fedora_security_team
MINUTES
14:00:15 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:15 <zodbot> Meeting started Thu Jun 11 14:00:15 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:15 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:18 <Sparks> #meetingname Fedora Security Team
14:00:18 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:25 <Sparks> #topic Roll Call
14:00:26 * Sparks 
14:00:56 * pjp waves
14:01:01 * d-caf 
14:03:48 <Sparks> jsmith: You joining us today?
14:05:08 * Sparks notes jsmith is at a conference this week
14:05:13 <Sparks> Okay, let's get started.
14:05:20 <Sparks> #topic Follow up on last week's tasks
14:05:29 * mhayden should be able to finally start attending these meetings starting with this one ;)
14:05:58 <Sparks> #info jsmith pushed the fix for rubygem-activesupport (BZ 905374).  We officially no longer have any critical vulnerabilities in Fedora or EPEL (that we know of).
14:06:17 <Sparks> #info Sparks blogged about the 90-day challenge
14:06:19 <pjp> mhayden: Cool, welcome back! :)
14:06:36 <Sparks> mhayden: Welcome!
14:06:48 <Sparks> #action FabioOlive will propose automated non-responsive maintainer process on the FST list
14:06:51 <d-caf> mhayden: welcome!
14:06:57 <mhayden> i've been gone so long i think i owe everyone a breakfast taco :|
14:07:01 <Sparks> #action Team Goal: All important CVEs from 2014 and before should be fixed by the end of June.
14:07:15 <Sparks> #topic 90-Day Challenge
14:07:22 <Sparks> #link https://ethercalc.org/90-day-challenge
14:07:28 <Sparks> #info 90-Day Challenge has a goal to close all 2014 and prior Important CVEs in Fedora
14:07:31 <Sparks> #info 90-Day Challenge has a goal to close all 2014 and prior Important CVEs in Fedora
14:07:40 <Sparks> #info As of 2015-06-11, of the 38 target bugs 14 have been closed, 1 is On_QA, and 23 are Open
14:07:52 <Sparks> #action Sparks to remove FST_Owner from 90-day Challenge bugs where there doesn't appear to be any interaction
14:08:08 <Sparks> Yeah, I didn't get to that last week.  I'll carve out some time to do so today.
14:08:51 <Sparks> So there has been no movement for the last two weeks.  I suspect we've gotten all the "easy" ones taken care of.
14:09:02 * pjp checking his bugs and plans to follow-up today
14:09:43 <d-caf> I tried following up on several last night, mostly non-responsive maintainers at this point or aging out with fedora 20
14:10:09 <d-caf> Frustrating as usual...
14:10:14 <pjp> True,
14:10:18 <Sparks> Okay.  I'd say we concentrate on the ones not aging out.
14:11:30 <d-caf> going to try and find new maintainer and got to file non-responsive (which i've been behind on doing...sorry)
14:11:57 <Sparks> d-caf: Yeah, we've all been behind.
14:12:59 <Sparks> We've basically got three weeks left with the challenge.  I'm going to clear out the FST_owner tag on any bug that I don't see action on and let other folks take over those tickets.
14:13:25 <Sparks> Let's see if we can do a push the last few weeks.
14:14:07 <pjp> Yep
14:14:45 <pjp> Sparks: It'll help if you could clear such owners from the ethercalc sheet, the unowned ones could then be up for grabs
14:15:30 <Sparks> pjp: Yes, I'll do that too.
14:15:38 <d-caf> Yeah, I can try to take on a few more, I've been picking up new 2015 ones already
14:15:39 <pjp> Sparks: Thank you.
14:15:41 <Sparks> I'll send an email with that information when it's done.
14:16:03 <pjp> d-caf: let's clear the 2014 lot first,
14:16:13 <pjp> Sparks: cool!
14:16:37 <d-caf> pjp: Agreed, but my 2014 ones have been in non-response hold so took some others to move on
14:16:46 <d-caf> would take 2014 if I knew which ones were free for the taking
14:16:54 <pjp> d-caf: Right,
14:17:50 <Sparks> Anything else about the challenge?
14:18:45 <mhayden> are any of you going to the RH Summit? it might be fun to have a hackathon of sorts there and crush some of these
14:19:02 <pjp> Sparks: should we send the current status to the fst list? Maybe we'll find more takers.
14:19:48 <Sparks> pjp: Yeah, we could.
14:20:16 <pjp> That'll help
14:21:53 <Sparks> #topic Outstanding BZ Tickets
14:22:00 <Sparks> #info Thursday's numbers: Critical 0 (-1), Important 48 (+3), Moderate 360 (-14), Low 162 (-2), Total 574, Trend -14
14:22:09 <Sparks> #info Current tickets owned: 107
14:22:16 <Sparks> #info Tickets closed: 328 (+8)
14:22:25 <Sparks> So, we finally got rid of the critical.
14:22:31 <Sparks> jsmith++
14:22:31 <zodbot> Sparks: Karma for jsmith changed to 12:  https://badges.fedoraproject.org/tags/cookie/any
14:23:09 <Sparks> Wait, that works now?
14:23:21 <striker> yep
14:23:24 <striker> Sparks++
14:23:34 <Sparks> HAHAHAHHA
14:23:37 <Sparks> That's so funny.
14:23:37 <d-caf> or not...
14:23:45 <striker> Sparks already has a cookie
14:23:53 <striker> can't give him two, I think :(
14:24:00 <pjp> :)
14:24:02 <striker> .fas sparks
14:24:02 <zodbot> striker: twosparks123 'tom sparks' <twosparks@ntin.net> - bq87xrz2 'Joel Sparks' <jsparks58@gmail.com> - sparksd2145 'Thomas Ibarra' <sparksd2145@gmail.com> - skraps 'Rob Sparks' <gskraps@gmail.com> - sparks 'Eric Christensen' <sparks@redhat.com> - brynspar 'Bryan Sparks' <brynspar@gmail.com>
14:24:03 <Sparks> We've only been talking about this for... years.
14:24:26 <Sparks> Yeah, I think I'm 'sparks' not 'Sparks' in FAS.
14:24:38 <striker> .fas sparks@redhat.com
14:24:38 <zodbot> striker: sparks 'Eric Christensen' <sparks@redhat.com>
14:24:40 <striker> :)
14:25:43 <mhayden> are EPEL packages in scope? i assumed yes
14:26:11 <pjp> mhayden: Yep
14:26:16 <mhayden> gotcha
14:26:59 <Sparks> mhayden: Yeah, those numbers include both Fedora and EPEL packages.
14:28:16 <Sparks> #topic New Meeting Time
14:28:27 <Sparks> #link http://whenisgood.net/98rtz7p/results/eyz7qkh
14:29:13 <Sparks> Still looks like Monday and Thursday at 20:00 UTC is best.
14:29:52 <Sparks> Of course that would pretty much rule out pjp and d-caf
14:29:53 <pjp> 20:00 UTC is too late for IST, 01:30 am
14:29:57 <d-caf> is that link utc?
14:30:01 <Sparks> Yes
14:30:54 <d-caf> yeah, as stated before that time will be difficult to make for myself, but oh well
14:31:46 <d-caf> 14:00 UTC looks good for many on Wed/thurs
14:32:07 <Sparks> d-caf: Well, that's now and we see the turnout we have now.
14:32:35 <d-caf> true, but 20:00 and you know you'll likely lose 1-2 of the ones you have now ;-)
14:32:45 <pjp> :)
14:33:10 <Sparks> correct
14:33:24 * Sparks ponders selecting a time that no one can make
14:33:39 <pjp> ..:)
14:33:49 * d-caf feels sorry for Sparks knowing there is no win on this...
14:34:13 <Sparks> Yeah, well, the other solution would be to have alternating meeting times.  One week "early" and the next "late".
14:34:52 <d-caf> Sparks: could try that for a while and see how it works and what the turn out is for the two times
14:35:03 <pjp> Hmmn, we could try that. But not at 20:00 UTC
14:35:32 <d-caf> I'm guessing one at 1400 one at 2000, maybe both Thursday
14:35:37 <Sparks> Right.
14:35:48 <pjp> Maybe 17:00-18:00 hrs would help
14:36:02 <Sparks> I mean, the meetings aren't really important but I'd like to get people involved in asking questions if they have them.
14:36:24 <d-caf> pjp: that drops is into serious work hours on the EDT zone
14:36:33 <pjp> d-caf: I see,
14:37:32 <d-caf> there is usually some leeway early in the morning and later afternoon, unfortunately for me afternoon just stap busy...
14:37:41 <d-caf> stap/stay
14:37:50 <d-caf> jeeze my typing is off this morning
14:38:01 <d-caf> no coding for me
14:41:03 <Sparks> Okay, I'll put something out on the mailing list and we'll figure it oiut.
14:41:06 <Sparks> out even
14:41:13 <Sparks> #topic Open floor discussion/questions/comments
14:41:17 <Sparks> Anyone have anything?
14:41:35 <pjp> Sparks: Did we sort out the security@fp.o mess?
14:42:35 <pjp> We need to bring that back to life,
14:43:39 <d-caf> pjp: The discussion or the email address?
14:43:45 <Sparks> pjp: We didn't.  Apparently the email address goes to the security-private@l.fp.o.
14:44:10 <pjp> d-caf: the email address, and publicise it to wider audiences
14:44:17 <pjp> Sparks: Yes
14:44:21 <d-caf> and who is on the security-private@l.fp.o ?
14:44:40 <pjp> d-caf: no-one I guess, ;)
14:44:59 <d-caf> I assume that's a restricted list
14:45:00 <pjp> Sparks: Do we need to open any ticket against rel-eng or fedora-admins ?
14:45:57 <Sparks> pjp: Well, I think we need to make sure we have folks watching that account before we start publicizing it.  Also, how do we handle sensitive bugs?
14:46:01 <pjp> Sparks: Let's get the FST members on that list, and publish security@fp.o across all channels,
14:46:34 <pingou> (that would be infra, not rel-eng)
14:46:39 <pjp> Sparks: We'll figure it out, won't be much difficult,
14:46:57 <pjp> pingou: I see, thank you.
14:47:05 <d-caf> I'm not sure I would do all FST members automatically
14:47:31 <pjp> d-caf: or at least the ones who are regulars at these meetings,
14:47:55 <d-caf> pjp: Yes, people proven to be involved/helping track record..
14:48:43 <Sparks> pjp: Okay, I'll let you run with that.
14:49:03 <mhayden> have y'all found most maintainers to be fairly responsive?
14:49:11 * mhayden channels some optimism
14:49:21 <d-caf> 70/30 on responsiveness
14:49:25 <pjp> Sparks: Cool, I'll make a list of folks to subscribe to it, and raise a ticket against infra
14:49:36 <Sparks> mhayden: If they were responsive they would have already fixed the problem and likely wouldn't be hearing from us.
14:49:43 * mhayden nods
14:49:51 <Sparks> pjp: Make sure we get control of that list.
14:49:59 <pjp> mhayden: Yes, most do respond to pings or emails
14:50:05 <pjp> Sparks: Yes
14:50:21 <mhayden> pjp: ah, so bumping the ticket and sending emails to maintainers seems to work?
14:50:24 <pjp> Sparks: do we need security-private too?
14:50:26 <mhayden> i thought about sending a courtest email
14:50:31 <mhayden> s/courtest/courtesy/
14:50:43 <Sparks> pjp: Well, that
14:50:44 <pjp> mhayden: Yes
14:50:58 <pjp> Sparks: let's have one list, it'll be easy to maintain
14:50:59 <Sparks> pjp: Well, that's where that email address goes right now.  Might be good to hold the history.
14:51:09 <pjp> Sparks: Okay, makes sense
14:52:11 <Sparks> Anyone have anything else?
14:52:39 <pjp> Nope,
14:53:14 <d-caf> No
14:54:07 <mhayden> nope
14:54:38 <Sparks> Okay, thanks for coming out!
14:54:43 <Sparks> #endmeeting