fedora_security_team
MINUTES
14:25:50 <c0mrad3> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:25:50 <zodbot> Meeting started Thu Apr  7 14:25:50 2016 UTC.  The chair is c0mrad3. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:25:50 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:25:50 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:26:25 <c0mrad3> #chair Astradeus
14:26:25 <zodbot> Current chairs: Astradeus c0mrad3
14:27:14 <Astradeus> i think we can skip roll call ;)
14:27:36 <Astradeus> #topic Follow up on last week's tasks
14:28:38 <c0mrad3> #meetingname Fedora Security Team
14:28:38 <zodbot> The meeting name has been set to 'fedora_security_team'
14:29:22 <Astradeus> neither of d-caf, Sparks, pjp or zoglesby are in the channel, so we do not have any updates from any tasks
14:30:18 <c0mrad3> yes I am not sure where to get the Outstanding BZ Tickets Astradeus
14:30:37 <Astradeus> ah, mhayden sent them out via email
14:30:57 <Astradeus> there is a script somewhere querying the bugzilla and compiling a report
14:32:03 <Astradeus> #link https://git.fedorahosted.org/cgit/fedora-security-team.git/tree/report_generator.py
14:32:03 <c0mrad3> Astradeus: let's hit the open floor and discuss something else
14:32:42 <Astradeus> let's do the numbers first
14:32:50 <c0mrad3> Astradeus: I will try running the script and post it here
14:32:57 <c0mrad3> ack
14:33:08 <Astradeus> #topic Outstanding BZ Tickets
14:33:22 <Astradeus> +Tickets by Severity-+-------+---------+
14:33:23 <Astradeus> | Severity | Tickets | Owned | Unowned |
14:33:23 <Astradeus> +----------+---------+-------+---------+
14:33:23 <Astradeus> | medium   | 495     | 40    | 455     |
14:33:23 <Astradeus> | low      | 167     | 13    | 154     |
14:33:25 <Astradeus> | high     | 73      | 29    | 44      |
14:33:27 <Astradeus> +----------+---------+-------+---------+
14:34:17 <c0mrad3> Astradeus: cool!
14:35:04 <c0mrad3> tickets are increasing since the last week
14:35:12 <Astradeus> c0mrad3: are you already on the mailinglist? you should have received the mail from mhayden.
14:35:52 <Astradeus> yes, medium and high have increased, and low tickets have decreased
14:35:53 <c0mrad3> Astradeus: just now looked at them, it's like 43 min ago
14:38:17 <Astradeus> Critical 0 (0), Important 73 (+6), Moderate 495 (+10), Low 167 (-4), Total 735 (+12)
14:39:45 <Astradeus> i do have one ticket i probably can close this week without additional support, but I still hope the mentoring thing works out sometime this week :)
14:39:49 <Astradeus> next topic?
14:40:21 <c0mrad3> #topic Open floor discussion/questions/comments
14:40:53 <c0mrad3> Astradeus: did you contact your mentor on fixing your first bug ?
14:41:50 <Astradeus> no, we did not write this week - it also has been quite busy from my dayjob, so i did not have too much time myself.
14:43:09 <Astradeus> how about you?
14:43:29 <c0mrad3> I didn't email him either, I was attending a hackathon; I will email him after this meeting
14:43:58 <Astradeus> so busy too :)
14:44:57 <c0mrad3> Also need to read a lot of wiki and get used to the work cycle, and I have many doubts in my mind to clear
14:45:24 <Astradeus> any questions which might be quick to answer?
14:46:25 <c0mrad3> like what should we do if the vuln is fixed upstream in a newer version, should we package the newer one and send it as a security update?
14:47:17 <Astradeus> first contact the maintainer, usually the maintainer then builds a new update
14:47:36 <c0mrad3> what if they won't patch for the current version of the software ?
14:47:49 <Astradeus> it is currently sent as a regular update, because there is no special treatment for security patches
14:48:16 <Astradeus> we give them some timeframe in which we wait for a response
14:48:55 <c0mrad3> so all we do is look for security bugs and make sure that the maintainer updates the new package without the vuln ?
14:49:04 <Astradeus> if there is no answer and the vulnerability is serious, people from the proven-packagers-group can also package software and push it to the mirrors
14:49:12 <Astradeus> primarily, yes
14:49:35 <c0mrad3> okay! any other things that we do ?
14:51:03 <Astradeus> currently thinking about ways how to push security patches faster through the mirrors
14:51:28 <c0mrad3> ack, let's end the meeting
14:51:46 <Astradeus> as the fedora security team is still building up - how to establish trust
14:52:24 <Astradeus> because e.g. the redhat security people or the debian security people do get information way earlier (embargoed vulns)
14:52:48 <c0mrad3> yes I get it, the vulns shouldn't be shown to everyone
14:53:20 <Astradeus> so fedora could be faster to push patches if we have a group which is trusted to see embargoed vulns
14:53:55 <Astradeus> (at least for some time - i'm definitely on the side that vulns should be public after some reasonable timeframe)
14:54:18 <Astradeus> i think those two things are currently the main issues
14:54:31 <c0mrad3> only after they are fixed / updates are available
14:54:43 <c0mrad3> they should be made public
14:55:08 <Astradeus> ah, and maybe to try to be advisors for security questsions other fedora-groups might have
14:55:39 <Astradeus> *questions
14:56:07 <Astradeus> or questions regular fedora-users might have
14:56:09 <c0mrad3> #endmeeting