fedora_security_team
MINUTES
14:01:10 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:01:10 <zodbot> Meeting started Thu Apr 14 14:01:10 2016 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:10 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:01:10 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:01:13 <Sparks> #meetingname Fedora Security Team
14:01:13 <zodbot> The meeting name has been set to 'fedora_security_team'
14:01:16 <Sparks> #topic Roll Call
14:01:35 <linuxmodder> .hellomynameis corey84
14:01:36 <zodbot> linuxmodder: corey84 'Corey Sheldon' <sheldon.corey@gmail.com>
14:01:58 <linuxmodder> mattdm, you here with us today?
14:03:17 <Southern_Gentlem> .hello jbwillia
14:03:17 <zodbot> Southern_Gentlem: jbwillia 'Ben Williams' <vaioof@yahoo.com>
14:03:30 * zoglesby 
14:03:52 <linuxmodder> c0mrad3 said he'd be absent
14:05:39 <Sparks> Okay, let's get started
14:05:46 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:06:04 <Sparks> #chair zoglesby Southern_Gentlem linuxmodder
14:06:04 <zodbot> Current chairs: Southern_Gentlem Sparks linuxmodder zoglesby
14:06:29 <Sparks> #topic Follow up on last week's tasks
14:06:47 <Sparks> #action  pjp to give a status update on security policy in the wiki (carried over)
14:06:59 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs (carried over)
14:07:10 <Sparks> #action pjp and d-caf to work on the feature requests for Koji and Bodhi for private builds for embargoed vulnerabilities. (carried over)
14:07:35 <Sparks> zoglesby: I have down here that you were supposed to take the Apprenticeship discussion to the list.
14:07:51 <Sparks> zoglesby: I believe you did this...  Was there an outcome?
14:10:06 <zoglesby> no
14:10:16 <zoglesby> it was taken to the list, I would like to think people are reading docs
14:10:42 <Sparks> ha!
14:11:02 <mhayden> i read through it after i saw it on the list -- i think we had talked about taking the big list and breaking it into maturity levels
14:11:08 <Sparks> #topic Apprenticeship
14:11:17 <Sparks> #link https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/NCCG4ZFQ4IWA62OV4FVAIOMJQPE6Y7NR/
14:11:19 <mhayden> so that people would know which content they ought to review based on their maturity level in information security
14:11:38 <zoglesby> that is the plan
14:11:44 <zoglesby> just need to execute on it
14:11:46 <Sparks> I see no responses to the email...
14:12:39 <Sparks> zoglesby: What are next steps?
14:12:48 <linuxmodder> I have had little time this week to do anything on it
14:12:50 <linuxmodder> :(
14:12:58 <Sparks> ditto
14:13:26 <zoglesby> Read and respond to what you think is good for first level
14:13:48 <linuxmodder> on that note for open floor I'd request a review of a blog post for WP / likely the commblog as well on badlock
14:13:54 <mhayden> i wonder if we could do our next meeting via videoconference and just work through it there
14:14:03 <mhayden> we could tag each one and then sort them when the call is over
14:14:27 <Sparks> mhayden: I'm not against that
14:14:43 <mhayden> perhaps a google hangout?
14:14:55 <zoglesby> I *should* be able to do that as well
14:15:09 <linuxmodder> I'd be cool with that
14:15:11 <Sparks> mhayden: I'll let you take the lead on that.
14:15:18 <mhayden> we could get the discussion done real-time and one person could share their screen
14:15:36 <mhayden> Sparks: sure -- i'll send a meeting invitation to the list
14:15:44 <Sparks> #agreed Next week's meeting will be held via video-teleconference to work through the Apprentice training
14:16:13 <mhayden> any objections if i just send a google calendar invitation directly to the list?
14:16:52 <linuxmodder> nfm
14:17:08 <Sparks> mhayden: Might want to follow up to the invite with exactly what we're trying to do if it isn't clear from the invite.
14:17:35 <mhayden> agreed
14:17:57 <mhayden> #action mhayden to send an invitation for a VC meeting next week with detailed agenda for reviewing security docs in the wiki
14:18:18 <mhayden> zoglesby++
14:18:18 <zodbot> mhayden: Karma for zoglesby changed to 3 (for the f23 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:18:26 <linuxmodder> #help -- review of post for personal / commblog http://fpaste.org/355375/
14:18:27 <mhayden> thanks for keeping this thing going
14:18:46 <Sparks> #topic Handling embargoed vulnerabilities
14:18:58 <Sparks> Neither pjp nor d-caf is here to talk about this.
14:19:06 <zoglesby> :
14:19:09 <zoglesby> :(
14:19:15 <Sparks> #action Sparks to follow up with pjp and d-caf on this project.
14:19:25 <linuxmodder> on that with this week's unembargoed ^^ badlock planned post on that link
14:19:26 <Sparks> #info pjp and d-caf were supposed to be working with Koji and Bodhi folks to figure out private builds (carried over)
14:19:39 <Sparks> #topic Outstanding BZ Tickets
14:19:45 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 72 (-1), Moderate 510 (+15), Low 169 (+2), Total 751 (+16)
14:19:58 <Sparks> +Tickets by Severity-+-------+---------+
14:19:58 <Sparks> | Severity | Tickets | Owned | Unowned |
14:19:58 <Sparks> +----------+---------+-------+---------+
14:19:58 <Sparks> | medium   | 510     | 40    | 470     |
14:19:58 <Sparks> | low      | 169     | 13    | 156     |
14:20:00 <Sparks> | high     | 72      | 29    | 43      |
14:20:03 <Sparks> +----------+---------+-------+---------+
14:20:18 <Sparks> Anyone have anything to discuss ticket-wise?
14:20:48 <linuxmodder> I should have cycles to tackle a few this week but not on any active tickets
14:21:40 <Sparks> #topic Open floor discussion/questions/comments
14:21:45 <Sparks> Anyone have anything?
14:22:11 <linuxmodder> had some interest at bitcamp for security member joins working on follow ups
14:22:37 <linuxmodder> #link http://fpaste.org/355375/ < proposed badlock post for planet
14:22:42 <linuxmodder> nffm
14:22:43 <Sparks> linuxmodder: I'm sure that would have made better sense had there not been a shortage of punctuation.
14:23:16 <linuxmodder> Sparks, following up with some attendees at bitcamp that showed interest
14:23:37 <Sparks> linuxmodder: I'm sure that even if you were in a SCIF you likely heard about Badlock
14:23:51 <linuxmodder> lol
14:23:54 <zoglesby> also it is now in the main repo
14:23:55 <zoglesby> https://bodhi.fedoraproject.org/updates/FEDORA-2016-be53260726
14:24:11 <Sparks> gd++
14:24:11 <zodbot> Sparks: Karma for gd changed to 1 (for the f23 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:24:23 <linuxmodder> noted
14:24:35 <Sparks> #info gd got the patches out for Fedora fairly quickly for Samba
14:24:41 <linuxmodder> that was from yesterday before that dropped will update
14:25:14 <linuxmodder> any other issues / comments are welcome
14:25:14 <Sparks> It's important to note that Badlock was not a critical bug.
14:25:46 <linuxmodder> it was only Important, correct?
14:25:50 <Sparks> ...in spite of all the hype
14:25:52 <Sparks> correct
14:26:12 <linuxmodder> critical has the criterion of active 0day no?
14:26:49 <Sparks> linuxmodder: Not necessarily.  It has to be remotely exploitable, I think.
14:27:19 <Sparks> #link https://access.redhat.com/security/updates/classification/
14:27:21 <linuxmodder> remote with no user interact seems logical
14:27:35 <Sparks> #info Critical Impact - This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.
14:28:37 <linuxmodder> the fact badlock required auth users saved it from that
14:29:07 <linuxmodder> any other mods from the post before I publish it?
14:29:07 <Sparks> I don't think the dust has settled completely on this vuln.
14:29:15 <linuxmodder> nor do I
14:29:27 <linuxmodder> residuals would not  surprise me
14:29:30 <mhayden> invitation sent for next week -- let me know if i am missing detail
14:29:35 <Sparks> I didn't really read through it for accuracy as I've been overexposed to it now.
14:29:41 <linuxmodder> as this partly allowed drown
14:29:47 <Sparks> mhayden++
14:29:55 <mhayden> oh no -- i scheduled it for *today*
14:29:58 <linuxmodder> the links were to the access.rh links
14:29:59 <mhayden> rather than next thurs :P
14:30:01 * mhayden goes to fix
14:30:02 <Sparks> mhayden--
14:30:08 <zoglesby> lol
14:30:25 <linuxmodder> and wiki pages or official docs for the 'terms'
14:30:55 <Sparks> Okay, anything else?
14:31:12 <linuxmodder> if anyone else can give it an accuracy check that would be great
14:31:39 <linuxmodder> << EOF
14:32:12 <Sparks> #info mhayden wins the weekly prize of having sent the most mail to the list over the last 30 days.
14:32:31 <Sparks> And that's all I have.
14:32:44 <mhayden> :|
14:32:47 <mhayden> oopsies
14:32:50 <Sparks> Join us again, next week, when we do this all over again!
14:32:54 <mhayden> #makemailinglistsgreatagain?
14:33:02 <Sparks> mhayden++
14:33:04 <mhayden> haha
14:33:11 * mhayden orders a red hat
14:33:22 <mhayden> more like a red cap
14:33:30 <Sparks> Okay, see you all in the Intertubez!
14:33:33 <Sparks> #endmeeting