19:00:48 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
19:00:48 <zodbot> Meeting started Wed Sep 24 19:00:48 2014 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:48 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:51 <Sparks> #meetingname Fedora Security Team
19:00:51 <zodbot> The meeting name has been set to 'fedora_security_team'
19:00:55 <Sparks> #topic Roll Call
19:01:01 <Sparks> Who have we got today?
19:02:12 <Sparks> Oh boy... looks like a real short meeting today.
19:02:45 <simo> Sparks: hi
19:02:55 <Sparks> simo: Greetings!
19:03:08 <simo> I can rarely attend, but the stars aligned today
19:03:40 * randomuser lurks uselessly
19:04:01 <bvincent> .fas bvincent
19:04:02 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
19:04:09 <Sparks> simo: Yeah, we know what you've been doing today.
19:04:17 <Sparks> Welcome bvincent
19:04:28 <Sparks> randomuser: You're never useless.
19:04:32 <Sparks> randomuser: Just usually asleep
19:05:06 <randomuser> ha! I don't sleep.
19:05:16 <Sparks> Okay, that's three...  we'll make this a short meeting.
19:05:25 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
19:05:25 <d-caf> here
19:05:41 <Sparks> #topic bash vulnerability
19:05:57 <Sparks> #link https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
19:06:18 * simo backs out slowly (what did I do?)
19:06:26 <Sparks> In the off chance you've had your head in the sand for the last few hours the above link is good fodder for wrecking the rest of your day.
19:06:57 * simo still waiting for security fixes on squeeze (wonder if they make them anymore)
19:07:08 <Sparks> Packages are in the repos (or moving in that direction) to fix this critical vulnerability for RHEL, Fedora, and CentOS.
19:07:17 <d-caf> Yes, fun one, already patched my personal stuff, work related is a little bigger task
19:07:18 <Sparks> simo: Good question
19:07:48 <Sparks> d-caf: Eh... work stuff isn't really worth worrying about.  I mean, it's not your data, right?
19:08:09 <simo> seems bash is available in cdn/mirrors for centos/rhel now, fedora still lagging
19:08:30 <Sparks> This is probably a good time to mention that it takes a long time to get fixes into the Fedora repos.
19:08:35 <simo> I know that wheezy also got bash
19:08:48 <bvincent> How long did the OpenSSL fix for Heartbleed take to reach the Fedora repositories?
19:09:01 <simo> Sparks: what about plans to have a security repo ?
19:09:05 <Sparks> There is a fix that is being talked about but it hasn't gotten a lot of traction.
19:09:10 <simo> bvincent: too many hours
19:09:12 <Sparks> #link https://fedorahosted.org/rel-eng/ticket/5886
19:09:24 <Sparks> simo: My goodness, I'm typing as fast as I can! :)
19:09:41 <simo> not fast enough ;-P
19:10:03 <Sparks> Would everyone be in favor of the team making a comment of support for this?
19:10:30 <simo> the security repo ?
19:10:35 <bvincent> I don't think there is any downside in a separate repo.
19:10:36 <simo> I am all in!
19:10:54 <Sparks> bvincent: It's just added work... but yeah.
19:11:06 <bvincent> As long as the fixes don't break anything (too fast could be a problem).
19:11:51 <Sparks> bah, it's all for security!
19:11:53 * Sparks ducks
19:12:15 <Sparks> Who wants to write the note on the ticket?  I'll do it if no one else wants to.
19:12:36 <bvincent> You seem like the logical choice.
19:12:45 <misc> yeah, +1 to Sparks
19:13:22 <d-caf> I'm fine with Sparks putting in a note of support :-)
19:15:29 <Sparks> logloo
19:15:46 <Sparks> Sorry... I was having network issues
19:15:52 <Sparks> :)
19:16:07 <Sparks> #action Sparks to comment on the releng ticket in support of a security repo
19:16:11 <Sparks> Okay, moving along.
19:16:19 <Sparks> #topic Outstanding BZ Tickets
19:16:26 <Sparks> #info Wednesday's numbers: Critical 2, Important 49, Moderate 358, Low 128, Total 537, Trend -10
19:16:29 <Sparks> #info Current tickets owned: 159 (~30%)
19:16:30 <Sparks> grrrr
19:16:33 <Sparks> #info Tickets closed: 90
19:16:50 <Sparks> So, those numbers look good.
19:17:18 <Sparks> We are getting closer to having all the orphaned packages in EPEL that currently have a vulnerability removed from the repos.
19:17:59 <d-caf> Is that for all levels of vulnerability?
19:18:04 <Sparks> Releng is going to be contacting package maintainers that currently have dependencies on these packages to step up or lose out.
19:18:18 <Sparks> d-caf: Yes although I don't think there were many lows in that list.
19:18:29 <Sparks> d-caf: A lot of important.
19:18:58 <Sparks> Any questions?
19:19:20 <Sparks> Okay, moving right along!
19:19:24 <d-caf> Yes, torque I fear needs to be on that list if it isn't, maintainer not interested in long term anymore
19:20:08 <bvincent> I'm working with a couple of individuals on the epel-devel on reviewing outstanding EPEL security issues.
19:20:11 <Sparks> d-caf: I think that needs to go to releng
19:20:14 <bvincent> *mailing list that is.
19:20:22 <Sparks> bvincent: +1
19:20:26 * Sparks should be on that list
19:21:01 <Sparks> d-caf: Remind me later today and we'll work on a non-responsive maintainer process.
19:21:10 <Sparks> Anything else?
19:21:47 <Sparks> #topic APAC Meeting
19:21:53 <Sparks> #info Only two people took the survey to establish a new meeting.
19:22:18 <d-caf> Was that to establish a second meeting or a new time for the primary meeting?
19:22:23 <Sparks> I started a survey to create an APAC meeting time so folks in that neck of the woods wouldn't have to stay up so late to attend the meetings.
19:22:49 <Sparks> That was to establish a second meeting.  I was hopeful to have a meeting per side of the globe.
19:23:57 <Sparks> If we want, we can see if an earlier time would work for everyone globally.  This was the only time that would work for those that took the first survey.
19:24:00 <Sparks> Thoughts?
19:25:06 <d-caf> Well, I think a single meeting is good, and I have no problem pushing the time up some to accommodate, I wasn't onboard for the first round of votes
19:25:28 <d-caf> pjp seems to really want just one meeting, just earlier for them
19:25:55 <simo> Sparks: you can't accommodate everyone
19:26:01 <d-caf> In the end, the current time is fine for me, but happy to accommodate those that live in other time zones (to a point)
19:26:45 <Sparks> yeah.
19:27:44 <Sparks> Okay, so I'll work on a new survey and see if we can move it up a few hours.
19:28:31 <Sparks> #topic Open Floor
19:28:43 * Sparks hates to rush this but he needs to step out to another meeting
19:28:49 <Sparks> Does anyone have anything else?
19:29:14 <d-caf> Just would like to know what the procedure is once a new fixed package is submitted for QA review
19:29:38 <d-caf> is that a security-team job, or is that part of the overall package release process
19:29:56 <Sparks> d-caf: That's part of the overall package release process
19:30:21 <d-caf> Ok, so just get them to submit the patched package and let the process work through
19:30:26 <Sparks> Yep
19:30:31 <bvincent> Sounds good.
19:30:48 <d-caf> thanks, just wanted to make sure I wasn't missing something
19:30:52 <Sparks> d-caf: Nope
19:31:15 <d-caf> That's it from me
19:31:29 <Sparks> Okay, well thanks everyone for coming out today.
19:31:45 <Sparks> #endmeeting