19:00:09 <Sparks_too> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings 19:00:09 <zodbot> Meeting started Wed Jul 30 19:00:09 2014 UTC. The chair is Sparks_too. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:09 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:00:13 <Sparks_too> #meetingname Fedora Security Team 19:00:13 <zodbot> The meeting name has been set to 'fedora_security_team' 19:00:18 <Sparks_too> #topic Roll Call 19:00:20 * Sparks_too 19:02:06 <jsmith> .hellomynameis jsmith 19:02:07 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com> 19:02:33 * thoger 19:03:03 <ignatenkobrain> hey 19:03:10 <ignatenkobrain> Sparks_too: hi 19:03:14 <ignatenkobrain> revskills: ^^ 19:03:14 <BVincent> .hellomynameis BVincent 19:03:16 <zodbot> BVincent: Sorry, but you don't exist 19:03:18 <Sparks_too> Oh good, people! :) 19:03:19 <jrusnack> here 19:03:29 <bojov> present :) 19:03:33 <BVincent> Present 19:03:59 <ignatenkobrain> I have ~15 mins 19:04:01 <ignatenkobrain> =( 19:04:16 <Sparks_too> ignatenkobrain: Anything you need to say before leaving? 19:04:41 <ignatenkobrain> I think no. I didn't have time to handle bugs 19:04:46 <ignatenkobrain> so, lets go ? 19:05:27 <Sparks_too> I've posted the link to the agenda in the meeting header. I'll be working from there today. 19:05:59 <Sparks_too> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better" 19:06:05 <Sparks_too> #topic Follow up on last week's action items (10 minutes) 19:06:11 <ignatenkobrain> cool 19:06:12 <Sparks_too> jrusnack to document the use of fst_owner: in the whitepages of the bugs 19:06:32 <jrusnack> yup, done. anything I missed ? 19:06:52 <Sparks_too> #info jrusnack documented the use of fst_owner at https://fedoraproject.org/wiki/Security_Team#Taking_ownership_of_tracking_bugs 19:07:15 <Sparks_too> Sparks to create a team roster with links to people's User: wiki pages. 19:07:40 <Sparks_too> I started this but I want to bring this up later as it sucked the way I was doing it. 19:07:48 <Sparks_too> It'll ultimately fail my way. 19:07:59 <Sparks_too> jrusnack to follow up with upstream 19:08:12 <Sparks_too> That was clearly an incomplete task 19:08:22 <Sparks_too> jrusnack: Was that a follow up for pwgen? 19:09:03 <jrusnack> #info sent patches that fix CVE-2014-4440 and CVE-2014-4442, analysis about CVE-2014-4441, so far no response 19:09:17 <ignatenkobrain> jrusnack: sadly 19:09:32 <Sparks_too> jrusnack: I did talk with Kurt about 4441. Lets talk about pwgen a bit later in the meeting as well 19:09:43 <Sparks_too> Sparks to follow up with Product Security regarding the validity of the CVEs. 19:09:43 <jrusnack> no problem 19:09:59 <Sparks_too> And I did my task by talking to Kurt of which we'll talk about in a few minutes. :) 19:10:07 <Sparks_too> And that was all the tasks from last week! 19:10:14 <Sparks_too> #topic Roster 19:10:29 <Sparks_too> #link https://fedoraproject.org/wiki/Security_Team_Roster 19:10:52 <Sparks_too> Okay, I started putting this together but I clearly didn't have all the information I needed. 19:11:04 <jrusnack> #info that roster needs more info. like, name, bugzilla account, irc nick at least 19:11:05 <BVincent> .hellomynameis bvincent 19:11:06 <zodbot> BVincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu> 19:11:11 <Sparks_too> So with that, I'd like everyone (and I'll put this out on the list) to go to that page and add your own information there. :) 19:11:28 <Sparks_too> jrusnack: +1 19:11:47 <Sparks_too> I think it would be good to know if you are a proven packager as well. 19:12:02 <ignatenkobrain> .fasinfo BVincent 19:12:03 <zodbot> ignatenkobrain: User "BVincent" doesn't exist 19:12:22 <ignatenkobrain> BVincent: do you have FAS account ? 19:12:31 <revskills> probably have sense to have a common user profile, but not so much important. I have my from the templates 19:12:49 <BVincent> I couldn't find my old account. Username is lowercase only for FAS. 19:13:14 <Sparks_too> revskills: Yes 19:13:54 <Sparks_too> Anything else with this? 19:14:08 * jsmith is a proven packager, fwiw 19:14:18 <ignatenkobrain> jsmith: cool 19:16:16 <Sparks_too> jsmith: What's the zodbot command for tasks? #task? 19:16:19 <thoger> jrusnack: "As <owner> bugzilla login should be used", wasn't FAS login the final plan? 19:16:30 <jsmith> #action 19:16:34 <Sparks_too> TNX 19:16:56 <Sparks_too> #action Sparks to send a message to the list asking people to add themselves to the roster 19:17:03 <ignatenkobrain> ack 19:17:21 <jrusnack> thoger: well, then I am confused. I remember you arguing for bugzilla login, cause it makes easier to cc on bugs. What was the argument for FAS login again ? 19:17:42 <ignatenkobrain> jrusnack: more easy to track ? 19:18:30 <ignatenkobrain> we can use fasinfo command for zodbot and we will get all needed info 19:18:35 <ignatenkobrain> something like this 19:18:40 <thoger> jrusnack: you did not like bz login, so FAS name was proposed as alternative. you seemed to be fine with that. i'm fine either way 19:18:44 <ignatenkobrain> .fasinfo sparks 19:18:45 <zodbot> ignatenkobrain: User: sparks, Name: Eric Christensen, email: sparks@redhat.com, Creation: 2007-07-17, IRC Nick: Sparks, Timezone: US/Eastern, Locale: en, GPG key ID: 0x024BB3D1, Status: active 19:18:48 <zodbot> ignatenkobrain: Approved Groups: gitpublican-fedora sysadmin-hosted sysadmin-docs sysadmin elections gitscap-security-guide @gitcreate-tx-configuration @gitsecure-coding gitcsi cla_fedora cla_done sysadmin-keys @gitdocsglue cvsfedora @docs +gitfedora-wiki @gitfedora-cms fedorabugs packager @docs-publishers @gitweatheralert @docs-writers @gitamateur-radio-menus cla_fpca @gitkeysigning-party-manual 19:19:38 <Sparks_too> So lets just use FAS ID. You will likely already be CC'd on the BZ ticket if you added your fst_owner tag. 19:19:57 <jrusnack> Sparks_too: yup, I`ll update it 19:20:11 <Sparks_too> Okay, anything else WRT the roster? 19:20:49 <Sparks_too> Okay, moving on 19:20:55 <Sparks_too> #topic Rewards 19:21:00 <ignatenkobrain> yup yup 19:21:03 <ignatenkobrain> very interesting 19:21:23 <jrusnack> rewards already ? 19:21:30 <Sparks_too> So I want to do what I can to reward people for working towards closing security vulnerabilitles 19:21:38 <Sparks_too> vulnerabilities even 19:21:51 <Sparks_too> jrusnack: You... you will get nothing. :) 19:21:59 <ignatenkobrain> hehe 19:22:09 <jrusnack> oh damn 19:22:26 <Sparks_too> #idea Create a badge for fixing 50, 100, 200, 500, and 1000 security bugs 19:22:44 <ignatenkobrain> 1000 ?> oh 19:22:51 <ignatenkobrain> I think that's not possible 19:22:52 <ignatenkobrain> :D 19:22:55 <Sparks_too> ignatenkobrain: It could happen... :) 19:23:12 <Sparks_too> ignatenkobrain: I'm trying to think long term. 19:23:14 <jrusnack> soudns good ! 19:23:31 <Sparks_too> ignatenkobrain: I'm also hoping we never see the day when that badge gets awarded. 19:23:35 <bojov> sounds interesting 19:23:42 <ignatenkobrain> Sparks_too: huh! 19:23:43 <revskills> +1 19:24:20 <ignatenkobrain> Sparks_too: when this achievement awarded we should kill some packages in our repos I thing 19:24:22 <Sparks_too> So the problem with doing the badges is that right now it'll all be manually awarded since there isn't any real good way tie BZ to the system that awards badges. 19:24:22 <ignatenkobrain> think* 19:24:53 <Sparks_too> ignatenkobrain: Yes, we've clearly missed the opportunity to prevent the chaos that is a vulnerability. 19:24:55 <ignatenkobrain> I don't know how it can handle it automatically, BUT 19:25:09 <ignatenkobrain> can it track closed bugs with Whiteboard? 19:25:32 <Sparks_too> It cannot. The badge system has never been introduced to Bugzilla. 19:25:46 <ignatenkobrain> I think we should make a patch 19:25:47 <ignatenkobrain> :D 19:25:58 <ignatenkobrain> anyway 19:26:02 <ignatenkobrain> we can write scripts 19:26:02 <Sparks_too> Tracking the whiteboard fst_owner tag I might be able to script some of this, though. 19:26:08 <ignatenkobrain> yes 19:26:13 <ignatenkobrain> I'd like to write this script 19:26:21 <Sparks_too> ignatenkobrain: It's yours 19:26:47 <bojov> ignatenkobrain: if upstream agree 19:26:58 <Sparks_too> #action ignatenkobrain to write a script to somehow get stats from BZ and use them for the badge system 19:27:16 <ignatenkobrain> bojov: temporary we can use our custom scripts and in the future integrate BZ with badges system 19:27:21 <Sparks_too> Is everyone agreed with the badges? 19:27:36 <bojov> +1 19:27:44 <ignatenkobrain> ack 19:27:47 <jrusnack> yes 19:28:06 <jsmith> ACK 19:28:09 <revskills> ack 19:28:12 <ignatenkobrain> Sparks_too: I saw something about SWAG 19:28:15 <ignatenkobrain> in wiki 19:28:19 <ignatenkobrain> what about that ? 19:29:16 <Sparks_too> #agreed Badges for fixing 50, 100, 200, 500, and 1000 security bugs. 19:29:38 <Sparks_too> #idea Make t-shirts for FST members who close x number of cases 19:29:53 <ignatenkobrain> sounds good 19:30:20 <Sparks_too> So, I may have some moneys for t-shirts and such. I'm thinking that if we can show someone is a regular contributor to the team that we can reward them with a t-shirt. 19:30:51 <ignatenkobrain> I think any members who have badge 50 fixed sec bugs can have it 19:31:05 <Sparks_too> I have not thought anything of criteria but there are people within Red Hat that are very pleased to see this work happen and are willing to put some money into some t-shirts or the like. 19:31:14 <revskills> hall of fame too? 19:31:51 <Sparks_too> revskills: Sure, if we can script the BZ scraping we should be able to make an automated hall of fame page. 19:31:56 <ignatenkobrain> revskills: that's idea 19:32:05 <ignatenkobrain> how about wiki page 19:32:13 <Sparks_too> #idea Hall of fame webpage 19:32:16 <ignatenkobrain> which will auto-generate/auto-update 19:32:24 <ignatenkobrain> using BZ stats? 19:32:24 <bojov> for each one hundred can get a hat? :) 19:32:28 <ignatenkobrain> from first script 19:32:45 <Sparks_too> bojov: Perhaps 19:33:07 <ignatenkobrain> bojov: I'd say Red Hat. Originally Red Hat 19:33:14 <Sparks_too> ignatenkobrain: I'm wondering if we can have the script dump the numbers into a db that we can use for long-term stats AND for rewards 19:33:20 <ignatenkobrain> not сувенир 19:33:31 <ignatenkobrain> yes 19:33:37 <ignatenkobrain> I can use sqlite for example 19:33:52 <ignatenkobrain> so. I'd like to do this 19:34:11 <Sparks_too> Okay, so a t-shirt after 50 vulnerabilities get closed? 19:34:28 <ignatenkobrain> +1 19:34:46 <bojov> it's fine by me 19:34:57 <BVincent> Sounds good. 19:35:00 <ignatenkobrain> https://github.com/ignatenkobrain/fedora-security-team 19:35:00 <revskills> looks fine for me, and hall of fame 19:35:09 <ignatenkobrain> I will create scripts here 19:35:14 <ignatenkobrain> oh. there. 19:35:41 <Sparks_too> #agreed T-shirts for those closing 50 vulnerabilities (pending funding) 19:35:52 <bojov> hall of fame for people not for sec bugs? 19:36:24 <Sparks_too> bojov: ? 19:36:36 <BVincent> I would assume people... 19:37:00 <ignatenkobrain> #action ignatenkobrain to write a script to somehow get stats from BZ and use them for "hall of fame" FST wiki page 19:37:22 <bojov> I assume for people too 19:37:22 <ignatenkobrain> Sparks_too: is github is good for us? 19:37:31 <ignatenkobrain> or we want use git.fedorahosted 19:37:38 <ignatenkobrain> or git.fedorapeople ? 19:37:47 <Sparks_too> ignatenkobrain: I'd prefer to use fedorahosted 19:38:05 <Sparks_too> FOSS and all that 19:38:14 <revskills> fedora hosted 19:38:15 <ignatenkobrain> #action ignatenkobrain to request git repo for FST scripts 19:38:37 <ignatenkobrain> well 19:38:37 <Sparks_too> #agreed Hall of Fame showing FST members and their current vulnerabilities closed count 19:39:01 <Sparks_too> Anything else with this or can I move on? 19:39:19 <ignatenkobrain> 100+ badge should provide hat :D 19:39:33 <Sparks_too> I'll see what kind of money I can get. :) 19:39:54 <Sparks_too> Okay, moving on. 19:39:56 <ignatenkobrain> btw, i think i can provide some money for that if we're need 19:39:58 <ignatenkobrain> go 19:40:05 <Sparks_too> #topic Outstanding BZ Tickets 19:40:14 <Sparks_too> #info Monday's numbers: Critical 3, Important 69, Moderate 366, Low 128, Total 566, Trend -11 19:40:20 <Sparks_too> #info Current tickets owned: 4 19:40:39 <ignatenkobrain> unfortunately, I don't have time now. but I want to say some words 19:40:52 <ignatenkobrain> some bugs still has POST status 19:40:58 <ignatenkobrain> ~5-7 from me 19:41:05 <ignatenkobrain> and 1 from adamw IIRC 19:41:08 <Sparks_too> I wanted to point out that last number. I'm not sure if people aren't working cases or if they aren't owning cases but I'd like to see that "owned" number go up. 19:41:10 <ignatenkobrain> more than week 19:41:13 <revskills> I was this week working on some security related for fedora, but I will start now with this 19:41:20 <Sparks_too> ignatenkobrain: +1 19:41:43 <ignatenkobrain> I think we should poke people 19:41:50 <Sparks_too> Probably 19:41:59 <ignatenkobrain> jsmith: what do you think ? 19:42:08 <ignatenkobrain> probably you can easy fix them ? 19:42:14 <Sparks_too> Is anyone here using Eucalyptus? 19:42:20 <jsmith> I'd be happy to take a look at a few of them 19:42:27 <ignatenkobrain> jsmith: give me 5 mins 19:42:28 <jsmith> (as I have time around my $DAYJOB, of course) 19:43:07 <ignatenkobrain> #link https://bugzilla.redhat.com/query.cgi?bug_status=POST&chfield=bug_status&chfieldto=1w&chfieldvalue=POST&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&query_format=advanced 19:43:10 <jsmith> ignatenkobrain: Now just happens to be a good time for me to start looking :-) 19:43:40 <Sparks_too> jrusnack: Want to talk about your update on pwgen? 19:43:46 <jrusnack> sure 19:44:15 <jrusnack> I sent two patches that fix 4440 and 4442, Theodore has not yet responded 19:44:32 <jrusnack> as for 4441, I did some analysis and forwarded to our list and Theodore 19:45:18 <Sparks_too> jrusnack: I think 4441 was the one I talked to Kurt about (who actually issued the CVE). The data is what swayed him to issue it in the first place so it's likely good. 19:45:20 <jrusnack> the thing is, if define that pronounceable password generator is secure if distribution of passwords it generates is uniform 19:45:36 <jrusnack> (which is a sound definition) then the 4441 is valid 19:45:46 <Sparks_too> right 19:45:56 <jrusnack> the only trouble is 19:46:27 <jrusnack> if we want to fix this, we cannot just fix the algorithm, since removing the bias reduces number of password that can be possibly generated 19:46:48 <jrusnack> in such a way that bias helps attacker much *less* than the password space reduction 19:47:09 <jrusnack> so either tear the algorithm apart and start from scratch or better leave that unfixed 19:47:24 <Sparks_too> jrusnack: What's the severity of this? 19:47:55 <jrusnack> Sparks_too: medium 19:48:32 <jrusnack> Sparks_too: what did Kurt say about this ? 19:48:55 <Sparks_too> jrusnack: I really wouldn't worry too much about a medium right now. Not saying it isn't something we shoud look at but I wouldn't expend a lot of energy on this when we have lots of worse stuff out there. 19:49:07 <Sparks_too> jrusnack: Kurt said that he felt the CVE was valid. 19:49:23 <Sparks_too> jrusnack: He didn't say anything about the fix being good or bad. 19:50:55 <Sparks_too> jrusnack: So, unless the developer is going to rewrite this to make it okay I suspect our options are to remove the functionality in our package, or try to fix it ourselves (I don't like this option), or just live with it. 19:51:00 <Sparks_too> Not great options. 19:51:51 <jrusnack> I`d go with live with it, or challenge Kurt to show how this is exploitable :) 19:51:54 <ignatenkobrain> I have to go 19:51:56 <ignatenkobrain> have fun! 19:52:04 <revskills> bye ignatenkobrain 19:52:09 <ignatenkobrain> Sparks_too: jrusnack: jsmith: revskills: bye! 19:52:13 <jrusnack> I`ll wait for Theo`s response, and leave this be 19:52:16 <jrusnack> ignatenkobrain: bye ! 19:52:30 <bojov> bye ignatenkobrain 19:52:34 <revskills> jrusnack: some times not bad idea to dev a PoC 19:52:35 <Sparks_too> jrusnack: Feel free to push Kurt for better reasoning. 19:53:36 <jrusnack> Sparks_too: sure. 19:54:29 <jrusnack> Sparks_too: would it make sense to lower the severity ? 19:54:35 * Sparks_too isn't going to talk about Eucalyptus today 19:55:31 <Sparks_too> jrusnack: No, the severity is set by RH Product Security using a magic 8-ball or other scientific method. What they rate it as is correct (unless they change it later). 19:55:39 <Sparks_too> Moderate isn't awful. 19:55:55 <jrusnack> right 19:56:19 <Sparks_too> jrusnack: Okay, anything on pwgen? 19:56:25 <Sparks_too> jrusnack: Okay, anything else on pwgen? 19:56:26 <jrusnack> Sparks_too: nope, move on 19:56:34 <Sparks_too> #topic Open floor discussion 19:56:40 <Sparks_too> Anyone have anything? 19:57:19 <bojov> no 19:57:19 <BVincent> First meeting here. Any recommendations where to start on BZ? 19:58:16 <Sparks_too> BVincent: On the Security Team wiki page (https://fedoraproject.org/wiki/Security_Team) are links to the bugs. Find something you feel like you can handle and dig in. 19:58:40 <Sparks_too> BVincent: They are ranked by severity: Critical > Important > Moderate > Low 19:59:04 <Sparks_too> BVincent: I'd prefer to concentrate on the top two severities right now. 19:59:30 <BVincent> Sparks_too: Just work with upstream eh? 19:59:42 <revskills> Sparks_too: plan about CVE ttl f20/f21 20:00:11 <Sparks_too> BVincent: This may help > https://fedoraproject.org/wiki/Security_Team#Work_Flow 20:00:30 <Sparks_too> revskills: Until they are fixed or no longer being shipped. 20:00:47 <Sparks_too> revskills: I suspect many packages just get pushed into rawhide and CVEs keep going. 20:00:59 <BVincent> Sparks_too: Just what I was looking for. Sounds great! 20:01:00 <Sparks_too> Okay, it's the top of the hour. Thanks everyone for coming. 20:01:08 <Sparks_too> #endmeeting