fedora_security_team
LOGS
14:00:27 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:27 <zodbot> Meeting started Thu May  5 14:00:27 2016 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:27 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:27 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:29 <Sparks> #meetingname Fedora Security Team
14:00:29 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:41 <Sparks> #topic Roll Call
14:00:42 * Sparks 
14:00:51 <linuxmodder> .hello  linuxmodder
14:00:52 <zodbot> linuxmodder: linuxmodder 'Corey W Sheldon' <sheldon.corey@openmailbox.org>
14:01:10 <skamath> .hello skamath
14:01:11 <zodbot> skamath: skamath 'Sachin S Kamath ' <sskamath96@gmail.com>
14:01:57 <linuxmodder> I may drop out  fyi  I'm on a  sketchy connect
14:02:23 <mhayden> .hello mhayden
14:02:24 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
14:03:16 * d-caf 
14:03:32 <d-caf> .hello d-daf
14:03:33 <zodbot> d-caf: Sorry, but you don't exist
14:03:38 <d-caf> LOL
14:03:55 <d-caf> .hello d-caf
14:03:56 <zodbot> d-caf: Sorry, but you don't exist
14:04:01 <linuxmodder> no ghosts or  illegals allowed :)
14:04:08 <d-caf> LOL
14:04:17 <d-caf> I'm so broken...
14:04:18 <linuxmodder> damn stowaways :)
14:04:52 <Astradeus> .hello astra
14:04:53 <zodbot> Astradeus: astra 'David Kaufmann' <astra@ionic.at>
14:04:56 * Sparks cleans up the queue for the FST FAS group
14:05:51 <Sparks> Okay, lets get started...
14:06:02 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:06:19 <linuxmodder> sidenote:  finishing  up edits on  install-guide for  pagure and  hitting  security-guide today  (may have  questions for the more  seasoned folks later )
14:06:31 <Sparks> linuxmodder: Awesome
14:06:51 <Sparks> #chair mhayden d-caf Astradeus linuxmodder
14:06:51 <zodbot> Current chairs: Astradeus Sparks d-caf linuxmodder mhayden
14:06:53 <d-caf> linuxmodder: cool!
14:06:59 <linuxmodder> planning to  pull out the selinux guide shoehorned stuff and  update/ validate selinux-guide as well
14:07:13 <linuxmodder> that later part is likely to be a pita
14:07:25 <d-caf> yeah linuxmodder! yeah SELinux!
14:07:25 <Sparks> linuxmodder: You might just be able to revert the import in git.
14:07:51 <Sparks> #topic Follow up on last week's tasks
14:07:54 * d-caf currently dealing with crond_t domain transitions to customer policies....
14:08:04 * Sparks notes pjp isn't here.
14:08:18 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over)
14:08:29 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs (carried over)
14:08:29 <linuxmodder> Sparks,  will tag up later with you for that then
14:08:43 <linuxmodder> for the 3rd week now :)
14:09:05 <Sparks> d-caf: Have you had a chance to look at the feature requests for private builds?
14:09:12 <d-caf> I have :-)
14:09:31 <linuxmodder> private builds were the embargoed build thing yes?
14:09:41 <Sparks> d-caf: Nice!  Okay, I'll set a topic for this meeting to talk about it, then.
14:09:47 <Sparks> linuxmodder: Yes
14:09:48 <d-caf> I spent several hours digging through Koji and Bodhi documentation and open tickets seeing what was/wasn't there for our goals
14:10:03 <Sparks> #action zoglesby to update the reading list for the Apprenticeship
14:10:22 <dgilmore> d-caf: nothing is there for your goals :(
14:10:23 <Sparks> #topic Private builds in infrastructure for embargoed bits
14:10:34 <Sparks> d-caf: Tell us what you've found out.
14:10:53 <d-caf> So, koji is actually a little closer to our goals than I thought
14:11:12 <dgilmore> d-caf: how?
14:11:22 <linuxmodder> buildoverrides ?
14:11:30 <dgilmore> d-caf: there is nothing in koji that is close to doing what you want
14:11:32 <dgilmore> or neeed
14:11:34 <dgilmore> need
14:11:37 <d-caf> Still probably needs a few things added, but looking over the policy language it seems that you can specify a lot of specific permissions per user
14:11:54 <dgilmore> d-caf: not really
14:12:27 <dgilmore> d-caf: and any build is visible, you are going to have to write a lot of code to hide a build until an embargo is lifted
14:12:30 <d-caf> So the policy language allows restricting what tags/tasks can be accessed
14:13:01 <dgilmore> d-caf: it does not
14:13:26 <d-caf> dgilmore: fine, I'll stop talking then
14:13:49 <d-caf> dgilmore: you are telling me no before i even finish writing anything
14:14:01 <Sparks> d-caf: Please continue
14:14:07 <dgilmore> d-caf: I will shut up
14:14:36 <Sparks> d-caf: And point to docs so we can clear up any confusion if what you are saying is, in fact, incorrect.
14:15:04 <d-caf> I will be a moment, I have to go find what I was reading over as I'm on a different computer
14:15:22 <d-caf> https://fedoraproject.org/wiki/Koji/Policies
14:16:14 <d-caf> So, in this policy there is the ability to confine things. based on tags
14:16:14 <Sparks> #link https://fedoraproject.org/wiki/Koji/Policies
14:17:20 <d-caf> Though we would need to get the policy expanded to better handle user perms (vs admin vs everyone else) there is potential there to restrict the builds.
14:17:50 <d-caf> not saying there isn't more work needed, but there is some framework to start from.
14:18:31 <d-caf> additionally there is the ability to restrict via list-targets and tags which could also be leveraged into this
14:18:58 <d-caf> but it would require some changes in the normal path/tagging for these special embargo instances
14:19:22 <d-caf> Bodhi on the other hand, well, that has next to nothing
14:19:40 <d-caf> I don't even really see much of a framework to start from
14:19:40 <Sparks> And then there's distgit
14:19:55 <d-caf> I didn't get to distgit, completely forgot about that.
14:20:28 <Sparks> dgilmore: Okay, your turn.  Are we confusing what's being said in the docs?
14:20:41 <d-caf> Koji needs work, but there is framework there to work with, bodhi will need a ton of work. didn't check distgit
14:21:08 <Sparks> #action Sparks to garden the Koji wiki pages to standardize the pages and add a category or two.
14:21:30 <d-caf> #link https://fedoraproject.org/wiki/Koji#Tags_and_Targets
14:22:07 <d-caf> Policy work with tags and targets, need to add better user support and likely interaction with outside repos
14:22:47 <d-caf> Will also need to consider what access of admins on this system (who "can" see all) with regard to embargoes
14:24:29 <Sparks> #action d-caf to continue working on private builds in koji, bodhi, and distgit.
14:24:30 <d-caf> Need to work with people (like dgilmore or pjp ) to help come up with a plan and lay out a series of tickets to create to help guide the work
14:24:37 <Sparks> Anything else?
14:25:14 <d-caf> dgilmore: I want your opinions and help, just need to give me a chance to lay out my mind :-) (no matter how insane it is sometimes)
14:27:13 <Sparks> Okay, moving on
14:27:27 <Sparks> #topic Windows/OS X Tools in F25
14:27:36 <Sparks> #link https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/I7JESRGWRWDXFDGODBUPTUL3KWTXAGVP/
14:27:43 <Sparks> grrr
14:28:02 <dgilmore> d-caf: sorry was looking at something else
14:28:05 <Sparks> #link https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/I7JESRGWRWDXFDGODBUPTUL3KWTXAGVP/
14:28:23 <Sparks> I just released this message to the list right before the meeting.
14:28:56 <Sparks> It appears that mattdm has asked that we sign off on some tools for Windows/OS X users.
14:29:51 <Sparks> The email isn't incredibly detailed as to what the question is.  Does someone want to follow up on this?
14:30:26 <d-caf> Sparks: unfortunately I'm going to have to drop out now as I have a realworld meeting.  I am very interested in what this windows/osx tool thing is, but can't take lead on it
14:30:31 <d-caf> catch you later.
14:30:37 <Sparks> d-caf: Okay, have a good day.
14:30:49 <Sparks> Anyone else?
14:31:04 <dgilmore> Sparks: the tool is supposed to download Fedora isos and install them onto a usb stick or disk
14:31:31 <Sparks> Okay, so it's the USB installer thingy that we currently have in Fedora but for Windows and OS X users?
14:31:48 <dgilmore> yeah
14:32:16 <Sparks> dgilmore: Is there a wiki page for this project or is it just living in email right now?
14:32:45 * Sparks isn't sure if we're being asked to review the code or the idea of making Windows/OS X software available.
14:32:50 <dgilmore> it was an accepted f24 change that has been postponed
14:33:25 <dgilmore> Sparks: some people want to build it on computers under their desks
14:33:31 <dgilmore> and ship those binaries
14:33:36 <Sparks> ewww
14:34:12 <dgilmore> I believe what has been asked is that the security team sign off on what level of risk is accepted in how we build and ship it
14:34:14 <Sparks> Do we have the means of compiling the software for non-Linux OSs within our infrastructure?
14:34:33 <dgilmore> Sparks: sounds like you guys need to ask more questions first
14:34:45 <Sparks> dgilmore: Yes
14:35:18 <Sparks> This conversation seems to be not happening on a list.  Is there a proper public place to have this discussion?
14:35:26 <dgilmore> koji supports windows natively and it may be possible for to use mingw to cross compile if they switch to c++
14:35:59 <dgilmore> Sparks: there is probably a few places it could be happening
14:36:21 <Sparks> dgilmore: Name one and I'll take it there.
14:36:33 <dgilmore> Sparks: Christian is supposed to follow up with a proposal
14:36:33 <Sparks> dgilmore: Otherwise, I'll just try to follow up the best I can.
14:37:34 <dgilmore> Sparks: I think a ticket is needed for the security team side of the discussion
14:37:42 <dgilmore> that is what Matthew asked for
14:38:01 <Sparks> #action Sparks to follow up on the shipping of non-Linux binaries of the USB ISO tool.
14:38:11 <Sparks> #action Sparks to create a ticket for the request
14:38:21 <Sparks> dgilmore: Okay, I'll take care of that, then.  Thanks.
14:38:55 <dgilmore> https://fedoraproject.org/wiki/Changes/LUCasPrimaryDownloadable
14:39:03 <dgilmore> thanks Sparks
14:39:19 <Sparks> #link https://fedoraproject.org/wiki/Changes/LUCasPrimaryDownloadable
14:39:33 <Sparks> Okay, moving along
14:39:39 <Sparks> #topic Outstanding BZ Tickets
14:39:40 <dgilmore> Sparks: if you have nothing else on your agenda I would like to give some follow up info on koji
14:39:47 <dgilmore> or at the end
14:39:54 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 88 (+8), Moderate 531 (+11), Low 182 (+2), Total 801 (+21)
14:40:06 <Sparks> dgilmore: Okay, I'll get you some time in just a moment
14:40:12 <Sparks> +Tickets by Severity-+-------+---------+
14:40:12 <Sparks> | Severity | Tickets | Owned | Unowned |
14:40:12 <Sparks> +----------+---------+-------+---------+
14:40:12 <Sparks> | medium   | 531     | 40    | 491     |
14:40:12 <Sparks> | low      | 182     | 13    | 169     |
14:40:14 <Sparks> | high     | 88      | 28    | 60      |
14:40:17 <Sparks> +----------+---------+-------+---------+
14:40:36 <Sparks> I suspect another bug round up would be nice to get these highs down a bit.
14:41:08 <Sparks> mhayden: You know, it would be nice to get some better statistics on these tickets.  Where does this code live, again?
14:41:27 <mhayden> the fedora-security-team repo
14:41:32 * Sparks is thinking he might be able to make some additions.
14:41:37 <Sparks> okay
14:41:43 <Sparks> mhayden: I'll send you some patches
14:41:55 <Sparks> Anyone have anything ticket-related to discuss?
14:42:00 <mhayden> hah okay
14:42:54 <Sparks> #topic Private builds in infrastructure for embargoed bits
14:43:02 <Sparks> dgilmore: Okay, go.  :)
14:43:29 <dgilmore> Sparks: thanks
14:43:47 <dgilmore> so koji's policies only have effect when doing builds and tagging
14:44:00 <dgilmore> and even then they are not very good
14:44:35 <dgilmore> for instance we can not stop someone doing kernel etc build that does not have the secure-boot permission
14:44:51 <dgilmore> we can only stop that build being tagged anywhere
14:44:56 * linuxmodder back will catch up the  interim from minutes
14:45:11 <dgilmore> all read items do not have any policy on them
14:45:45 <dgilmore> setting the policy is very fragile and covers a small subset of things
14:46:20 <Sparks> so far from bullet-proof
14:46:30 <dgilmore> right
14:46:37 <dgilmore> and it does not really confine anything
14:46:47 <dgilmore> it just redirects things
14:47:09 <Sparks> I may be imagining this but didn't you say that this was a feature request that was being investigated already?
14:47:18 <dgilmore> it may be possible to extend it to cover everything needed, but that will be a lot of work
14:47:38 <dgilmore> Sparks: it's something that has been asked for since we moved to koji
14:47:48 <Sparks> Okay
14:48:03 <Sparks> A lot of work?  What else do you have going on over there?
14:48:05 * Sparks ducks
14:48:10 <dgilmore> and every time it has been the conclusion has been it's too much work, too low a priority for something that will be rarely used
14:48:38 <dgilmore> there is maybe 3 or 4 times a year it would be useful
14:48:38 <Sparks> define "rarely"
14:48:44 <Sparks> true
14:48:50 <dgilmore> at least that we know of
14:48:57 <dgilmore> maybe if it was there it would be used more
14:49:06 <dgilmore> openjdk is the big one that would use it
14:49:09 <Sparks> dgilmore: Perhaps I can get more better numbers
14:49:19 <Sparks> dgilmore: Not saying that your numbers are inaccurate
14:49:23 <dgilmore> openssl maybe
14:49:34 <dgilmore> Sparks: there is a lot of unknowns
14:49:39 <dgilmore> that was our guess
14:50:26 <Sparks> dgilmore: I think I can pull out all the critical and important vulns that were embargoed prior to release for last year.
14:50:38 <dgilmore> Sparks: one area that is difficult
14:51:09 <dgilmore> take http://koji.fedoraproject.org/koji/buildinfo?buildID=760088
14:51:20 <dgilmore> it is a java-1.8.0-openjdk build
14:51:27 <dgilmore> say it was embargoed
14:51:44 <dgilmore> and we could hide all evidence of it from koji web
14:52:09 <dgilmore> the rpms and logs all exist https://kojipkgs.fedoraproject.org//packages/java-1.8.0-openjdk/1.8.0.91/5.b14.fc25/
14:52:26 <dgilmore> you would have to go searching for it
14:52:30 <dgilmore> but it could be found
14:52:35 <Sparks> hmmm
14:52:55 <dgilmore> we likely would have to do something in koji to make that hidden
14:53:10 <dgilmore> but allow people who need to test it have access
14:53:23 <Sparks> correct
14:53:40 <dgilmore> maybe hiding from koji-web is enough
14:53:56 <dgilmore> but allowing the api to expose it and kojipkgs access
14:54:18 <dgilmore> I am not 100% sure how far we have to go in order to ensure that it is not leaked
14:54:34 <dgilmore> so I err on the side of we need to limit all access
14:54:38 <Sparks> Well... I suspect having something out there is too much
14:54:42 <Sparks> yes
14:54:55 <Sparks> Okay, we'll continue to work on this and gather information
14:55:11 <dgilmore> kojipkgs is just apache running serving up data
14:55:17 <Sparks> #action Sparks to get stats on the number of vulns that were embargoed that affected Fedora/EPEL.
14:55:18 <linuxmodder> so kojipkgs  access would be  what   proven packagers?
14:55:24 <dgilmore> there is no application or logic controlling it
14:55:33 <dgilmore> linuxmodder: today its everyone
14:55:59 <dgilmore> something would need to be changed
14:56:19 <dgilmore> maybe instead of /packages they go in /embargo
14:56:23 <linuxmodder> and there is no 'current'  way to  use fas or kerberos to  restrict that ?
14:56:31 <dgilmore> and we have ssl cert auth or something on it
14:56:40 <dgilmore> linuxmodder: not currently
14:57:08 <linuxmodder> so a second  Fedora CA cert  like  koji login  needs now  ?  but  only for  embargoes?
14:57:10 <dgilmore> putting the output into a different namespace would be invasive in koji
14:57:15 <dgilmore> but would be doable
14:57:32 <linuxmodder> invasive how?
14:57:32 <dgilmore> linuxmodder: perhaps, or maybe just oauth
14:57:55 <linuxmodder> openid == oauth  isn't it
14:57:57 <dgilmore> linuxmodder: invasive in that we would need pretty significant code changes in koji to do it
14:58:06 <linuxmodder> ah
14:58:17 <dgilmore> and we would need to then have a way to make it unembargoed that put it in the regular location
14:58:41 <dgilmore> as that's where the tooling that makes repos would need it
14:59:10 <Sparks> Moar tools!
14:59:16 <linuxmodder> dgilmore,  couldn't we  just  make the  /embargo RO to 'world' users til some expiry date?
14:59:18 <Sparks> Okay, we're getting to the end of our hour
14:59:28 <linuxmodder> or  would that still require  more code / tools
14:59:50 <dgilmore> so in summary what d-caf looked at is just a small part of how it could be implemented
15:00:14 <dgilmore> but I guess that is more than dist-git and bodhi have
15:00:31 * linuxmodder still doesn't get  dist-git fully
15:01:00 <dgilmore> linuxmodder: dist-git is a few separate things
15:01:10 <dgilmore> cgit just reads what's on disk
15:01:36 <sct> Time for modularity WG meeting, is the previous meeting still running?
15:01:38 <Sparks> Okay, let's take this to the list or #fedora-security-team.
15:01:52 <sct> Thanks!
15:01:53 <Sparks> Thanks everyone for coming.  Catch you all on the tubez!
15:01:56 <Sparks> #endmeeting