14:00:11 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:11 <zodbot> Meeting started Thu Feb 25 14:00:11 2016 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:11 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:11 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:14 <Sparks> #meetingname Fedora Security Team
14:00:14 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:17 <Sparks> #topic Roll Call
14:00:18 * Sparks
14:01:33 <Astradeus> .hello astra
14:01:34 <zodbot> Astradeus: astra 'David Kaufmann' <astra@ionic.at>
14:04:20 <Sparks> Astradeus: Do you have anything in particular to discuss?
14:04:52 <Astradeus> yes, few things
14:04:57 <d-caf> hello
14:05:02 <Astradeus> ohai :)
14:05:18 <d-caf> sorry running a little late
14:05:21 <Astradeus> Sparks: in the last few meetings were a few points which you only had info
14:05:47 <Astradeus> currently there is one issue on the mailing list (urgent packages push mechanism)
14:06:49 <Sparks> Okay, let's get started.
14:07:01 <Sparks> Astradeus: What is your topic?
14:08:19 <Sparks> #info Sparks is on leave this month and hasn't been following any activities.
14:08:48 <Astradeus> i'd be interested in that fast-push-thing proposed on the mailing list
14:09:20 <Astradeus> esp. in opinions about that
14:09:43 <Astradeus> and also the FAD, as it was planned to be in the beginning of march if i remember correctly
14:10:32 <Sparks> #topic Security FAD
14:10:57 <Sparks> #info We have space in DC for the Security FAD on March 4th.
14:11:12 <Sparks> I hope this isn't too short notice for the people that wanted to come.
14:11:33 <Sparks> zoglesby: Welcome!
14:11:37 <zoglesby> hi
14:11:49 <Sparks> Comments?
14:11:59 <d-caf> yikes Friday next week...
14:12:04 <d-caf> Is it an all day thing?
14:12:11 <d-caf> times?
14:12:12 <zoglesby> we have space, coffee, tea, soda
14:12:30 <zoglesby> i just need to know who is coming
14:12:49 <Sparks> d-caf: I think the following Friday was also good with everyone.
14:12:52 <Astradeus> i'd love to come, but for me only remotely is possible (europe..)
14:12:57 <Astradeus> but i'd have time
14:13:13 <zoglesby> we have a web cam in the room as well fyi
14:13:53 <zoglesby> Sparks: do you want to set up a bluejeans meeting for remote folks?
14:14:53 <Sparks> zoglesby: Yeah, we can do that.
14:15:35 <Sparks> zoglesby: Can you pass this information to the list today?
14:15:43 <Sparks> ...regarding the FAD
14:15:47 <zoglesby> sure can
14:16:09 <zoglesby> d-caf: we have space from 9-5
14:16:22 <d-caf> March 4th is bad for me at this point unfortunately
14:16:22 <Astradeus> which timezone would that be?
14:16:32 <d-caf> I would maybe be able to do the afternoon
14:16:33 <zoglesby> EST
14:16:42 <Sparks> UTC-5:00
14:16:50 <d-caf> the 11th is better for me, but that depends on the group I guess
14:17:01 <Sparks> zoglesby: Would your space be available on the 11th?
14:17:34 <zoglesby> we should be able to come up with something
14:18:43 <Astradeus> would be okay for me too
14:19:58 <Sparks> d-caf: Is that good for you?
14:21:03 <d-caf> Yes, I should be able to get more time on that day, I still have to get MGMT approval
14:21:24 <d-caf> I know I have an all-morning meeting on the 4th I can't get out of though
14:21:30 <d-caf> but no meetings on the 11th
14:24:35 <Sparks> #agreed Move the FAD to March 11th.
14:24:44 <Sparks> Okay, anything else on this topic?
14:25:15 <zoglesby> i will confirm the move with work and send out an email with the info
14:25:32 <Sparks> zoglesby: Thank you!
14:25:47 <Astradeus> \o/
14:25:59 <Sparks> #topic Security package pushes
14:26:06 <Sparks> Astradeus: Okay, the floor is yours
14:26:33 <d-caf> zoglesby: thank you!
14:27:08 <Astradeus> everyone familiar with the emails?
14:27:34 <Sparks> Astradeus: I'm not.
14:27:35 <d-caf> Astradeus: yes, read the ticket
14:27:46 <Sparks> Astradeus: Perhaps you can provide us with an executive summary?
14:28:12 <d-caf> link: https://fedorahosted.org/rel-eng/ticket/5886
14:28:29 <Astradeus> Sparks: a year ago discussion was started to fast-push critical+urgent packages
14:28:29 <d-caf> #link https://fedorahosted.org/rel-eng/ticket/5886
14:28:38 <d-caf> always forget the method
14:29:19 <Astradeus> and for the glibc-update the push to stable to be delivered to main repos took also almost a day, as it lingered in testing
14:29:27 <Astradeus> so the discussion came up again
14:30:36 <Sparks> The rel-eng ticket seems to think we'd use this only a few times a year where I prefer the Debian model of 'if it's security put it there and the regular repos'.
14:31:36 <d-caf> I think this is going to be more than a few times a year even if it's just important/critical updates
14:31:50 <d-caf> we are seeing more and more crits coming out per year than we used to
14:32:00 <Sparks> true
14:32:22 <Astradeus> i think the idea seems to be to drastically shorten testing time for critical updates, when an updated package is already available
14:32:58 <Sparks> Astradeus: Hopefully the security fix will be well tested beforehand by upstream and RH.
14:34:41 <Astradeus> exactly. i'd think that releng wants security-team to push or sign off those updates to be delivered without testing
14:35:52 <Astradeus> i'd also prefer the solution that the security-team only signs off those updates, as almost always the maintainers just are way more informed about special cases of the respective tool
14:36:58 <d-caf> Wasn't this also to address the issue of maintainers of packages with critical patches who were unresponsive?
14:36:59 <Sparks> Astradeus: I'll follow up with pfrields on the issue.
14:37:31 <d-caf> That was an FST member could push through an update when the maintainer is missing in action
14:37:54 <Sparks> d-caf: Well, a proven-packager
14:40:00 <Sparks> #action Sparks to follow up with pfrields on pushing security updates
14:40:08 <Sparks> Anything else?
14:41:10 <Sparks> #topic Open Floor
14:41:17 <Sparks> Anyone have anything they'd like to discuss?
14:41:44 <Astradeus> question about fedora-infrastructure:
14:42:31 <Astradeus> does being in the fedora-team-fas-group give more information (like discussion group only available internally or something like that)?
14:43:03 <pingou> there are very few forums/lists that are private
14:43:15 <Astradeus> or is the channel(s) + mailing list(s) the "regular" channels?
14:43:29 <pingou> and those that are is because they handle things like subsidies or maintain some packages and thus may receive security-sensible bugs
14:44:02 <pingou> so most things are in the open and being in FAS group will grant you more access, but not to info in the sense of lists/forums
14:44:31 <Astradeus> okay, wasn't sure if i missed out on some topics or if just nothing happened in the meantime
14:44:34 <Astradeus> thanks :)
14:44:55 <pingou> I am aware of 1 irc channel with access restricted
14:45:04 <zoglesby> Well if we are going to start trying to deal with embargoed security issues we need a private list
14:45:14 <pingou> and it's the fedora-ops (iirc) where irc operators can coordinate their effort against trolls
14:45:42 <pingou> zoglesby: these and the ones handling budgets are the only lists I know that are private/restricted
14:45:44 <Astradeus> pingou: sounds useful
14:46:01 <Astradeus> zoglesby: definitely. but nothing happened there so far it seems
14:46:02 <pingou> Astradeus: sometime :)
14:46:07 <d-caf> zoglesby: we had some earlier talks about the security email list
14:46:17 <Sparks> I'd like to use the PGP remailer thingy, too.
14:46:20 <d-caf> to deal with embargo'd tiems
14:46:22 <d-caf> items
14:47:12 <Astradeus> Sparks: that discussion also seems to have been silent for some time, but I'd also see pgp-group-encryption for security@ a really important topic
14:47:54 <d-caf> one item related to that is figuring out the "trust" structure of who is on that list and handles those issues
14:48:22 <Sparks> d-caf: Just me. No one else. :)
14:48:26 <zoglesby> lol
14:48:33 <Sparks> d-caf: I'll just send encrypted email to myself.
14:48:38 <zoglesby> This is all part of the FAD conversation correct?
14:48:42 <Sparks> No trust issues there!
14:49:02 <Astradeus> d-caf: yes, definitely needs to be done also. currently i'm also on security@lists.. without anyone of you really knowing me ;)
14:49:08 <Sparks> zoglesby: It should be discussed at FAD.
14:49:21 <Astradeus> Sparks: sounds good :)
14:50:11 <d-caf> Ideally we would like more than just one person getting the security embargo alerts, in case they are on month-long vacations ;-)
14:50:37 <Sparks> d-caf: Who would do such a thing?
14:50:56 <d-caf> Sparks: only a lucky few...
14:52:03 <nb> .fasinfo sparks
14:52:04 <zodbot> nb: User: sparks, Name: Eric Christensen, email: sparks@redhat.com, Creation: 2007-07-17, IRC Nick: Sparks, Timezone: US/Eastern, Locale: en, GPG key ID: 024BB3D1, Status: active
14:52:07 <zodbot> nb: Approved Groups: @gitfedora-security-team gitcsi cla_fedora cla_done sysadmin-keys @gitdocsglue cvsfedora @docs +gitfedora-wiki @gitfedora-cms fedorabugs packager @docs-publishers @gitweatheralert @docs-writers @gitamateur-radio-menus cla_fpca @gitkeysigning-party-manual @gitsecure-coding @gitcreate-tx-configuration sysadmin-hosted elections sysadmin sysadmin-docs gitpublican-fedora @security-team
14:52:36 <nb> Sparks, how would you feel about provenpackager?
14:52:46 <Sparks> nb: I wouldn't. I don't know what I'm doing.
14:52:47 * nb thinks it might be helpful if you could push security fixes to stuff
14:52:49 <nb> oh ok
14:52:58 * nb had confidence in you :)
14:53:04 <Sparks> nb: Plus we have more qualified people like jsmith
14:53:13 <nb> Sparks, when are our meetings?
14:53:17 * nb would like to get more involved
14:53:42 <Sparks> nb: Which meetings?
14:54:31 <nb> security team
14:54:32 <d-caf> nb: currently having a meeting right now
14:54:39 <Astradeus> nb: always Thursday, 14:00 UTC
14:54:48 <nb> oh shit
14:54:54 * nb thought he was in #fedora-security-team
14:54:59 <nb> sorry
14:55:03 * nb feels like idiot :)
14:55:04 <d-caf> nb: no problem
14:55:31 <stickster> Sparks: hey, not sure if I'm dialing back but I saw your ping earlier
14:55:33 <d-caf> nb: you have now attended part of your first security team meeting ;-)
14:55:36 <Sparks> Okay, anything else before we close for the day?
14:55:44 <stickster> Sparks: have you seen the log/comment I posted in rel-eng ticket 5886?
14:55:48 <nb> there is a security-private list i think
14:56:02 <Sparks> stickster: Yes and I'm going to provide some feedback soon.
14:56:22 <stickster> Sparks: Cool. I think we were thinking along the same lines, but happy to get you, mattdm, me together to discuss.
14:56:34 <nb> yes there is
14:56:40 <nb> not sure what it is currently used for
14:56:48 <stickster> Sparks: feel free to shoot me an invitation or grab for IRC
14:56:57 <Sparks> stickster: Will do.
14:58:39 <Sparks> Okay, anything else?
14:59:54 <Sparks> Thanks, everyone, for coming out to play today! Catch you all next time.
15:00:00 <Sparks> #endmeeting