19:01:06 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
19:01:07 Meeting started Wed Sep 10 19:01:06 2014 UTC. The chair is Sparks_too. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:07 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:01:09 #meetingname Fedora Security Team
19:01:09 The meeting name has been set to 'fedora_security_team'
19:01:12 #topic Roll Call
19:01:16 * Sparks_too
19:01:16 .fas bvincent
19:01:17 bvincent: bvincent 'Brandon Vincent'
19:03:18 * Sparks_too notes that he has updated the agenda which is available at https://fedoraproject.org/wiki/Security_Team_meetings#Meeting_Agenda
19:03:59 Here
19:04:19 .fas dcafaro
19:04:20 d-caf: dcafaro ''
19:05:57 Okay, let's get started.
19:07:06 #topic Outstanding BZ Tickets
19:07:14 #info Wednesday's numbers: Critical 2, Important 53, Moderate 365, Low 127, Total 547, Trend +7
19:07:20 #info Current tickets owned: 145 (~27%)
19:07:26 #info Tickets closed: 77
19:07:53 Comments or questions?
19:08:17 Just thanks again for getting editing privs sorted, very helpful
19:10:16 d-caf: Glad that fixed things
19:10:23 #topic APAC Meeting
19:10:58 Okay, a conversation was started on the list regarding the meeting time being bad for APAC contributors.
19:11:40 I agree that this is not a great time for APAC. It's also nearly impossible to get everyone together at the same time.
19:12:18 so, do we want two meetings, or alternate times every second week?
19:12:31 So I'm going to try to do a second meeting at a better time for contributors in APAC. I'll be starting a new WhenIsGood survey later today and we'll work on that.
19:13:01 jrusnack: The meetings are super important but I think it would be nice (and less confusing) to just hold two meetings a week.
19:13:28 Sparks_too: work for me
19:13:32 *works
19:13:32 Any kind of decision or planning will be done on the list so everyone can be involved.
19:13:51 The meetings will continue to be a Q&A and update for everyone.
19:13:52 how many people from APAC timezone are interested?
19:14:25 jrusnack: I'm not exactly sure but we'll figure it out in the survey.
19:14:49 jrusnack: From what I understand there are a few contributors over there that want to be involved.
19:15:08 awesome
19:16:13 #topic Open floor discussion
19:16:55 Anyone have anything?
19:16:56 FYI: https://fedoraproject.org/wiki/FAD_Pune_Security_1 not sure if everyone caught this
19:17:16 possibly related to APAC meeting time discussion
19:19:12 Is that duplicate work to what the Security Team is doing?
19:19:17 #info Security FAD in Pune https://fedoraproject.org/wiki/FAD_Pune_Security_1
19:20:24 d-caf: It's not duplicate work, really. Huzaifa is one of the RH folks and is contributing here in the FST. He's APAC so he can't show up for these meetings very often.
19:20:25 d-caf: certainly not. I expect some of them to get on board, once we have APAC friendly meeting time
19:21:00 jrusnack: Thanks for reminding me of the FAD. I'd forgotten about it.
19:21:10 Sparks_too: np
19:21:29 Ok, I just want to help avoid duplicate work, so if someone has something whiteboard tagged and working on coordinating a fix, that they don't duplicate it
19:21:51 #action Sparks to talk with Huzaifa about times for the FAD and the possibility of doing a video-teleconference with others not in Pune.
19:21:58 There are plenty of issues without a "fst_owner" tag.
19:22:05 very true
19:22:17 Yeah, we are currently working ~27% of all open cases right now.
19:22:39 I'm gonna try to push to get my bugs closed by then.
19:22:46 (much of mine are orphans in EPEL)
19:23:48 Okay, anyone have anything else?
19:24:21 If I want to orphan a package, do I open a ticket?
19:24:41 as in - package is not maintained but owner will not orphan
19:25:40 jrusnack: That's an unresponsive maintainer and should go through that process.
19:26:24 Sparks_too: thank!
19:26:30 *thanks!
19:26:45 * Sparks_too has one of those he needs to work on.
19:27:19 Anything else?
19:27:56 On upstream CLOSE WONTFIX, if it really does look like it would be a mess to backport
19:28:18 What is the procedure for tickets to start that route of closure
19:28:45 d-caf: What's the ticket?
19:30:41 bug 1039919 1039917
19:31:25 #link https://bugzilla.redhat.com/show_bug.cgi?id=1039917
19:32:02 d-caf: And Python is saying they won't fix it?
19:32:20 #link http://bugs.python.org/issue14621
19:33:28 They aren't backporting to before 3.4 and the fix is very involved
19:34:09 Well, it's unfortunate but I guess the vulnerability will be in Python 2.7 and <3.4
19:34:23 Per upstream as d-caf stated, "I think that's just WONTFIX at this point."
19:34:33 https://bugzilla.redhat.com/show_bug.cgi?id=1039915#c4
19:34:57 Yeah, the CVE tracker has been closed. The vulnerability was also downgraded to a moderate.
19:35:12 I guess we just close those tickets as WONTFIX and move on with life.
19:36:13 I can close them and state any workarounds mentioned and impact in each of the tickets (there are actually 3 linked to this CVE)
19:37:34 d-caf: +1
19:37:41 Okay, anything else?
19:40:33 Thanks everyone for coming today. There will be more coming out on the mailing list soon.
19:40:55 Ok, thanks!
19:41:11 #endmeeting