14:00:08 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:08 <zodbot> Meeting started Thu Mar 12 14:00:08 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:08 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:11 <Sparks> #meetingname Fedora Security Team
14:00:11 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:14 <Sparks> #topic Roll Call
14:00:16 * Sparks 
14:00:19 * jsmith is here!
14:00:28 <bvincent> .fas bvincent
14:00:29 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
14:02:22 <FabioOlive> .fas fleite
14:02:23 <zodbot> FabioOlive: fleite 'Fabio Olive Leite' <fabio.olive@gmail.com>
14:02:39 * ghorhe watching..
14:03:07 <FabioOlive> #topic Listing on the team's wiki page typical activities and low hanging fruit for newcomers/newbies that want to help.
14:03:35 <Sparks> FabioOlive: I'll include that in the agenda
14:03:39 <FabioOlive> hmm that was supposed to be a topic proposal, not sure I did it right :)
14:04:30 <Sparks> FabioOlive: Added
14:06:32 <Sparks> Okay, lets get started.
14:06:40 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:06:45 <Sparks> #topic Outstanding BZ Tickets
14:06:52 <Sparks> #info Thursday's numbers: Critical 1, Important 50 (+4), Moderate 359 (+3), Low 159 (-8), Total 569, Trend -1
14:06:57 <Sparks> #info Current tickets owned: 159 (~28%)
14:07:01 <Sparks> #info Tickets closed: 243 (+1)
14:07:16 <Sparks> Does anyone have anything specific to discuss with regards to tickets?
14:07:47 <FabioOlive> Do all those bugzillas need experts to look at them?
14:08:03 <FabioOlive> Or can some of those be reviewed by newcomers that want to help and learn?
14:08:35 <Sparks> They are all open to everyone to help.  :)  Some will be more difficult to deal with than others but one wouldn't know until they dig into them.
14:09:29 * Sparks needs to look at retired packages again to see what tickets he can close.
14:09:46 <FabioOlive> Sparks: ok, does the Fedora Sec Team wiki page link to a bugzilla query one can easily click in and dive into?
14:10:21 <Sparks> Tehre+
14:10:37 <Sparks> grrr
14:10:40 <FabioOlive> it would be great to have a section on the page where we list various links to "here's where you get work to do" :)
14:11:32 <Sparks> There are links on the wiki page that link directly to non-FST-owned cases.
14:11:49 <Sparks> They are by priority so, in theory, we should start at the top and work down.
14:12:02 <FabioOlive> hmm ok, sorry I haven't looked at the page recently
14:14:08 <Sparks> FabioOlive: https://fedoraproject.org/wiki/Security_Team#Contact <-- This is where the links are but this should be redesigned.
14:14:22 <FabioOlive> ok
14:14:34 <bojov> Sparks: there is bugzilla tickets against moodle package in epel 5. As far as i can see there is no more moodle package in epel 5.
14:15:08 <Sparks> bojov: Yeah, I think that might have been one of the retirees.
14:15:28 <bojov> moodle package only exists in epel 6
14:15:35 <danofsatx> good day, folks. I've not spoken up much in the security channel or meetings, but I have an idea pertaining to the current discussion.
14:15:48 <Sparks> danofsatx: Go ahead
14:17:51 <danofsatx> On the Fedora QA team, we use tracking bugs for our release tracking. That way, when we get issues that need to be tracked, we set them as blocking the BZ that is the tracker.
14:18:43 <danofsatx> Also, as part of our release validation testing, we assign a value to the WhiteBoard feild in BZ, which allows various tools to search BZ and pull out the bugs that have a particular value in the white board.
14:19:00 <danofsatx> an example of one tool: https://qa.fedoraproject.org/blockerbugs/milestone/22/beta/buglist
14:19:37 <Sparks> Yeah, we've talked about tooling before but we've not gotten far.
14:19:56 <danofsatx> I was thinking that security bugs could be tagged with either a blocker or whiteboard field, and that could be pulled back into the wiki to show current open security bugs.
14:20:14 <FabioOlive> interesting idea, handle the sec team more like QA or release management, having trackers and goals for each release. maybe even some "release criteria" like goal for fedora security
14:21:12 <danofsatx> Well. I've been meaning to talk to y'all - I've been in IT security for 15 years, and would like to help y'all out as much as I can. I'm not a developer, more of an integrator.
14:21:34 <danofsatx> I'll poke at the QA tools and see how easily they can be adapted to the security team.
14:22:31 <danofsatx> If I can do it, I'll throw up a proof-of-concept and let y'all poke at it, I can notify either via the channel or list which ever you'd prefer
14:23:16 <Sparks> danofsatx: security-team@l.fp.o, please
14:23:37 <danofsatx> roger, I'll make sure I'm subb'd (I thought I was...)
14:25:44 <Sparks> #topic Listing on the team's wiki page typical activities and low hanging fruit for newcomers/newbies that want to help.
14:25:45 <danofsatx> ok, subscribed to both security and security-team.
14:25:56 <Sparks> FabioOlive: Okay, what is your idea?
14:26:26 <FabioOlive> Sparks: oh no, I was commenting on danofsatx idea :-) to use blocker bugs and other typical QA processes for the SecTeam
14:27:39 <Sparks> FabioOlive: No, I changed to your topic that you asked for.
14:27:55 <FabioOlive> ah sorry
14:28:00 <danofsatx> it makes sense from a usability stand point. It will put everything in a central, easy to find location for newbies to browse, and veterans to use.
14:28:21 <FabioOlive> so, as an Ambassador I'm continually trying to attract new people into helping the project
14:28:50 <FabioOlive> and I would like to have a way to help/mentor newer contributors with simple tasks into the Security Team
14:29:20 <FabioOlive> so I was wondering if there are tasks or low hanging fruit we can list in our wiki page, that interested newbies can go through and help
14:29:32 <FabioOlive> kind of a "janitors" work, even
14:29:55 <FabioOlive> but that allows newcomers to exercise the tools and skills they will need to help in more complex tasks later
14:30:12 <Sparks> We don't but I feel that it's because if there were the person who would find such things would just go ahead and do the work to fix it instead of categorizing it.
14:30:28 <FabioOlive> to put it short, a more detailed and specific "how to start helping" section on the wiki page
14:30:33 <Sparks> We can try to do some triage, though.  I don't necessarily think it's a bad thing to do.
14:30:50 <FabioOlive> ok
14:30:51 <Sparks> https://fedoraproject.org/wiki/Security_Team#Work_flow
14:31:16 <FabioOlive> yeah, you mentioned the bugzilla query, for example. that certainly helps.
14:31:46 <Sparks> Well, the workflow basically describes what the process is in seven steps.
14:31:51 <FabioOlive> I'll start working with that and see how the idea can be further detailed, if needed. perhaps a few queries, from more janitorial work up to more complex bugfixing.
14:32:42 <danofsatx> another angle of attack that is used with the Infrastructure team is to assign trac tickets with an "easyfix" category: https://fedorahosted.org/fedora-infrastructure/report/14
14:33:05 <FabioOlive> as I myself get more involved and identify those "low hanging fruit" I'll edit the wiki page and add stuff
14:33:21 <danofsatx> basically, it's stuff the experienced admins can handle in their sleep, but it's not critical enough to be fixed immediately so it is left for the apprectices to cut their teeth on
14:33:37 <FabioOlive> yep, exactly what I was thinking
14:34:01 <Sparks> Again, I think the problem is going to be that once you figure out it's an easy fix you might as well finish the process since you're halfway there.
14:34:59 <FabioOlive> yeah, the issue is mainly coming up with an automated way to flag those. or maybe a specific bugzilla query for things that are low priority, need to be cleaned up, etc
14:35:34 <FabioOlive> if one needs to go through the bug to declare it easy, then like you said, it's time badly spent if you analyze and don't fix it
14:36:49 <Sparks> FabioOlive: I don't think it's necessarily a bad thing if someone starts into the process and then turns back when they realize it's more difficult than what they were expecting.  As long as they leave their notes in the ticket then its time-not-wasted.
14:37:05 <FabioOlive> ok
14:37:49 <FabioOlive> Sparks: later today I'll go over the bugs listed there and will check some, and tell people in my local group how to go about it
14:38:04 <danofsatx> ok, folks, it has been nice chatting with you. I have another client I'll leave idling to follow along, but this system needs rebooted.
14:38:08 <Sparks> FabioOlive: +1
14:38:21 <Sparks> #topic Open floor discussion/questions/comments
14:38:33 <Sparks> Okay, does anyone have anything they'd like to discuss?
14:44:10 <Sparks> Hearing none...  I'll go ahead and close for today.
14:44:17 <Sparks> Thanks, everyone, for coming.
14:44:20 <Sparks> #endmeeting