fedora_security_team
MINUTES
14:00:48 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:48 <zodbot> Meeting started Thu Sep 17 14:00:48 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:48 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:51 <Sparks> #meetingname Fedora Security Team
14:00:51 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:58 <Sparks> #topic Roll Call
14:01:00 * Sparks 
14:01:08 * d-caf 
14:01:20 * mhayden woots
14:04:51 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:05:02 <Sparks> #topic Major's article
14:05:15 <Sparks> #link http://i.imgur.com/reMiI9p.png
14:05:18 <Sparks> mhayden: Go
14:05:30 <mhayden> the current final draft is here -> http://i.imgur.com/reMiI9p.png
14:05:38 <mhayden> forgive the PNG but i figured it would be easiest to show the layout
14:05:56 <mhayden> i think the one point of contention was around the super-duper-emergency security@fp.o email address
14:06:03 <mhayden> i'm open to whatever verbiage we want to use there
14:06:15 <mhayden> then again, i'm not on that list so i can't really chime in ;)
14:06:46 <Sparks> My only concern is not with the article but what we're planning on doing with the security@ address
14:06:57 <d-caf> I think the question is, is anyone on the email list?
14:07:34 * mhayden hears crickets
14:07:37 <d-caf> Many meetings ago we wanted to make sure that the security@fp went to at least 3 redhat people who were in some way connected to the security-team
14:07:38 <mhayden> ;)
14:07:45 <Sparks> Bressers is the one that's the admin on that list but he no longer has the pw.  I've asked for infra to reset it.
14:08:00 <mhayden> is RHT's "Product Security" team the same as SRT?
14:08:07 <d-caf> with the idea that eventually proven security-team members who were non-redhat and trusted could be added as well
14:08:09 <Sparks> mhayden: There is no more SRT
14:08:13 <Sparks> It's all Product Security
14:08:14 <mhayden> Sparks: ah, okay
14:08:20 <d-caf> but to keep the group relatively small but redundant
14:08:33 <mhayden> well unless there are any objections on the post, i'll poke ryan lerch to "make it so"
14:08:45 <Sparks> +1
14:09:04 * zoglesby is late again
14:09:12 <d-caf> I like the post, go for it.
14:09:24 <d-caf> But we've got to get the security@ email address resolved
14:09:25 <mhayden> zoglesby: gotta bring breakfast tacos if you're late
14:09:50 <zoglesby> mhayden: in the mail. two to four week delivery
14:09:51 <mhayden> okay, i'll go tickle wordpress and ask ryan to publish when ready
14:09:57 <d-caf> security@ needs to be confirmed as going to at least two people
14:10:10 <Sparks> d-caf: Lets talk about that separately
14:10:18 <d-caf> Sparks: ok
14:10:36 <Sparks> Okay, anything else about the article?
14:10:53 <mhayden> thanks for the help on assembling the post, everyone ;)
14:11:01 <d-caf> mhayden: Thanks for writing it!!!
14:11:08 <mhayden> no problem! :)
14:11:31 <Sparks> #action mhayden to work with Ryan to get the article published
14:11:41 <Sparks> #agreed The article is ready to go.
14:11:55 <Sparks> #topic security@ email address
14:12:12 <Sparks> #info security@fp.o redirects to security-private@l.fp.o
14:12:42 <d-caf> ok, who is on security-private now?
14:13:36 <Sparks> d-caf: I just asked bress to join us if he's available.
14:13:42 <Sparks> d-caf: He's the admin on that list.
14:13:46 * Astradeus is sorry for being late - hi :)
14:14:04 <Sparks> Astradeus: Better late than never
14:14:46 <FabioOlive> .fas fleite
14:14:47 <zodbot> FabioOlive: fleite 'Fabio Olive Leite' <fabio.olive@gmail.com>
14:14:54 <Sparks> Welcome FabioOlive
14:15:16 <FabioOlive> :)
14:15:36 <Sparks> d-caf: FWIU, bress is the admin of security-private but really hasn't done anything with it in... years.  He no longer is aware of the pw so I've asked infra to reset it.
14:16:11 <Sparks> d-caf: I think thoger has the moderator pw but I don't think that gives you enough power to see who is subscribed.
14:16:19 <d-caf> So we don't know where it goes if anywhere
14:16:20 <Sparks> d-caf: We do need to regain control of the list, however.
14:16:29 <Sparks> Where what goes?
14:16:51 <bress> Sparks: What's up?
14:16:54 <d-caf> we don't know who is going to get an email sent to that list
14:17:11 <Sparks> bress: We're talking about the security-private list.  Any idea who is subscribed?
14:17:23 <mhayden> d-caf++
14:17:26 <d-caf> Sparks: can people who subscribe be approved?
14:17:30 <mhayden> ^^ for suggesting blog post title
14:17:52 <Sparks> d-caf: Correct.  I sent an email to security@ in the Spring asking anyone that received it to contact me and I got no responses so...
14:17:52 <bress> Sparks: I'll send you the admin password
14:18:04 <Sparks> bress: Okay, I guess infra reset it?
14:18:31 <bress> I saw a mail yesterday. I assumed someone else got a copy.
14:19:23 <Sparks> bress: I suspect they only sent it to you since you are the only owner
14:19:31 <Sparks> d-caf: And now I am the owner!
14:19:45 <d-caf> Sparks+++++
14:19:49 <Sparks> bress: Do you want to stay on as an owner?
14:20:09 <d-caf> mhayden: thanks, was inspired by the wrangling of nagios (and your use of the word in the article)
14:20:19 <d-caf> :-)
14:20:59 <Sparks> Okay, there are four people subscribed to the security-private list:  bress, mjc, Sparks, and thoger.
14:21:52 <d-caf> Excellent, that means it's covered and someone will see something coming in
14:22:02 <d-caf> that's really what I was most concerned with
14:22:20 <mhayden> bress++
14:22:20 <zodbot> mhayden: Karma for bressers changed to 1 (for the f22 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:22:47 <Sparks> d-caf: Well, I don't know who *should* be on the list.
14:22:59 <d-caf> As for the eventual list makeup (redhat vs fedora vs community) that's for further discussion
14:23:30 <d-caf> Sparks: Do we want to have that discussion now?
14:23:47 <Sparks> We can.
14:24:06 <Sparks> I'm still not sure how to work with embargoes (and I hate embargoes).
14:24:20 <Sparks> We (Fedora) don't have a trusted relationship with anyone.
14:25:20 <d-caf> So what happens when someone reports a really nasty 0 day to that security@fp address?
14:25:24 <FabioOlive> yeah, it would be nice to look at how other "pure community" projects handle this
14:25:37 <Sparks> FabioOlive: Debian?
14:25:53 * Sparks is trying to think of pure-community projects
14:26:11 <d-caf> Kernel, Debian, OpenBSD,
14:26:17 <FabioOlive> yeah, maybe we can ask them
14:26:25 * Sparks goes to grab someone
14:26:38 <mhayden> FabioOlive: i sit within rock-throwing-distance of someone very involved with Gentoo security
14:26:40 <FabioOlive> the kernel folk normally care very little about embargoes if at all, they usually just commit stuff and move on
14:26:53 <Sparks> mhayden: Then throw a rock at them
14:27:08 * mhayden picks up a little one
14:27:09 <Sparks> FabioOlive: I just asked Florian to come join us.
14:27:13 <Astradeus> mhayden: or a paper airplane
14:27:13 <mhayden> what should i be asking?
14:27:23 <FabioOlive> wrap the rock in a little paper with "how do you handle security?" written on :)
14:27:32 <Sparks> mhayden: "How does Gentoo handle embargoed security issues?"
14:27:37 <mhayden> gotcha
14:27:45 <Sparks> mhayden: I said a rock not a pebble
14:28:00 <FabioOlive> Sparks: yeah, I was thinking about asking fweimer about Debian
14:28:04 <d-caf> How do you handle confidentiality, security, time to patch, and openness to the community and transparency
14:28:06 <mhayden> well, we already handle embargoed Xen stuff in Fedora
14:28:09 <d-caf> you know little things like that...
14:28:17 <Sparks> FabioOlive: Well, he is the Debian security guy.  :)
14:28:20 <mhayden> the bugzillas are hidden until they're public
14:28:43 <Sparks> mhayden: In Fedora or in Red Hat?
14:28:59 <mhayden> well, RHT security probably gets the email ;)
14:29:05 <Sparks> right
14:29:11 <mhayden> but non-RHT employees work on the bug (or i've seen that in the past)
14:29:15 * mhayden looks at bugzilla
14:29:47 <FabioOlive> I believe one of the main points is "how is trust earned and maintained" with upstream projects that would start including Fedora in the embargoed notifications
14:30:05 <Sparks> #info Right now embargoed issues typically get reported to Red Hat Product Security.  Those issues get worked on internally and then information flows to Fedora once the embargo is lifted/expires.
14:30:34 <Sparks> FabioOlive: Our infrastructure isn't really set up to handle embargoed bits, though.
14:30:43 <FabioOlive> at some point someone had to trust the Debian/Gentoo/*BSD security teams and start including them in the notifications
14:30:52 <Sparks> fweimer: Welcome!  We just have a question about Debian.  :)
14:30:53 <FabioOlive> Sparks: yeah, that is an issue
14:31:03 <mhayden> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7188 <-- embargo example
14:31:14 <fweimer> Sparks: Ahh. :)
14:31:18 <Sparks> fweimer: How does Debian deal with embargoed security issues?  Do they get advance notice?
14:31:20 <mhayden> looks like RHT bug existed prior to embargo, but hidden
14:31:27 <mhayden> Fedora folks not activated until it went public
14:31:39 <Sparks> mhayden: Yep
14:31:41 <fweimer> Sparks: Yes.  It's a completely separate archive and build queue.
14:32:07 <Sparks> fweimer: Is there a group that knows about these issues or is it just... you?
14:32:12 <mhayden> i guess there's a question there around RHT getting notified by OSS-SEC or Xen and when that can be shared with anyone not employed by RHT
14:32:26 <fweimer> Sparks: There is an entire security team.
14:32:46 <Sparks> fweimer: How did you guys get to be "trusted"?
14:32:57 <fweimer> Sparks: https://www.debian.org/intro/organization#security
14:33:31 <Sparks> I guess Fedora is a special case.  Most of what is shipped in Fedora is also in RHEL so Red Hat generally cares.
14:33:36 <mhayden> Sparks: first, you go into the deep woods...
14:33:59 <Sparks> mhayden: Yeah, I suspect as much.
14:34:24 <Sparks> fweimer: We're trying to figure out how to best get Fedora's security team more involved with... well... Fedora's security.
14:34:30 <fweimer> Sparks: We evaluate technical expertise and hope for the best.  All applicants are already DDs.
14:35:03 <fweimer> Sparks: It's the same thing with hiring anyone, really.  You can never be sure.
14:35:43 <FabioOlive> ok so maybe we can filter on Fedora proven packagers, for example?
14:35:59 <FabioOlive> like, get some of them involved in the FST
14:36:09 * Sparks eyes jsmith
14:36:10 <fweimer> FWIW, the general consensus on the Debian side is that embargoes do not prevent people from contributing.
14:37:02 <fweimer> I don't think Fedora has to worry about that.
14:39:00 <Sparks> fweimer: Well, one thing I see as a problem is our build infrastructure is all open so we really couldn't stage fixes ahead of an embargo expiration
14:40:21 <fweimer> Sparks: firefox needs 4.5 hours.  Is that really significant?
14:40:29 <Sparks> no
14:40:30 <zoglesby> yes, so we rush like crazy to fix it after the fact!
14:40:42 <Sparks> zoglesby: Well, that's what we already do.
14:40:51 <Sparks> zoglesby: So...  what does advance notice give us?
14:40:54 <fweimer> Sparks: Then the question is how much QA you can do in secret.
14:41:29 <fweimer> zoglesby: The challenge for Debian is to make the fixes happen at all, in a fairly consistent fashion.
14:41:34 <Sparks> #idea We establish a trusted relationship with Red Hat to get embargo notice on Fedora-only shipped packages.
14:41:48 * mhayden heard those Red Hat people are fairly nice
14:42:29 <fweimer> Sparks: Or bypass Red Hat and apply for distros membership directly.  Might be easier.
14:42:46 <Sparks> mhayden: They're all a$$holes.  :)
14:42:51 <Sparks> fweimer: We could.
14:42:53 <mhayden> Sparks++
14:43:01 <Sparks> mhayden: Especially me
14:43:31 <Sparks> I think we'd need to get a SOP written regarding handling such things.
14:43:34 <mhayden> i still get confused on the legal status of 'Fedora' and who has the authority to do memberships like that
14:43:37 <FabioOlive> how much of the process would we be able to perform during embargo? if we can only have public infrastructure, I'm thinking we could only get a maintainer to prepare a build locally, test it locally, and then push it into the build system and all immediately after unembargo
14:44:00 <Sparks> FabioOlive: Well, that would buy us a little time
14:44:12 <FabioOlive> yeah, could already be beneficial
14:44:13 <Sparks> mhayden: 'Fedora' has no legal status
14:44:27 <mhayden> well that solves it
14:44:46 <pjones> FabioOlive: there's already been some discussion with mikem about how to do that sort of thing in koji 2
14:45:19 <Sparks> FabioOlive: Step 2, eradicating all embargoes
14:45:42 <FabioOlive> Sparks: yeah, unfortunately that won't happen
14:46:15 <Sparks> Okay, we're getting short on time here.  Does someone want to write up a summary of this discussion and put it on the security team list?
14:47:02 <FabioOlive> Sparks: I can probably read up the logs and write a summary, considering I haven't been able to do anything for FST lately
14:47:12 <FabioOlive> I would feel less guilty :)
14:47:17 <bress> Sparks: I wasn't paying attention. I shouldn't be on that list, or own it.
14:47:37 <Sparks> #action FabioOlive to write up a summary of the embargo discussion and send it to the security team list.
14:47:40 <Sparks> bress: Ack
14:48:13 <d-caf> #link https://fedoraproject.org/wiki/Legal:Main#Legal
14:48:22 <d-caf> #link https://www.redhat.com/en/technologies/linux-platforms/articles/relationship-between-fedora-and-rhel
14:48:38 <d-caf> Just for background info on the relation (as documented)
14:48:45 <FabioOlive> nice
14:50:19 <Sparks> bress: Okay, you're gone.
14:50:31 <Sparks> Okay, so we'll move this discussion to the list.
14:50:42 <Sparks> #topic Outstanding BZ Tickets
14:50:47 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 44 (+5), Moderate 402 (0), Low 156 (0), Total 558
14:50:51 <Sparks> #info Current tickets owned: 82 (~15%)
14:50:55 <Sparks> #info Tickets closed: 372 (0)
14:50:58 <Sparks> #info Tickets closed: 372 (0)
14:51:05 <Sparks> Anyone have anything ticket-wise?
14:51:28 <mhayden> qemu passed up cacti for the most CVEs
14:51:30 <mhayden> ;)
14:51:35 <d-caf> I grabbed some old challenge tickets, but haven't moved much on them
14:51:47 <d-caf> They had been owned previously but then disowned and never picked up
14:52:44 <d-caf> nothing beyond taht
14:52:50 <d-caf> taht/that
14:53:19 <Sparks> Okay
14:53:23 <Sparks> mhayden: heh
14:53:30 <Sparks> #topic Open floor discussion/questions/comments
14:53:39 <Sparks> Anyone have anything?
14:53:54 <Astradeus> yeah
14:54:07 <Astradeus> i've pushed db-support for the report-tool
14:54:42 <Sparks> Astradeus++
14:54:42 <zodbot> Sparks: Karma for astra changed to 1 (for the f22 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:55:06 <Astradeus> (currently via github-fork -> github:mhayden -> security-team-repo) ^^
14:55:31 <Astradeus> cookies! :)
14:55:56 <Astradeus> i'm thinking of splitting it up into a write-tool (fetch stats and save them)
14:56:05 <Astradeus> and into a read-tool (generate report)
14:56:30 <Astradeus> the write-tool could maybe be integrated somewhere as a cronjob or alike?
14:57:09 <Astradeus> also: is there a db-cluster (preferably pgsql or something) to write to - currently it creates a simple sqlite3-file
14:57:43 <Sparks> Astradeus: I'll let you and mhayden figure out the bits.
14:57:44 <Sparks> :)
14:58:39 <Astradeus> for the integration into fedora-infrastructure i'll need your help - i haven't done much in the fedora ecosystem until now ;)
14:59:23 <Sparks> Okay, anyone have any last second things to say?
14:59:50 <Sparks> #endmeeting