#fedora-security log

14:59:49 <q5sys> #startmeeting Security (2022-05-19)
14:59:49 <zodbot> Meeting started Thu May 19 14:59:49 2022 UTC.
14:59:49 <zodbot> This meeting is logged and archived in a public location.
14:59:49 <zodbot> The chair is q5sys. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
14:59:49 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:59:49 <zodbot> The meeting name has been set to 'security_(2022-05-19)'
15:00:02 <q5sys> #meetingname security
15:00:02 <zodbot> The meeting name has been set to 'security'
15:00:17 <q5sys> #chair q5sys
15:00:17 <zodbot> Current chairs: q5sys
15:00:27 <q5sys> #link Temporary issues location : https://pagure.io/Fedora-Security-Team/issues
15:00:27 <q5sys> #topic Open floor to discuss anything security related
15:00:27 <q5sys> #info I will be away on a business trip next week, so the meeting next week on the 26th will not occur.  Next meeting will be June 2nd.
15:01:53 <mhayden> enjoy the trip!
15:02:13 <q5sys> I don't have anything on deck for today.  I got tickets made based on things from the mailing list and what we spoke about last week for us to start working on.  But since I'm away next week for a business trip, I haven't had much time to do much since I've got a lot to take care of before I go.
15:02:13 <q5sys> So this week is an open floor if anyone has anything to bring up.
15:02:16 <mhayden> so I'm a member of the cloud SIG and I brought up something on the ML this week about cloud image update guidelines
15:02:20 * mhayden digs for a link
15:02:45 <mhayden> #link https://lists.fedoraproject.org/archives/list/cloud@lists.fedoraproject.org/thread/3ZZC4HBUEM5CMUZLBKCGNOOEN6QTICQX/
15:03:08 <mhayden> the goal is to set up some guidelines to help us make more objective, less subjective, decisions about changes to cloud images
15:03:29 <mhayden> obviously, some changes to default package sets or listening services could have security implications
15:04:36 <mhayden> it looks like i'll have to suggest some kind of strawman or first draft that we can pick apart, but i'd welcome security-related feedback on the guidelines
15:04:40 <mhayden> nothing to review yet. 😉
15:06:19 <q5sys> ah service security... the reason I ended up trying to restart this team.   I'm dealing with that at work right now, and when an email to the devel mailinglist came up none of the security hardening options being enabled by default, I spoke with Matthew and Ben and decided to figure out how to move the needle on that.  But since that's definitely in the Security domain, I wanted to make sure it was done under the security umbrella so others
15:06:19 <q5sys> could give their input and the best way to proceed could be worked out with everyone's collective intelligence.
15:06:54 <mhayden> yeah, i'd like a discussion of a possible fedora security hardened cloud image at some point
15:07:04 <q5sys> While there are a lot of service hardening options, a lot are going to be very system/use-case specific.
15:07:59 <q5sys> But some just seem like no brainers to have as defaults... eg "Should nginx be able to inject code into the kernel?"  Im going to say no to that.  If someone -really- needs that they can enable that themselves.
15:08:27 <mhayden> hah, makes sense
15:11:34 <q5sys> I think the main issue is going to be... "Where should the change take place?"  In a perfect world, security defaults should be upstream for the most obvious things.   But I think we're going to convince upstream projects to make that is we show an example of doing it and there being no issues.   So Im guessing there will be a lot of conversations with the package maintainers in Fedora to convince them to implement whatever through patching
15:11:34 <q5sys> the service files.
15:13:37 <mhayden> 💯 agreed
15:13:47 <mhayden> that was really the only topic i had
15:17:05 <q5sys> Step 1: Get the band back together
15:17:05 <q5sys> Step 2: Start working towards improving things where we can.
15:17:07 <q5sys> :P
15:17:29 <mhayden> and make beautiful music
15:17:35 <mhayden> 😂
15:17:45 <q5sys> * 😛
15:19:55 <rschiron> have we already considered using the best security compiler options?
15:20:54 <q5sys> That might have been brought up in the past, but if so I'm unaware of it.
15:21:47 <rschiron> i think it was by huzaifas , let me see if i can find the link
15:22:44 <rschiron> https://fedoraproject.org/wiki/Changes/HardenedCompiler
15:22:48 <rschiron> not sure what's the current status though
15:23:11 <rschiron> but i think it is definitely a thing to consider as it improves the situation overall
15:24:25 <q5sys> Thanks for the link. I'll read through that tonight and make a ticket for me to follow up with him on it.
15:29:16 <rschiron> and i'm not sure whether it's part of that link, but i think there are 2 things: one is compile Fedora with stronger gcc options, two is make those options default even when you execute gcc, as a regular user, for your own project
15:33:19 <q5sys> sounds good to me
15:38:05 <q5sys> I wonder how long itd take me to do a full build of Fedora on one of my servers, it'd be nice to build that locally and test it out.
15:56:14 <rschiron> i think most of those options in the link above are actually used to build packages in fedora, probably they are not for user projects though
15:59:51 <q5sys> i'll need to look into it.
16:00:29 <q5sys> At any rate I'm closing out the meeting.  But as always everyone is welcome to leave comments in the channel at any point. I'll read them.  As mentioned previously no meeting next week.  Next one will be the 1st week in June, at the same time and place.
16:00:31 <rschiron> but there are others that might be interesting.. just looking at "-fstack-clash-protection" now, which seems could have protected against a bunch of systemd flaws that happened this year IIRC
16:00:46 <q5sys> #endmeeting