19:00:48 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
19:00:48 Meeting started Wed Sep 24 19:00:48 2014 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:48 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:51 #meetingname Fedora Security Team
19:00:51 The meeting name has been set to 'fedora_security_team'
19:00:55 #topic Roll Call
19:01:01 Who have we got today?
19:02:12 Oh boy... looks like a real short meeting today.
19:02:45 Sparks: hi
19:02:55 simo: Greetings!
19:03:08 I can rarely attend, but the stars aligned today
19:03:40 * randomuser lurks uselessly
19:04:01 .fas bvincent
19:04:02 bvincent: bvincent 'Brandon Vincent'
19:04:09 simo: Yeah, we know what you've been doing today.
19:04:17 Welcome bvincent
19:04:28 randomuser: You're never useless.
19:04:32 randomuser: Just usually asleep
19:05:06 ha! I don't sleep.
19:05:16 Okay, that's three... we'll make this a short meeting.
19:05:25 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
19:05:25 here
19:05:41 #topic bash vulnerability
19:05:57 #link https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
19:06:18 * simo backs out slowly (what did I do?)
19:06:26 In the off chance you've had your head in the sand for the last few hours the above link is good fodder for wrecking the rest of your day.
19:06:57 * simo still waiting for security fixes on squeeze (wonder if they make them anymore)
19:07:08 Packages are in the repos (or moving in that direction) to fix this critical vulnerability for RHEL, Fedora, and CentOS.
19:07:17 Yes, fun one, already patched my personal stuff, work related is a little bigger task
19:07:18 simo: Good question
19:07:48 d-caf: Eh... work stuff isn't really worth worrying about. I mean, it's not your data, right?
19:08:09 seems bash is available in cdn/mirrors for centos/rhel now, fedora still lagging
19:08:30 This is probably a good time to mention that it takes a long time to get fixes into the Fedora repos.
19:08:35 I know that wheezy also got bash
19:08:48 How long did the OpenSSL fix for Heartbleed take to reach the Fedora repositories?
19:09:01 Sparks: what about plans to have a security repo?
19:09:05 There is a fix that is being talked about but it hasn't gotten a lot of traction.
19:09:10 bvincent: too many hours
19:09:12 #link https://fedorahosted.org/rel-eng/ticket/5886
19:09:24 simo: My goodness, I'm typing as fast as I can! :)
19:09:41 not fast enough ;-P
19:10:03 Would everyone be in favor of the team making a comment of support for this?
19:10:30 the security repo?
19:10:35 I don't think there is any downside in a separate repo.
19:10:36 I am all in!
19:10:54 bvincent: It's just added work... but yeah.
19:11:06 As long as the fixes don't break anything (too fast could be a problem).
19:11:51 bah, it's all for security!
19:11:53 * Sparks ducks
19:12:15 Who wants to write the note on the ticket? I'll do it if no one else wants to.
19:12:36 You seem like the logical choice.
19:12:45 yeah, +1 to Sparks
19:13:22 I'm fine with Sparks putting in a note of support :-)
19:15:29 logloo
19:15:46 Sorry... I was having network issues
19:15:52 :)
19:16:07 #action Sparks to comment on the releng ticket in support of a security repo
19:16:11 Okay, moving along.
19:16:19 #topic Outstanding BZ Tickets
19:16:26 #info Wednesday's numbers: Critical 2, Important 49, Moderate 358, Low 128, Total 537, Trend -10
19:16:29 #info Current tickets owned: 159 (~30%)
19:16:30 grrrr
19:16:33 #info Tickets closed: 90
19:16:50 So, those numbers look good.
19:17:18 We are getting closer to having all the orphaned packages in EPEL that currently have a vulnerability removed from the repos.
19:17:59 Is that for all levels of vulnerability?
19:18:04 Releng is going to be contacting package maintainers that currently have dependencies on these packages to step up or lose out.
19:18:18 d-caf: Yes, although I don't think there were many lows in that list.
19:18:29 d-caf: A lot of important.
19:18:58 Any questions?
19:19:20 Okay, moving right along!
19:19:24 Yes, torque I fear needs to be on that list if it isn't; the maintainer is not interested in the long term anymore
19:20:08 I'm working with a couple of individuals on the epel-devel on reviewing outstanding EPEL security issues.
19:20:11 d-caf: I think that needs to go to releng
19:20:14 *mailing list that is.
19:20:22 bvincent: +1
19:20:26 * Sparks should be on that list
19:21:01 d-caf: Remind me later today and we'll work on a non-responsive maintainer process.
19:21:10 Anything else?
19:21:47 #topic APAC Meeting
19:21:53 #info Only two people took the survey to establish a new meeting.
19:22:18 Was that to establish a second meeting or a new time for the primary meeting?
19:22:23 I started a survey to create an APAC meeting time so folks in that neck of the woods wouldn't have to stay up so late to attend the meetings.
19:22:49 That was to establish a second meeting. I was hopeful to have a meeting per side of the globe.
19:23:57 If we want, we can see if an earlier time would work for everyone globally.
This was the only time that would work for those that took the first survey.
19:24:00 Thoughts?
19:25:06 Well, I think a single meeting is good, and I have no problem pushing the time up some to accommodate; I wasn't onboard for the first round of votes
19:25:28 pjp seems to really want just one meeting, just earlier for them
19:25:55 Sparks: you can't accommodate everyone
19:26:01 In the end, the current time is fine for me, but happy to accommodate those that live in other time zones (to a point)
19:26:45 yeah.
19:27:44 Okay, so I'll work on a new survey and see if we can move it up a few hours.
19:28:31 #topic Open Floor
19:28:43 * Sparks hates to rush this but he needs to step out to another meeting
19:28:49 Does anyone have anything else?
19:29:14 Just would like to know what the procedure is once a new fixed package is submitted for QA review
19:29:38 is that a security-team job, or is that part of the overall package release process?
19:29:56 d-caf: That's part of the overall package release process
19:30:21 Ok, so just get them to submit the patched package and let the process work through
19:30:26 Yep
19:30:31 Sounds good.
19:30:48 thanks, just wanted to make sure I wasn't missing something
19:30:52 d-caf: Nope
19:31:15 That's it from me
19:31:29 Okay, well thanks everyone for coming out today.
19:31:45 #endmeeting