Meeting started at 2026-05-28 15:00:36 UTC

The Meeting name is 'Fedora Meeting 3'

The Meeting Name is now security-sig

!hi

Chris (py0xc3): Christopher Klooz (py0xc3) - he / him / his

derp

!hi

Fabio Valentini: Fabio Valentini (decathorpe) - he / him / his

Unless the author is here and has a point, I see no need to discuss the ticket about the TPM issue. I left a note there: it's worth to be kept open and to keep it updated with what happens upstream, follow the case and help/test/feedback when related builds reach Fedora, or earlier if someone has and wants to invest time.

But see no need to do more about it for now (unless someone has different thoughts about it?)

Yeah I don't think we need to do anything here. If you want to use TPM-backed disk encryption you're on your own anyway since that's not supported by our installer(s) AFAIK

Agreed

Even if people use it, an exploitation has noteworthy requirements. If people work with best practices, an average user of Fedora is not likely to end up in a practical attack scneario

an average Fedora user doesn't use TPM-backed FDE 😆

the tautologies are back 😵‍💫

I don't think there's even documentation for how to do this

ha

Not from us, at elast nothing official. But some magaze articles I think

Did anyone read Adam Williamson's email yesterday to the dev mailling list titled 'Inaccurate and apparently-unsupervised actions by agentic AI system under your control'

Not from us, at least nothing official. But some magazine articles I think

yeah

I think that's the case of a packager whose credentaisl ahve been stolen ?

I think that's the case of a packager whose credentials have been stolen ?

that was one claim, but as Adam points out, there's several possibilities that we have no way to confirm.

cause... to be fair... that's exactly what an attacker woudl say to hand wave away suspicion.

Ok, yeah, I skimmed the last two emails. Not the whole case.

right

well he did say he's gonna treat us to dinner at Flock, so ... I think we'd notice if it's 12 roombas in a trenchcoat

he'll have the roombas at home pushing PRs why he's wining and dining you all night long. haha

(They were not a packager, only in the qe group)

I just wanted to check to see if everyone was aware, since apparnetly some of those PRs hit the installer and it's possible that we might get some questions from others about it.

AI and agentic stuff is an issue all projects are going to have to take a stance on at some point. I dont personally mind AI as long as its HITL, and everything is getting reviewed well before it ever hits a git forge

the PR for anaconda was reverted

Alright, since it seems to be a slower week, I'm going to go ahead and call the meeting here. As always, continue the conversation in the security channel.