fedora_security_team
LOGS
14:02:58 <Astranox> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:02:58 <zodbot> Meeting started Thu Mar  4 14:02:58 2021 UTC.
14:02:58 <zodbot> This meeting is logged and archived in a public location.
14:02:58 <zodbot> The chair is Astranox. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:58 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:02:58 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:03:05 <Astranox> #meetingname Fedora Security Team
14:03:05 <zodbot> The meeting name has been set to 'fedora_security_team'
14:03:13 <Astranox> #topic Roll Call
14:03:24 <Astranox> .hello2 astra
14:03:25 <zodbot> Astranox: Sorry, but you don't exist
14:03:29 <Astranox> .fas2 astra
14:03:32 <copperi> .hello2
14:03:33 <zodbot> copperi: copperi 'Jan Kuparinen' <copper_fin@hotmail.com>
14:03:44 <Astranox> .fas astra
14:03:45 <zodbot> Astranox: astral '' <fas@lab.astral.rocks> - xubuntenor 'john lastra' <xubuntenor@gmail.com> - paulrm280 'Paul Mastrantonio' <paulrm280@yahoo.com> - sabroso 'Luis Alberto Pelaez' <charolastra@outlook.com> - ghostflower 'eric anthony sharrar' <astral_destination@yahoo.com> - thomastran 'Thomas Tran' <tho.tran@gmail.com> - oliviastrandberg 'Olivia Strandberg' <1156654@g.chelanschools.org> - katjastrauss72 'Katja Strauss'  (4 more messages)
14:03:52 <Astranox> .hello astra
14:03:53 <zodbot> Astranox: astra 'David Kaufmann' <astra@ionic.at>
14:04:03 <Astranox> finally. always get the wrong ones first..
14:06:31 <Astranox> I'd say we wait until :10, but it seems we're the only two for today
14:10:54 <copperi> so it does
14:11:19 <Astranox> #topic Follow up on last week's tasks
14:11:51 <Astranox> I'm not sure if there are open issues. there are a few items on last week's meeting's list though
14:12:35 <jsmith> Wow, it's been a long time since I've seen a security team meeting.
14:12:37 <jsmith> I'm lurking :-)
14:12:51 <jsmith> .hello
14:12:51 <zodbot> jsmith: (hello <an alias, 1 argument>) -- Alias for "hellomynameis $1".
14:12:57 <jsmith> .hello jsmith
14:12:58 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com>
14:13:13 <Astranox> oh, hi :)
14:14:13 <Astranox> I've checked both mentioned pages, it seems most links are fixed now
14:15:17 <Astranox> so I'd say this part is done
14:15:20 <Astranox> #topic Open floor discussion/questions/comments
14:15:40 <copperi> I think links were for the ideas of our mission. Is that up to date ?
14:16:16 <Southern_Gentlem> .hello jbwillia
14:16:17 <zodbot> Southern_Gentlem: jbwillia 'Ben Williams' <vaioof@gmail.com>
14:16:37 <Astranox> hi!
14:17:05 <Astranox> it is written in a very unspecific way, so it is difficult not to be up to date ;)
14:18:04 <Astranox> we could maybe remove the mention of "sub-teams" inside of fedora security team, as those don't really exist
14:20:50 <Astranox> fine for everyone?
14:21:21 <copperi> sure
14:21:55 <copperi> https://fedoraproject.org/wiki/Security_Team_Tasks has lots of todos
14:22:34 <Astranox> I'd keep the Vulnerability-Patching section, and remove the rest
14:22:57 <r3pek> hi guys. i didn't sign up for talking or anything, but i don't mind participating (since i do have interest)
14:23:22 <Astranox> sure, you're very welcome :)
14:23:25 <copperi> r3pek: you can talk anyways
14:24:13 <Astranox> do you know who is supposed to take care of the SecurityTracking bugs?
14:25:39 <Astranox> I'm seeing quite some SecurityTracking bugs, where the tracked bug is already closed
14:29:27 <Astranox> I'm thinking of just closing those bugs, but I'm not sure if this messes with anyone else. I also don't really know whom to ask
14:30:22 <Astranox> in the past they sometimes had the "fst_owner=" flag having someone from the security team as person, but it seems a lot of them don't get closed anymore since about 2016
14:32:02 <Astranox> (this affects both Fedora and Fedora-EPEL)
14:32:33 <Astranox> I'm also happy with any guesses, whom to ask about that. ;)
14:33:45 <copperi> Could ask bcotton and mattdm for ideas ?
14:34:47 <Astranox> sounds reasonable, I think I'll try that
14:38:09 <copperi> on security apprenticeship page we have on-the-job training:
14:38:12 <copperi> Shadow mentor through a ticket and patch process.
14:38:27 <copperi> Do we have that documented ?
14:38:54 <Astranox> I don't think so
14:39:39 <copperi> It could be a good start on documenting the flow
14:40:21 <Astranox> a bit of documentation is in https://fedoraproject.org/wiki/Security_Team_Work_Flow
14:42:27 <Astranox> there are a few hints in there too, that we are supposed to care about the tracking bugs. I'll still ask though, especially before letting a script do the cleanup
14:42:51 <copperi> Yes
14:44:44 <Astranox> #action Astra to check bugzilla for left-over SecurityTracking bugs
14:46:59 <Astranox> for the second point (shadow mentor) I think there was no real documentation necessary, this was just a "let's do a bug together"
14:47:23 <Astranox> more meant for lowering the initial hurdle
14:47:46 <mambang[m]> .hello robbinespu
14:47:47 <zodbot> mambang[m]: robbinespu 'Robbi Nespu' <robbinespu@gmail.com>
14:47:59 <Astranox> hi!
14:48:25 <mambang[m]> Hi
14:48:31 <copperi> Astranox: that is bad for likes of me: I follow well, I forget even faster ...
14:49:33 <copperi> Using checklist with following ...
14:49:58 <Astranox> I think it was less of a technical thing, more a "may I really click the save button on this bug and apply my changes, despite this not being my package"
14:50:18 <r3pek> yeah... that really depends on the amount of knowledge the apprentice already has... not that we're fixing bugs ourselves 😇
14:50:27 <copperi> ok
14:50:40 <Astranox> usually we can't, because only the packagers have in-depth knowledge
14:52:13 <Astranox> but we can offer help and try to make sure that the bug is handled somehow and does not remain open for years
14:57:36 <Astranox> do we have anything else? (the next meeting here is in half an hour, so we'd still have some time)
14:57:43 <mambang[m]> Sorry to interrupt. Where is the page you mentioned for fedora security apprentice?
14:58:02 <copperi> https://fedoraproject.org/wiki/Security_Team_Apprenticeship
15:00:22 <mambang[m]> Thanks. Link to security team goals is missing
15:02:32 <copperi> #action updating of wiki links needed
15:03:01 <Astranox> I think that can just be removed, I'm not sure if that ever existed
15:03:23 <copperi> There are others as well ...
15:03:44 <copperi> https://fedorahosted.org/secure-coding/  does not exist etc
15:03:48 <Astranox> the mission-page is also quite redundant
15:04:14 <copperi> so general clean up
15:04:45 <Astranox> yes. I think that secure-coding only moved
15:04:51 <Astranox> https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html
15:09:21 <copperi> that link was in the section "In addition to the Defensive Coding book the Security SIG is charged with creating training resources."
15:09:48 <Astranox> #action to update the wiki, still got a lot of broken links
15:10:00 <Astranox> ah, okay, then I think that is lost :/
15:10:17 <mambang[m]> If I recall, huzaifah said that one is outdated. The latest one is https://huzaifas.fedorapeople.org/public/defensive-coding/ correct me if I'm wrong
15:12:02 <Astranox> yes, that one says 2012-2018
15:12:42 <Astranox> and revision history is even newer
15:15:23 <Astranox> I think we should wait for huzaifas, maybe that can be pushed to official docs sometime
15:15:31 <Astranox> until then we should maybe link there
15:16:21 <copperi> linked there
15:16:24 <Astranox> \o/
15:18:19 <Astranox> anything else for this meeting? otherwise I'd close it in 5 minutes
15:21:13 <Astranox> #link https://huzaifas.fedorapeople.org/public/defensive-coding/
15:21:22 <Astranox> (for mentioning it in the meeting minutes)
15:23:19 <Astranox> thanks for attending!
15:23:20 <Astranox> #endmeeting