19:09:41 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
19:09:41 <zodbot> Meeting started Wed Aug 13 19:09:41 2014 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:09:41 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:09:43 <Sparks> #meetingname Fedora Security Team
19:09:44 <zodbot> The meeting name has been set to 'fedora_security_team'
19:09:48 <Sparks> #topic Roll call
19:09:59 * marcdeop is present!
19:10:04 * jrusnack here
19:10:05 * jtaylor90 is present
19:10:08 <bvincent> .fas bvincent
19:10:08 <D-Caf> Here
19:10:08 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
19:10:18 <fabian_a> .fas fabian_a
19:10:18 <zodbot> fabian_a: fab 'Fabian Affolter' <mail@fabian-affolter.ch>
19:11:04 * Sparks 
19:11:36 * revskills present
19:11:50 <bojov> present
19:13:11 <Sparks> Okay, lets get started.
19:13:30 * Sparks appologizes for the delay in the meeting starting.
19:13:35 <Sparks> #topic Roster
19:13:41 <Sparks> #link https://fedoraproject.org/wiki/Security_Team_Roster
19:14:15 <Sparks> Looks like people are starting to populate the page.  If anyone hasn't put their name on there please do so.
19:14:29 <Sparks> #topic Rewards
19:14:30 * marcdeop hasn't. Will do right away
19:15:51 <Sparks> #link https://fedorahosted.org/fedora-badges/ticket/281
19:16:12 <Sparks> I've opened a ticket with the Badges people to establish a set of badges for our team.
19:16:42 <Sparks> If anyone would like to help with artwork please take a look at that ticket.
19:16:45 <Sparks> Any questions?
19:17:21 <Sparks> ...or comments?
19:17:47 <revskills> +1 Sparks
19:18:09 <Sparks> #topic Outstanding BZ Tickets
19:18:14 <Sparks> #topic Outstanding BZ Tickets
19:19:16 <Sparks> #info Monday's numbers: Critical 2, Important 67, Moderate 379, Low 133, Total 581, Trend +6
19:19:46 <Sparks> #info As of Monday, fourteen cases have been closed and 150 others are being worked.
19:20:10 <Sparks> Anyone have anything they want to discuss here?
19:20:23 <siddvicious> Well i do have
19:20:39 <siddvicious> siddvicious, a.k.a siddharth :)
19:20:40 <revskills> Sparks: what about dependences to take care about to remove some packages
19:21:32 <Sparks> revskills: Yeah, that's going to be interesting.  It's really a bigger problem of having packages that are dependent on orphaned packages.
19:21:40 <Sparks> siddvicious: Hiya
19:22:01 <siddvicious> i am not sure i havent attended previous meetings this is first one, i was thinking instead of backporting patches to fedora may be if possible rebase packages
19:22:18 <revskills> totally agree, I don't think so much about this before..
19:22:26 <Sparks> revskills: I would have much preferred if releng would have worked that issue differently.
19:23:05 <Sparks> revskills: But they are ultimately responsible for the gardening that takes place in the repos.
19:23:17 <revskills> yes, only is something to think for some packages and probably a good idea if we can try to say to someone hey, we need your update because your package is a dependece of .. whatever
19:23:31 <Sparks> revskills: It would seem that the easiest answer would be to have the person who needs those packages to adopt them.
19:23:51 <marcdeop> Sparks: I am not so sure that would work
19:24:44 <Sparks> marcdeop: I suspect I wouldn't be able to maintain some of the packages my packages depend on.  It's not a great solution but neither is having unmaintained bits.
19:25:47 <D-Caf> Will security trump, the packages that depend on it functioning?
19:25:48 <revskills> Sparks: do you mean to backport/embed?
19:26:12 <marcdeop> well, the package you depend on might be really complicated
19:26:19 <revskills> this will be a serious problem for us.. think about openssl..
19:26:21 <marcdeop> and maybe too much work for you to mantain them properly
19:26:51 <Sparks> D-Caf: That's up to releng.  I only informed them of packages that were orphaned that had security vulnerabilities.  Their response was to retire the packages from EPEL since they weren't being maintained.
19:27:22 <revskills> I think we have two options, discuss with the mantainer about to change the dependence because the vuln, or try to solve the vuln with the mantainer of the dependence
19:27:26 <Sparks> marcdeop: Yes, exactly what I said.  It's a bad situation but depending on orphaned packages isn't a great solution, either.
19:28:06 <Sparks> revskills: I mean, we can always as a provenpackager to push an update but I feel that's more up to releng than us asking someone to do so.
19:28:21 <revskills> +1 Sparks
19:29:44 <Sparks> I prefer providing the people that have the responsibility to maintain the bits with the information they need.
19:30:30 <Sparks> siddvicious: Sorry, what was it that you wanted to talk about?
19:30:46 <siddvicious> Sparks, is there a documented workflow for handling security issues for fedora
19:31:10 <revskills> siddvicious: yes, ask in #fedora-security-team later
19:31:12 <bojov> some kind of delegating responsibility?
19:32:07 <Sparks> siddvicious: https://fedoraproject.org/wiki/Security_Team#Work_Flow
19:32:18 <D-Caf> Getting access to work tickets?  I can comment but not edit white board or close, no luck on irc, someone/group to email?
19:32:31 <siddvicious> and what i was saying initially , was that for old security bugs we could just rebase the packages instead of backporting patches
19:32:44 <Sparks> D-Caf: I'm in so many groups in BZ I'm not sure what permissions need to happen.
19:33:10 <Sparks> #action Sparks to ask Fedora Admins or RH BZ admins what permissions are needed to edit Fedora tickets.
19:33:13 <revskills> me too, I'm using my @redhat.com account
19:33:34 <siddvicious> i am not using my @redhat.com account
19:33:56 <Sparks> Please use your FAS email address in BZ and I'll work on it.
19:33:57 <D-Caf> I don't have a red hat account ;-)
19:34:05 <revskills> siddvicious: we are talking about the permissions in bz for non redhat people to update the whiteboard
19:34:08 <Sparks> siddvicious: I think you can rebase packages without trouble in Fedora/EPEL.
19:34:23 <siddvicious> Sparks, but in EPEL there is problem
19:34:32 <Sparks> revskills: I suspect that many RH people lack the permissions in BZ as well.
19:34:47 <Sparks> siddvicious: I'm listening
19:34:49 <siddvicious> packager has to make sure that it works
19:34:55 <Sparks> yes
19:35:18 <Sparks> siddvicious: So, it's up to the packager (or the proven packager) to fix the bugs.
19:35:31 <siddvicious> i mean in those cases rebasing is not a solution always , for e.g epel 5
19:36:21 <Sparks> siddvicious: Sure, but that's up to the packager not us.
19:36:37 <Sparks> siddvicious: We just want to help get the fix into the package.
19:37:20 <jrusnack> Sparks: so you are saying rebasing for security fix is fine for EPEL. Doesn`t it violate EPEL policy ?
19:37:52 <Sparks> jrusnack: I don't think it does but I don't know for sure.
19:38:04 * Sparks rebases his EPEL packages
19:38:20 <jrusnack> https://fedoraproject.org/wiki/EPEL/GuidelinesAndPolicies#Security_Updates
19:38:30 <jrusnack> alright then
19:39:40 <Sparks> Yeah, that makes sense although when rebasing you'll likely bring in new features and bug fixes.
19:40:25 <jrusnack> certainly. How about rebasing to next major version in EPEL 5 ? :)
19:40:35 <Sparks> right
19:40:44 <Sparks> thus exists the problem
19:41:09 <Sparks> but, again, this isn't up to us.  If the packager would prefer to backport the fix and we can help get a patch then I'm fine with that.
19:42:01 <jrusnack> sure, thanks. In my experience so far they don`t want to backport
19:42:12 <Sparks> yeah, it's work.  ;)
19:42:27 <revskills> jrusnack: they don't want to backport normally
19:42:30 * Sparks hates backporting especially when upstream just does a new release
19:42:59 <revskills> my experience is the same, allways someone ask can we update?
19:45:11 <Sparks> Does anyone have anything else they'd like to talk about or other questions?
19:47:50 <Sparks> Okay, unless there are objections I'm going to go ahead and close the meeting and we can get back to our day.
19:49:13 <Sparks> Okay, thanks to everyone for coming.
19:49:21 <revskills> thanks Sparks!
19:49:29 <Sparks> #endmeeting