fedora_security_team
LOGS
14:16:10 <mhayden> #startmeeting Fedora Security Team
14:16:11 <zodbot> Meeting started Thu Apr 21 14:16:10 2016 UTC.  The chair is mhayden. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:16:11 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:16:11 <zodbot> The meeting name has been set to 'fedora_security_team'
14:16:20 <mhayden> #meetingname Fedora Security Team
14:16:20 <zodbot> The meeting name has been set to 'fedora_security_team'
14:16:52 <mhayden> #info Use the RHEL 7 security guide as initial reading for now
14:17:27 <mhayden> #action Rewrite the Fedora Security Guide to be more of what we're looking for
14:18:04 <mhayden> What items from the information security training page are valuable?
14:18:22 <mhayden> #link https://fedoraproject.org/wiki/Information_Security_Training
14:19:08 <mhayden> #info Fedora Defensive Coding docs could be useful, but may need some updating
14:19:12 <mhayden> #link https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html
14:19:40 <mhayden> Some of the publican issues may preclude the docs work
14:19:58 <mhayden> The content for the secure coding docs exists inside fedorahosted, not inside Red Hat
14:20:53 <mhayden> We may need to review our mission statement to figure out which docs should be needed
14:22:02 <mhayden> Need to understand CWE and CDE data (I think I spelled those acronyms correctly) :)
14:22:22 <mhayden> Some of the information is internal to RHT, but could be publicized possibly
14:22:28 <mhayden> s/CDE/CVE/ ^^
14:22:55 <mhayden> #action Sparks to make it so on this CWE/CVE business
14:24:45 <mhayden> RHT has some internal guidelines around introducing new folks to the product security team roles/responsibilities
14:24:58 <Sparks> #link https://access.redhat.com/security/updates/classification
14:24:59 <mhayden> Some of these could be helpful
14:25:32 <mhayden> CVE FAQ from MITRE could be helpful
14:25:47 <mhayden> A writeup exists on handling embargoes
14:25:57 <mhayden> #link https://cve.mitre.org/about/faqs.html
14:26:13 <mhayden> Secure source code is important (hashing, signing code, etc)
14:26:14 <Sparks> #link http://www.candlepinproject.org/presentations/pki-crash-course
14:26:21 <mhayden> Sparks has something super hot we must look at ^^
14:27:32 <mhayden> RHT has checklists internally so that people get familiar with all of the aspects of working with security issues
14:27:39 <mhayden> May be able to be Fedora-tized
14:28:15 <mhayden> #chair mhayden Sparks
14:28:15 <zodbot> Current chairs: Sparks mhayden
14:28:34 <mhayden> #info Understanding packaging is important
14:29:03 <mhayden> #link https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
14:32:55 <mhayden> Astradeus suggested the Applied Crypto Hardening PDF
14:32:58 <mhayden> #link https://bettercrypto.org/static/applied-crypto-hardening.pdf
14:34:49 <Astradeus> is it useful to provide some example case how we do stuff?
14:34:50 <mhayden> #info this should be opinionated and about how "we" do things as opposed to just security work in general
14:35:18 <mhayden> Astradeus: good question -- we could cover that topic next
14:40:16 <mhayden> #info Everything sparks touches turns to gold :)
14:40:55 <Astradeus> just a basic "search bug -> bug maintainer -> provide / check fix -> bug maintainer again -> close bug" or something alike maybe would be useful?
14:41:19 <Sparks> .whoowns openssl
14:41:19 <zodbot> Sparks: tmraz
14:42:12 <mhayden> #info Would be nice to find an example of a security packaging fix done by a non RHT person
14:43:14 <mhayden> #agree Heartbleed was a very sad time all around
14:44:12 <mhayden> oops, i should have used agreed, i guess
14:44:20 <mhayden> #agreed Heartbleed was a very sad time all around
14:44:52 <Sparks> .whoowns xen
14:44:52 <zodbot> Sparks: myoung
14:44:59 <Sparks> .fasinfo myoung
14:45:00 <zodbot> Sparks: User: myoung, Name: None, email: m.a.young@durham.ac.uk, Creation: 2009-02-12, IRC Nick: None, Timezone: None, Locale: None, GPG key ID: None, Status: active
14:45:03 <zodbot> Sparks: Approved Groups: cla_fedora cla_done packager fedorabugs cla_fpca
14:46:14 <mhayden> #info Xen security bugs could be an example -- XSA-108 was a good one
14:48:00 <Sparks> #link https://access.redhat.com/sites/default/files/riskreportgraphics_branded_unbrandeedissues_final_v2.png
14:48:08 <mhayden> Sparks: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7188
14:48:36 <skamath> Hello Security Team :) I'm new here.
14:48:46 <mhayden> howdy skamath!
14:48:52 <mhayden> we're wrapping up
14:49:17 <skamath> Ah, I must have come early
14:49:19 <mhayden> #action Apprentice wiki page will be updated soon
14:49:26 <Astradeus> hi skamath, most of the meeting goes on google-hangouts, so you're currently only getting parts of the conversation
14:49:37 <mhayden> skamath: we're having a special meeting today
14:49:43 <mhayden> to discuss our apprentice program
14:49:51 <mhayden> 99.9% of our meetings are here in this channel on irc
14:50:06 <Sparks> 99.999999%
14:50:09 <skamath> Thank you for the welcome :) Sounds good!
14:50:28 <linuxmodder> skamath,  https://plus.google.com/hangouts/_/mhtx.net/fst-hangout
14:50:38 <skamath> Err, is there a 'procedure' to join the Security Team?
14:50:50 <Astradeus> skamath: there will be :)
14:50:58 <mhayden> #action Sparks will ask if he can share some of his internal security apprentice information
14:51:06 <linuxmodder> skamath, that is the bulk of the content for today
14:51:06 <mhayden> skamath: *that* is the topic of today's meeting
14:51:28 <Sparks> skamath: We usually hangout in #fedora-security-team
14:51:37 <Sparks> ...when we're not meeting
14:51:52 <skamath> #fedora-security is different?
14:52:21 <skamath> Oh and sorry for interrupting. I'll catch you people later on #fedora-security-team
14:52:27 <mhayden> skamath: no need to be sorry!
14:52:39 <Sparks> skamath: #fedora-security is a general channel.
14:52:42 <mhayden> we're working on some stuff to make it more straightforward for new members to join
14:53:17 <skamath> mhayden++ Sparks++ Astradeus++ Cookies for all :)
14:53:19 <zodbot> skamath: Karma for mhayden changed to 4 (for the f23 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:53:22 <zodbot> skamath: Karma for sparks changed to 1 (for the f23 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:53:25 <zodbot> skamath: Karma for astra changed to 2 (for the f23 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:53:31 * mhayden scarfs his cookie
14:53:32 <mhayden> thanks skamath
14:53:41 <Astradeus> *nom* :)
14:53:45 <mhayden> any other notes to add here? we're about to wrap
14:53:49 <Sparks> Mmmm.... chocolate chip cookie
14:54:02 * mhayden toots the meeting horn
14:54:24 <mhayden> okay, i'll close it up before someone mentions heartbleed again
14:54:27 <mhayden> thanks, everyone!
14:54:29 <mhayden> #endmeeting