moneys for t-shirts and such.  I'm thinking that if we can show someone is a regular contributor to the team that we can reward them with a t-shirt.
19:30:51 <ignatenkobrain> I think any members who have badge 50 fixed sec bugs can have it
19:31:05 <Sparks_too> I have not thought anything of criteria but there are people within Red Hat that are very pleased to see this work happen and are willing to put some money into some t-shirts or the like.
19:31:14 <revskills> hall of fame too?
19:31:51 <Sparks_too> revskills: Sure, if we can script the BZ scraping we should be able to make an automated hall of fame page.
19:31:56 <ignatenkobrain> revskills: that's idea
19:32:05 <ignatenkobrain> how about wiki page
19:32:13 <Sparks_too> #idea Hall of fame webpage
19:32:16 <ignatenkobrain> which will auto-generate/auto-update
19:32:24 <ignatenkobrain> using BZ stats?
19:32:24 <bojov> for each one hundred can get a hat? :)
19:32:28 <ignatenkobrain> from first script
19:32:45 <Sparks_too> bojov: Perhaps
19:33:07 <ignatenkobrain> bojov: I'd say Red Hat. Originally Red Hat
19:33:14 <Sparks_too> ignatenkobrain: I'm wondering if we can have the script dump the numbers into a db that we can use for long-term stats AND for rewards
19:33:20 <ignatenkobrain> not a souvenir
19:33:31 <ignatenkobrain> yes
19:33:37 <ignatenkobrain> I can use sqlite for example
19:33:52 <ignatenkobrain> so. I'd like to do this
19:34:11 <Sparks_too> Okay, so a t-shirt after 50 vulnerabilities get closed?
19:34:28 <ignatenkobrain> +1
19:34:46 <bojov> it's fine by me
19:34:57 <BVincent> Sounds good.
19:35:00 <ignatenkobrain> https://github.com/ignatenkobrain/fedora-security-team
19:35:00 <revskills> looks fine for me, and hall of fame
19:35:09 <ignatenkobrain> I will create scripts here
19:35:14 <ignatenkobrain> oh. there.
19:35:41 <Sparks_too> #agreed T-shirts for those closing 50 vulnerabilities (pending funding)
19:35:52 <bojov> hall of fame for people not for sec bugs?
19:36:24 <Sparks_too> bojov: ?
19:36:36 <BVincent> I would assume people...
19:37:00 <ignatenkobrain> #action ignatenkobrain to write a script to somehow get stats from BZ and use them for "hall of fame" FST wiki page
19:37:22 <bojov> I assume for people too
19:37:22 <ignatenkobrain> Sparks_too: is github is good for us?
19:37:31 <ignatenkobrain> or we want use git.fedorahosted
19:37:38 <ignatenkobrain> or git.fedorapeople ?
19:37:47 <Sparks_too> ignatenkobrain: I'd prefer to use fedorahosted
19:38:05 <Sparks_too> FOSS and all that
19:38:14 <revskills> fedora hosted
19:38:15 <ignatenkobrain> #action ignatenkobrain to request git repo for FST scripts
19:38:37 <ignatenkobrain> well
19:38:37 <Sparks_too> #agreed Hall of Fame showing FST members and their current vulnerabilities closed count
19:39:01 <Sparks_too> Anything else with this or can I move on?
19:39:19 <ignatenkobrain> 100+ badge should provide hat :D
19:39:33 <Sparks_too> I'll see what kind of money I can get.  :)
19:39:54 <Sparks_too> Okay, moving on.
19:39:56 <ignatenkobrain> btw, i think i can provide some money for that if we're need
19:39:58 <ignatenkobrain> go
19:40:05 <Sparks_too> #topic Outstanding BZ Tickets
19:40:14 <Sparks_too> #info Monday's numbers: Critical 3, Important 69, Moderate 366, Low 128, Total 566, Trend -11
19:40:20 <Sparks_too> #info Current tickets owned: 4
19:40:39 <ignatenkobrain> unfortunately, I don't have time now. but I want to say some words
19:40:52 <ignatenkobrain> some bugs still has POST status
19:40:58 <ignatenkobrain> ~5-7 from me
19:41:05 <ignatenkobrain> and 1 from adamw IIRC
19:41:08 <Sparks_too> I wanted to point out that last number.  I'm not sure if people aren't working cases or if they aren't owning cases but I'd like to see that "owned" number go up.
19:41:10 <ignatenkobrain> more than week
19:41:13 <revskills> I was this week working on some security related for fedora, but I will start now with this
19:41:20 <Sparks_too> ignatenkobrain: +1
19:41:43 <ignatenkobrain> I think we should poke people
19:41:50 <Sparks_too> Probably
19:41:59 <ignatenkobrain> jsmith: what do you think ?
19:42:08 <ignatenkobrain> probably you can easy fix them ?
19:42:14 <Sparks_too> Is anyone here using Eucalyptus?
19:42:20 <jsmith> I'd be happy to take a look at a few of them
19:42:27 <ignatenkobrain> jsmith: give me 5 mins
19:42:28 <jsmith> (as I have time around my $DAYJOB, of course)
19:43:07 <ignatenkobrain> #link https://bugzilla.redhat.com/query.cgi?bug_status=POST&chfield=bug_status&chfieldto=1w&chfieldvalue=POST&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&query_format=advanced
19:43:10 <jsmith> ignatenkobrain: Now just happens to be a good time for me to start looking :-)
19:43:40 <Sparks_too> jrusnack: Want to talk about your update on pwgen?
19:43:46 <jrusnack> sure
19:44:15 <jrusnack> I sent two patches that fix 4440 and 4442, Theodore has not yet responded
19:44:32 <jrusnack> as for 4441, I did some analysis and forwarded to our list and Theodore
19:45:18 <Sparks_too> jrusnack: I think 4441 was the one I talked to Kurt about (who actually issued the CVE).  The data is what swayed him to issue it in the first place so it's likely good.
19:45:20 <jrusnack> the thing is, if we define that a pronounceable password generator is secure if the distribution of passwords it generates is uniform
19:45:36 <jrusnack> (which is a sound definition) then the 4441 is valid
19:45:46 <Sparks_too> right
19:45:56 <jrusnack> the only trouble is
19:46:27 <jrusnack> if we want to fix this, we cannot just fix the algorithm, since removing the bias reduces the number of passwords that can possibly be generated
19:46:48 <jrusnack> in such a way that bias helps attacker much *less* than the password space reduction
19:47:09 <jrusnack> so either tear the algorithm apart and start from scratch or better leave that unfixed
19:47:24 <Sparks_too> jrusnack: What's the severity of this?
19:47:55 <jrusnack> Sparks_too: medium
19:48:32 <jrusnack> Sparks_too: what did Kurt say about this ?
19:48:55 <Sparks_too> jrusnack: I really wouldn't worry too much about a medium right now.  Not saying it isn't something we should look at but I wouldn't expend a lot of energy on this when we have lots of worse stuff out there.
19:49:07 <Sparks_too> jrusnack: Kurt said that he felt the CVE was valid.
19:49:23 <Sparks_too> jrusnack: He didn't say anything about the fix being good or bad.
19:50:55 <Sparks_too> jrusnack: So, unless the developer is going to rewrite this to make it okay I suspect our options are to remove the functionality in our package, or try to fix it ourselves (I don't like this option), or just live with it.
19:51:00 <Sparks_too> Not great options.
19:51:51 <jrusnack> I'd go with live with it, or challenge Kurt to show how this is exploitable :)
19:51:54 <ignatenkobrain> I have to go
19:51:56 <ignatenkobrain> have fun!
19:52:04 <revskills> bye ignatenkobrain
19:52:09 <ignatenkobrain> Sparks_too: jrusnack: jsmith: revskills: bye!
19:52:13 <jrusnack> I'll wait for Theo's response, and leave this be
19:52:16 <jrusnack> ignatenkobrain: bye !
19:52:30 <bojov> bye ignatenkobrain
19:52:34 <revskills> jrusnack: some times not bad idea to dev a PoC
19:52:35 <Sparks_too> jrusnack: Feel free to push Kurt for better reasoning.
19:53:36 <jrusnack> Sparks_too: sure.
19:54:29 <jrusnack> Sparks_too: would it make sense to lower the severity ?
19:54:35 * Sparks_too isn't going to talk about Eucalyptus today
19:55:31 <Sparks_too> jrusnack: No, the severity is set by RH Product Security using a magic 8-ball or other scientific method.  What they rate it as is correct (unless they change it later).
19:55:39 <Sparks_too> Moderate isn't awful.
19:55:55 <jrusnack> right
19:56:19 <Sparks_too> jrusnack: Okay, anything on pwgen?
19:56:25 <Sparks_too> jrusnack: Okay, anything else on pwgen?
19:56:26 <jrusnack> Sparks_too: nope, move on
19:56:34 <Sparks_too> #topic Open floor discussion
19:56:40 <Sparks_too> Anyone have anything?
19:57:19 <bojov> no
19:57:19 <BVincent> First meeting here. Any recommendations where to start on BZ?
19:58:16 <Sparks_too> BVincent: On the Security Team wiki page (https://fedoraproject.org/wiki/Security_Team) are links to the bugs.  Find something you feel like you can handle and dig in.
19:58:40 <Sparks_too> BVincent: They are ranked by severity: Critical > Important > Moderate > Low
19:59:04 <Sparks_too> BVincent: I'd prefer to concentrate on the top two severities right now.
19:59:30 <BVincent> Sparks_too: Just work with upstream eh?
19:59:42 <revskills> Sparks_too: plan about CVE ttl f20/f21
20:00:11 <Sparks_too> BVincent: This may help > https://fedoraproject.org/wiki/Security_Team#Work_Flow
20:00:30 <Sparks_too> revskills: Until they are fixed or no longer being shipped.
20:00:47 <Sparks_too> revskills: I suspect many packages just get pushed into rawhide and CVEs keep going.
20:00:59 <BVincent> Sparks_too: Just what I was looking for. Sounds great!
20:01:00 <Sparks_too> Okay, it's the top of the hour.  Thanks everyone for coming.
20:01:08 <Sparks_too> #endmeeting