fedora_security_team
MINUTES
14:00:57 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:57 <zodbot> Meeting started Thu Sep 24 14:00:57 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:57 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:01:00 <Sparks> #meetingname Fedora Security Team
14:01:00 <zodbot> The meeting name has been set to 'fedora_security_team'
14:01:02 <Sparks> #topic Roll Call
14:01:04 * Sparks 
14:01:06 * d-caf 
14:01:09 * Astradeus 
14:02:50 * mhayden 
14:03:19 <Sparks> Oh good, the BZ upgrade broke my script.
14:03:52 <Sparks> mhayden: Does your script still work?
14:04:00 * mhayden looks
14:04:08 <Sparks> mhayden: Mine is coming back as "2" for each category.
14:04:20 <Sparks> Oh which I'm assuming is incorrect.
14:04:33 <mhayden> sorry, forgot to send out the summary today
14:05:28 <mhayden> Sparks: sent to ML just now
14:05:32 <Sparks> TU
14:06:07 <mhayden> https://lists.fedoraproject.org/pipermail/security-team/2015-September/000368.html
14:07:53 <Sparks> Okay, the agenda has been updated.
14:09:53 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:09:59 <Sparks> #topic Follow up on last week's tasks
14:10:06 <Sparks> mhayden to work with Ryan to get the article published
14:10:19 <Sparks> mhayden: This happened.  Anything you'd like to say here?
14:10:32 <mhayden> thanks for the help in getting that together, everyone
14:10:35 * mhayden will go check the stats
14:11:04 <Sparks> FabioOlive to write up a summary of the embargo discussion and send it to the security team list.
14:11:23 <Sparks> This happened as well.  I haven't responded, yet, but I have some ideas.
14:11:52 * Sparks thinks FabioOlive is not feeling well this morning and won't be joining us.
14:12:01 <Sparks> #topic Outstanding BZ Tickets
14:12:10 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 42 (-2), Moderate 409 (+7), Low 152 (-4), Total 603
14:12:42 <Sparks> #info The recent BZ upgrade has broken my script so I'll need to get that worked out OR I can just start using/relying on mhayden's script.
14:13:01 <Sparks> Anyone have anything regarding BZ tickets?
14:13:05 <mhayden> i just merged in Astradeus' sqlite changes in github
14:13:48 <Astradeus> and i just verified that that version still works with bugzilla
14:13:49 <Sparks> mhayden: I wonder how difficult it would be to use your script to create a web "dashboard" with pretty charts and such.
14:13:51 <mhayden> i'll give it a test
14:14:09 <mhayden> Sparks: if we have a database accessible, not terribly difficult
14:14:17 <mhayden> could even generate static html with it
14:14:20 <Sparks> We can still report basic numbers here but I've always wanted something better.
14:14:42 <Sparks> mhayden: I'll happily help out but I'm not really sure how to get from here to there.
14:15:31 <Sparks> mhayden: Maybe show how many FST members have how many tickets and their trends (how many tickets have each FST member helped close, etc).
14:16:04 <Sparks> mhayden: And it would be really nice if we could somehow feed that kind of data into fedmsg
14:16:08 <mhayden> totally
14:16:21 <mhayden> i'd be glad to help but $dayjob is heating up for the next 1-2 months :/
14:16:41 <Astradeus> i'd have some time, but i'd need requests ;)
14:16:54 <Sparks> #idea Use mhayden's script to create a dashboard and host it somewhere (fedorapeople?)
14:17:17 <threebean> where is this script?
14:17:18 <Sparks> #idea Somehow push information to fedmsg
14:17:32 <Sparks> mhayden: Should we just use github for devel?
14:17:43 <Sparks> mhayden: And, if so, could you post the URL?
14:17:57 <mhayden> https://github.com/major/fedora-meeting-report
14:17:58 <Astradeus> and i'd need someone to assist me a little bit with fedora infrastructure
14:18:06 <Sparks> #link https://github.com/major/fedora-meeting-report
14:18:19 <Sparks> mhayden: What's it written in?
14:18:28 <mhayden> python
14:18:36 * Sparks goes to find his python book
14:18:58 * mhayden has his head in openstack all day ;)
14:18:59 <threebean> ty.  FYI, we expect to have fedmsg messages from bugzilla in early 2016 (like, January).  but the date has been pushed back many times now..
14:19:15 <mhayden> threebean: i will buy you a breakfast taco when that's working :)
14:19:23 <mhayden> (that's like currency in south texas)
14:19:25 <Sparks> #action Sparks to add "issues" to fedora-meeting-report on github
14:19:26 <threebean> I will totally eat it, mhayden.
14:20:05 <Sparks> threebean: That will be awesome when that happens.
14:21:57 <Sparks> Okay, anything else on this?
14:22:59 <d-caf> nope, I'm still slammed at work so not much progress
14:23:10 <Sparks> d-caf: Understood
14:23:18 * Sparks summons FabioOlive to the room
14:23:25 <Sparks> #topic Handling embargoed issues
14:23:33 <Sparks> Sorry, I just added this to the agenda
14:23:44 <FabioOlive> .fas fleite
14:23:44 <zodbot> FabioOlive: fleite 'Fabio Olive Leite' <fabio.olive@gmail.com>
14:23:59 <FabioOlive> hmm that should have changed to fabio@olive.pro.br by now
14:24:19 <Sparks> #info We now have security@fp.o going to security-private@l.fp.o and we have a few people subscribed to security-private@l.fp.o.
14:24:52 <Sparks> FabioOlive: https://admin.fedoraproject.org/accounts
14:25:33 <Sparks> #info FabioOlive Started a discussion on security-team@l.fp.o regarding moving the FST into a more proactive role of handling security bugs.
14:25:47 <Sparks> Does anyone have anything they'd like to discuss regarding that?
14:26:36 <FabioOlive> how do we manage a private key for encrypted reports?
14:26:48 <Sparks> FabioOlive: I spoke with bress the other day...
14:26:54 <mhayden> #info 1,639 views on the fedoramag blog post about the security team
14:27:11 <Sparks> It appears we *could* create a GPG key and put it on several Yubikeys and hand those out.
14:27:17 <Sparks> #info It appears we *could* create a GPG key and put it on several Yubikeys and hand those out.
14:28:23 <Sparks> There would be a cost for the Yubikeys but, to me, that's the best way to handle distributing keys.
14:29:06 <Sparks> s/best/better
14:29:19 <FabioOlive> that is interesting, considering there is a cost, do we want to limit the participation in the private list?
14:29:27 <Sparks> There is likely a best way but it involves using hard/software that's proprietary
14:29:35 <FabioOlive> like 3 or 4 people at most, and obviously without too much turnover
14:29:48 <Sparks> That was my thought.
14:30:20 <Sparks> The responsibility of those people should be to open/manage a BZ ticket that's "private" and use that to keep upstream and packagers informed.
14:30:25 <Sparks> IMO
14:31:29 <FabioOlive> yeah.  any ideas for how we handle the BZs?  if we can't have private BZs, do we want to have "empty" BZs or something?
14:32:12 <Sparks> I wonder if we *could* have private BZs in this case.  We'd end up making the entire ticket public at some point in the future is that still bad?
14:32:17 <Sparks> mattdm: ^^^
14:32:27 * Sparks ponders who to talk with regarding that.
14:33:49 <Astradeus> what use do 'empty' BZs have?
14:35:00 <FabioOlive> yeah, they would just signal "a bug in component X", so it would be dumb
14:35:27 <FabioOlive> and if we open an empty bug and later on fill it with security stuff, it becomes obvious for the future "empty" bugs
14:35:46 <FabioOlive> sorry, I'm feeling particularly stupid today, been a bit sick
14:36:06 <Sparks> I don't like that idea.  We need a sane place to do work.
14:36:06 <Astradeus> so it would be for statistics?
14:36:20 <FabioOlive> yeah, forget I ever mentioned "empty" bugs
14:37:25 <Sparks> FabioOlive: I mean, it's an idea but I don't think it's very useful for what I feel we need.
14:37:30 <FabioOlive> yeah
14:37:46 <Sparks> Okay, I'll talk with mattdm OOB and see what he thinks.
14:37:50 <Sparks> Anyone have anything else?
14:37:56 <Astradeus> does anyone have an idea of the traffic on those security@-lists?
14:38:19 <Sparks> #action Sparks to talk with mattdm regarding private security tickets in BZ.
14:38:32 <Sparks> Astradeus: What's the question?
14:38:52 <Astradeus> i mean if it's 4 embargo-worthy tickets a month i'd say just keep it without a BZ-ticket until it is public
14:39:22 <Sparks> Astradeus: Well, how do we communicate, securely, with upstream and the packager?
14:39:39 <Sparks> Astradeus: And if we don't then what's the purpose of knowing about an embargoed issue ahead of time?
14:41:15 <FabioOlive> Sparks: can we use the private list only for getting the notification and assigning a responsible FST member to deal with it? then this FST member emails the maintainer privately, using their GPG key, and the maintainer talks to the upstream project, privately, to obtain the fix?
14:41:30 <Astradeus> so the idea is that only a few people have the private gpg key and have some means to distribute the issue to a bigger group (=security team or something alike) if necessary?
14:41:48 <FabioOlive> so the security-private list would serve only as a central point of contact and "dispatching" the work to the right maintainer
14:42:11 <FabioOlive> and maybe taking over the work in case of a non-responsive maintainer
14:42:25 <Astradeus> more or less what FabioOlive said^^
14:42:27 <Sparks> FabioOlive: Assuming that's all possible...
14:42:56 <FabioOlive> yeah, I'm trying to think of the workflow, and then we figure out the resources needed given the workflow
14:43:17 <Sparks> FabioOlive: Which is why I liked the idea of using BZ... It's a fairly common, secure means of communicating with all parties involved.
14:43:26 <FabioOlive> the goal being that we can prepare a security update during embargo in order to build and approve immediately after unembargo
14:43:55 <FabioOlive> Sparks: yeah, but can Fedora use private bugs? I don't know that, my only use of BZ has been with my Red Hat credentials.
14:44:27 <Astradeus> Sparks: what stops us from getting the same method for private tickets in BZ as the RH people?
14:44:37 <Sparks> FabioOlive: Assuming we can.  I'm going to talk with mattdm and then whomever he says I should talk with to get an answer on that.
14:44:55 <Sparks> Astradeus: Trust
14:45:18 <Astradeus> Sparks: so there is only one kind of private tickets?
14:45:46 <Sparks> Astradeus: Well, there are private and there are public.  The private tickets are private to a specific group.
14:46:16 <Sparks> Astradeus: Well, the specific group and whomever you add onto that ticket.
14:47:39 <Astradeus> i thought of asking for a tickettype whose tickets are private to e.g. the group "fedora-security"
14:48:00 <FabioOlive> yeah, we would need a fedora-security group in bugzilla, and having the people in the private security list be on that group
14:48:13 <Sparks> Yes.
14:48:15 <Sparks> That
14:48:42 <Astradeus> but let's see what new info we'll have next week :)
14:49:05 <Sparks> Okay, we'll carry this over to next week with a hopeful update on the listserv.
14:49:05 <FabioOlive> :)
14:49:11 <Sparks> Anyone have anything else before we move on?
14:51:06 <Sparks> #topic Open floor discussion/questions/comments
14:51:12 <Sparks> Anyone have anything?
14:51:38 <Astradeus> is it interesting in any way that medium-severity-tickets are growing?
14:51:52 <Sparks> Astradeus++ For his db work on mhayden's script
14:51:58 <Astradeus> thx :)
14:52:03 <Sparks> Astradeus++
14:52:05 <mhayden> Astradeus++
14:52:05 <zodbot> mhayden: Karma for astra changed to 2 (for the f22 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:52:11 <mhayden> MACAROONS FOR EVERYONE
14:52:15 <Sparks> What the heck?
14:52:17 <Astradeus> oha :)
14:52:30 <mhayden> wut
14:52:39 <CRob> yum
14:52:41 <Sparks> Astradeus: Medium-severity tickets will always be growing.
14:53:01 <Sparks> Astradeus: We can attack them as soon as we get all the Important ones out of the way.  :)
14:53:45 * Sparks contemplates an online video GPG key signing event for FST
14:54:47 * Sparks notes no one took the bait
14:54:50 <Sparks> Okay then
14:55:08 <Astradeus> i did think about it in terms like "what is this" ^^
14:55:34 <FabioOlive> Sparks: like people gather in a videoconf and speak their key fingerprints and people sign each others keys?
14:55:35 <Sparks> Astradeus: Ever participated in a key-signing event?
14:56:04 <Sparks> FabioOlive: I was thinking that if we all wrote them down and provided ID then it would be like doing it face-to-face
14:56:39 <Astradeus> Sparks: yes, standard key signing
14:56:39 <FabioOlive> yeah, as long as we can confirm the fingerprints in a way that is not easy to tamper with, like online video, maybe it will work :)
14:56:48 <Astradeus> never with video so far
14:56:52 * Sparks contemplates a blog post
14:57:00 <Sparks> #info https://sparkslinux.wordpress.com/?s=keysigning
14:57:11 <Sparks> Shameless plug
14:57:16 <FabioOlive> Sparks: let's try it out, wouldn't hurt
14:57:51 <Sparks> #action Sparks to start a discussion on the FST list regarding an online video GPG key signing event.
14:57:58 <Sparks> Anyone have anything else?
14:57:59 <Southern_Gentlem> Sparks, as long as it's a live video of the person
14:58:05 <Sparks> Southern_Gentlem: Right
14:58:23 <FabioOlive> then show a piece of paper with the ID printed out and spell it out
14:58:35 * Sparks figured putting something on his blog might yield someone's input of why it wouldn't be a good idea
14:58:37 <FabioOlive> multiple redundant confirmations of the information that would be hard to tamper with
14:58:52 <Southern_Gentlem> upload keys and everyone display their keys
14:59:23 <Sparks> Okay, anything else before we sign off for the day?
14:59:33 * Sparks notes there is another meeting starting imminently
15:00:05 <Sparks> Okay, thanks for coming out!  See you all on the interwebz.
15:00:08 <Sparks> #endmeeting