======================================================================================================
#fedora-meeting: Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
======================================================================================================
Meeting started by Sparks at 14:00:57 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-09-24/fedora_securit...
Meeting summary
---------------
* Roll Call (Sparks, 14:01:02)
* LINK: https://lists.fedoraproject.org/pipermail/security-team/2015-September/00... (mhayden, 14:06:07)
* Participants are reminded to make liberal use of #info #link #help
in order to make the minutes "more better" (Sparks, 14:09:53)
* Follow up on last week's tasks (Sparks, 14:09:59)
* Outstanding BZ Tickets (Sparks, 14:12:01)
* Thursday's numbers: Critical 0 (0), Important 42 (-2), Moderate 409
(+7), Low 152 (-4), Total 603 (Sparks, 14:12:10)
* The recent BZ upgrade has broken my script so I'll need to get that
worked out OR I can just start using/relying on mhayden's script.
(Sparks, 14:12:42)
* IDEA: Use mhayden's script to create a dashboard and host it
somewhere (fedorapeople?) (Sparks, 14:16:54)
* IDEA: Somehow push information to fedmsg (Sparks, 14:17:18)
* LINK: https://github.com/major/fedora-meeting-report (mhayden, 14:17:57)
* LINK: https://github.com/major/fedora-meeting-report (Sparks, 14:18:06)
* ACTION: Sparks to add "issues" to fedora-meeting-report on github
(Sparks, 14:19:25)
* Handling embargoed issues (Sparks, 14:23:25)
* We now have security(a)fp.o going to security-private(a)l.fp.o and we
have a few people subscribed to security-private(a)l.fp.o. (Sparks,
14:24:19)
* FabioOlive Started a discussion on security-team(a)l.fp.o regarding
moving the FST into a more proactive role of handling security bugs.
(Sparks, 14:25:33)
* 1,639 views on the fedoramag blog post about the security team
(mhayden, 14:26:54)
* It appears we *could* create a GPG key and put it on several
Yubikeys and hand those out. (Sparks, 14:27:17)
* ACTION: Sparks to talk with mattdm regarding private security
tickets in BZ. (Sparks, 14:38:19)
* Open floor discussion/questions/comments (Sparks, 14:51:06)
* https://sparkslinux.wordpress.com/?s=keysigning (Sparks, 14:57:00)
* ACTION: Sparks to start a discussion on the FST list regarding an
online video GPG key signing event. (Sparks, 14:57:51)
Meeting ended at 15:00:08 UTC.
Action Items
------------
* Sparks to add "issues" to fedora-meeting-report on github
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to start a discussion on the FST list regarding an online video
GPG key signing event.
Action Items, by person
-----------------------
* Sparks
* Sparks to add "issues" to fedora-meeting-report on github
* Sparks to talk with mattdm regarding private security tickets in BZ.
* Sparks to start a discussion on the FST list regarding an online
video GPG key signing event.
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* Sparks (97)
* FabioOlive (24)
* mhayden (22)
* Astradeus (20)
* zodbot (5)
* threebean (3)
* d-caf (2)
* Southern_Gentlem (2)
* CRob (1)
14:00:57 <Sparks> #startmeeting Security Team Meeting - Agenda:
https://fedoraproject.org/wiki/Security_Team_meetings
14:00:57 <zodbot> Meeting started Thu Sep 24 14:00:57 2015 UTC. The chair is
Sparks. Information about MeetBot at
http://wiki.debian.org/MeetBot.
14:00:57 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link
#topic.
14:01:00 <Sparks> #meetingname Fedora Security Team
14:01:00 <zodbot> The meeting name has been set to 'fedora_security_team'
14:01:02 <Sparks> #topic Roll Call
14:01:04 * Sparks
14:01:06 * d-caf
14:01:09 * Astradeus
14:02:50 * mhayden
14:03:19 <Sparks> Oh good, the BZ upgrade broke my script.
14:03:52 <Sparks> mhayden: Does your script still work?
14:04:00 * mhayden looks
14:04:08 <Sparks> mhayden: Mine is coming back as "2" for each category.
14:04:20 <Sparks> Oh which I'm assuming is incorrect.
14:04:33 <mhayden> sorry, forgot to send out the summary today
14:05:28 <mhayden> Sparks: sent to ML just now
14:05:32 <Sparks> TU
14:06:07 <mhayden> https://lists.fedoraproject.org/pipermail/security-team/2015-September/00...
14:07:53 <Sparks> Okay, the agenda has been updated.
14:09:53 <Sparks> #info Participants are reminded to make liberal use of #info
#link #help in order to make the minutes "more better"
14:09:59 <Sparks> #topic Follow up on last week's tasks
14:10:06 <Sparks> mhayden to work with Ryan to get the article published
14:10:19 <Sparks> mhayden: This happened. Anything you'd like to say here?
14:10:32 <mhayden> thanks for the help in getting that together, everyone
14:10:35 * mhayden will go check the stats
14:11:04 <Sparks> FabioOlive to write up a summary of the embargo discussion
and send it to the security team list.
14:11:23 <Sparks> This happened as well. I haven't responded, yet, but I have
some ideas.
14:11:52 * Sparks thinks FabioOlive is not feeling well this morning and won't
be joining us.
14:12:01 <Sparks> #topic Outstanding BZ Tickets
14:12:10 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 42 (-2),
Moderate 409 (+7), Low 152 (-4), Total 603
14:12:42 <Sparks> #info The recent BZ upgrade has broken my script so I'll
need to get that worked out OR I can just start using/relying on mhayden's
script.
14:13:01 <Sparks> Anyone have anything regarding BZ tickets?
14:13:05 <mhayden> i just merged in Astradeus' sqlite changes in github
14:13:48 <Astradeus> and i just verified that that version still works with
bugzilla
14:13:49 <Sparks> mhayden: I wonder how difficult it would be to use your script
to create a web "dashboard" with pretty charts and such.
14:13:51 <mhayden> i'll give it a test
14:14:09 <mhayden> Sparks: if we have a database accessible, not terribly
difficult
14:14:17 <mhayden> could even generate static html with it
14:14:20 <Sparks> We can still report basic numbers here but I've always
wanted something better.
14:14:42 <Sparks> mhayden: I'll happily help out but I'm not really sure how
to get from here to there.
14:15:31 <Sparks> mhayden: Maybe show how many FST members have how many
tickets and their trends (how many tickets have each FST member helped close,
etc).
14:16:04 <Sparks> mhayden: And it would be really nice if we could somehow
feed that kind of data into fedmsg
14:16:08 <mhayden> totally
14:16:21 <mhayden> i'd be glad to help but $dayjob is heating up for the next
1-2 months :/
14:16:41 <Astradeus> i'd have some time, but i'd need requests ;)
14:16:54 <Sparks> #idea Use mhayden's script to create a dashboard and host it
somewhere (fedorapeople?)
14:17:17 <threebean> where is this script?
14:17:18 <Sparks> #idea Somehow push information to fedmsg
14:17:32 <Sparks> mhayden: Should we just use github for devel?
14:17:43 <Sparks> mhayden: And, if so, could you post the URL?
14:17:57 <mhayden> https://github.com/major/fedora-meeting-report
14:17:58 <Astradeus> and i'd need someone to assist me a little bit with
fedora infrastructure
14:18:06 <Sparks> #link https://github.com/major/fedora-meeting-report
14:18:19 <Sparks> mhayden: What's it written in?
14:18:28 <mhayden> python
14:18:36 * Sparks goes to find his python book
14:18:58 * mhayden has his head in openstack all day ;)
14:18:59 <threebean> ty. FYI, we expect to have fedmsg messages from bugzilla
in early 2016 (like, January). but the date has been pushed back many times
now..
14:19:15 <mhayden> threebean: i will buy you a breakfast taco when that's
working :)
14:19:23 <mhayden> (that's like currency in south texas)
14:19:25 <Sparks> #action Sparks to add "issues" to fedora-meeting-report on
github
14:19:26 <threebean> I will totally eat it, mhayden.
14:20:05 <Sparks> threebean: That will be awesome when that happens.
14:21:57 <Sparks> Okay, anything else on this?
14:22:59 <d-caf> nope, I'm still slammed at work so not much progress
14:23:10 <Sparks> d-caf: Understood
14:23:18 * Sparks summons FabioOlive to the room
14:23:25 <Sparks> #topic Handling embargoed issues
14:23:33 <Sparks> Sorry, I just added this to the agenda
14:23:44 <FabioOlive> .fas fleite
14:23:44 <zodbot> FabioOlive: fleite 'Fabio Olive Leite'
<fabio.olive(a)gmail.com>
14:23:59 <FabioOlive> hmm that should have changed to fabio(a)olive.pro.br by
now
14:24:19 <Sparks> #info We now have security(a)fp.o going to
security-private(a)l.fp.o and we have a few people subscribed to
security-private(a)l.fp.o.
14:24:52 <Sparks> FabioOlive:
https://admin.fedoraproject.org/accounts
14:25:33 <Sparks> #info FabioOlive Started a discussion on
security-team(a)l.fp.o regarding moving the FST into a more proactive role of
handling security bugs.
14:25:47 <Sparks> Does anyone have anything they'd like to discuss regarding
that?
14:26:36 <FabioOlive> how do we manage a private key for encrypted reports?
14:26:48 <Sparks> FabioOlive: I spoke with bress the other day...
14:26:54 <mhayden> #info 1,639 views on the fedoramag blog post about the
security team
14:27:11 <Sparks> It appears we *could* create a GPG key and put it on several
Yubikeys and hand those out.
14:27:17 <Sparks> #info It appears we *could* create a GPG key and put it on
several Yubikeys and hand those out.
14:28:23 <Sparks> There would be a cost for the Yubikeys but, to me, that's
the best way to handle distributing keys.
14:29:06 <Sparks> s/best/better
14:29:19 <FabioOlive> that is interesting, considering there is a cost, do we
want to limit the participation in the private list?
14:29:27 <Sparks> There is likely a best way but it involves using
hard/software that's proprietary
14:29:35 <FabioOlive> like 3 or 4 people at most, and obviously without too
much turnover
14:29:48 <Sparks> That was my thought.
14:30:20 <Sparks> The responsibility of those people should be to open/manage
a BZ ticket that's "private" and use that to keep upstream and packagers
informed.
14:30:25 <Sparks> IMO
14:31:29 <FabioOlive> yeah. any ideas for how we handle the BZs? if we can't
have private BZs, do we want to have "empty" BZs or something?
14:32:12 <Sparks> I wonder if we *could* have private BZs in this case. We'd
end up making the entire ticket public at some point in the future is that
still bad?
14:32:17 <Sparks> mattdm: ^^^
14:32:27 * Sparks ponders who to talk with regarding that.
14:33:49 <Astradeus> what use do 'empty' BZs have?
14:35:00 <FabioOlive> yeah, they would just signal "a bug in component X", so
it would be dumb
14:35:27 <FabioOlive> and if we open an empty bug and later on fill it with
security stuff, it becomes obvious for the future "empty" bugs
14:35:46 <FabioOlive> sorry, I'm feeling particularly stupid today, been a bit
sick
14:36:06 <Sparks> I don't like that idea. We need a sane place to do work.
14:36:06 <Astradeus> so it would be for statistics?
14:36:20 <FabioOlive> yeah, forget I ever mentioned "empty" bugs
14:37:25 <Sparks> FabioOlive: I mean, it's an idea but I don't think it's very
useful for what I feel we need.
14:37:30 <FabioOlive> yeah
14:37:46 <Sparks> Okay, I'll talk with mattdm OOB and see what he thinks.
14:37:50 <Sparks> Anyone have anything else?
14:37:56 <Astradeus> does anyone have an idea of the traffic on those security@ lists?
14:38:19 <Sparks> #action Sparks to talk with mattdm regarding private
security tickets in BZ.
14:38:32 <Sparks> Astradeus: What's the question?
14:38:52 <Astradeus> i mean if it's 4 embargo-worthy tickets a month i'd say
just keep it without a BZ ticket until it is public
14:39:22 <Sparks> Astradeus: Well, how do we communicate, securely, with
upstream and the packager?
14:39:39 <Sparks> Astradeus: And if we don't then what's the purpose of
knowing about an embargoed issue ahead of time?
14:41:15 <FabioOlive> Sparks: can we use the private list only for getting the
notification and assigning a responsible FST member to deal with it? then this
FST member emails the maintainer privately, using their GPG key, and the
maintainer talks to the upstream project, privately, to obtain the fix?
14:41:30 <Astradeus> so the idea is that only a few people have the private
gpg key and have some means to distribute the issue to a bigger group
(=security team or something alike) if necessary?
14:41:48 <FabioOlive> so the security-private list would serve only as a
central point of contact and "dispatching" the work to the right maintainer
14:42:11 <FabioOlive> and maybe taking over the work in case of a
non-responsive maintainer
14:42:25 <Astradeus> more or less what FabioOlive said^^
14:42:27 <Sparks> FabioOlive: Assuming that's all possible...
14:42:56 <FabioOlive> yeah, I'm trying to think of the workflow, and then we
figure out the resources needed given the workflow
14:43:17 <Sparks> FabioOlive: Which is why I liked the idea of using BZ...
It's a fairly common, secure means of communicating with all parties involved.
14:43:26 <FabioOlive> the goal being that we can prepare a security update
during embargo in order to build and approve immediately after unembargo
14:43:55 <FabioOlive> Sparks: yeah, but can Fedora use private bugs? I don't
know that, my only use of BZ has been with my Red Hat credentials.
14:44:27 <Astradeus> Sparks: what stops us from getting the same method for
private tickets in BZ as the RH people?
14:44:37 <Sparks> FabioOlive: Assuming we can. I'm going to talk with mattdm
and then whomever he says I should talk with to get an answer on that.
14:44:55 <Sparks> Astradeus: Trust
14:45:18 <Astradeus> Sparks: so there is only one kind of private tickets?
14:45:46 <Sparks> Astradeus: Well, there are private and there are public.
The private tickets are private to a specific group.
14:46:16 <Sparks> Astradeus: Well, the specific group and whomever you add onto
that ticket.
14:47:39 <Astradeus> i thought of asking for a tickettype whose tickets are
private to e.g. the group "fedora-security"
14:48:00 <FabioOlive> yeah, we would need a fedora-security group in bugzilla,
and having the people in the private security list be on that group
14:48:13 <Sparks> Yes.
14:48:15 <Sparks> That
14:48:42 <Astradeus> but lets see, what new info we'll have next week :)
14:49:05 <Sparks> Okay, we'll carry this over to next week with a hopeful
update on the listserv.
14:49:05 <FabioOlive> :)
14:49:11 <Sparks> Anyone have anything else before we move on?
14:51:06 <Sparks> #topic Open floor discussion/questions/comments
14:51:12 <Sparks> Anyone have anything?
14:51:38 <Astradeus> is it interesting in any way that medium-severity-tickets
are growing?
14:51:52 <Sparks> Astradeus++ For his db work on mhayden's script
14:51:58 <Astradeus> thx :)
14:52:03 <Sparks> Astradeus++
14:52:05 <mhayden> Astradeus++
14:52:05 <zodbot> mhayden: Karma for astra changed to 2 (for the f22 release
cycle): https://badges.fedoraproject.org/tags/cookie/any
14:52:11 <mhayden> MACAROONS FOR EVERYONE
14:52:15 <Sparks> What the heck?
14:52:17 <Astradeus> oha :)
14:52:30 <mhayden> wut
14:52:39 <CRob> yum
14:52:41 <Sparks> Astradeus: Medium-severity tickets will always be growing.
14:53:01 <Sparks> Astradeus: We can attack them as soon as we get all the
Important ones out of the way. :)
14:53:45 * Sparks contemplates an online video GPG key signing event for FST
14:54:47 * Sparks notes no one took the bait
14:54:50 <Sparks> Okay then
14:55:08 <Astradeus> i did think about it in terms like "what is this" ^^
14:55:34 <FabioOlive> Sparks: like people gather in a videoconf and speak
their key fingerprints and people sign each others keys?
14:55:35 <Sparks> Astradeus: Ever participated in a key-signing event?
14:56:04 <Sparks> FabioOlive: I was thinking that if we all wrote them down
and provided ID then it would be like doing it face-to-face
14:56:39 <Astradeus> Sparks: yes, standard key signing
14:56:39 <FabioOlive> yeah, as long as we can confirm the fingerprints in a way
that is not easy to tamper with, like online video, maybe it will work :)
14:56:48 <Astradeus> never with video so far
14:56:52 * Sparks contemplates a blog post
14:57:00 <Sparks> #info https://sparkslinux.wordpress.com/?s=keysigning
14:57:11 <Sparks> Shameless plug
14:57:16 <FabioOlive> Sparks: let's try it out, wouldn't hurt
14:57:51 <Sparks> #action Sparks to start a discussion on the FST list
regarding an online video GPG key signing event.
14:57:58 <Sparks> Anyone have anything else?
14:57:59 <Southern_Gentlem> Sparks, as long as it's a live video of the person
14:58:05 <Sparks> Southern_Gentlem: Right
14:58:23 <FabioOlive> then show a piece of paper with the ID printed out and
spell it out
14:58:35 * Sparks figured putting something on his blog might yield someone's
input of why it wouldn't be a good idea
14:58:37 <FabioOlive> multiple redundant confirmations of the information that
would be hard to tamper with
14:58:52 <Southern_Gentlem> upload keys and everyone display their keys
14:59:23 <Sparks> Okay, anything else before we sign off for the day?
14:59:33 * Sparks notes there is another meeting starting imminently
15:00:05 <Sparks> Okay, thanks for coming out! See you all on the interwebz.
15:00:08 <Sparks> #endmeeting