13:00:42 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
13:00:42 <zodbot> Meeting started Thu Oct 30 13:00:42 2014 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:42 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:00:45 <Sparks> #meetingname Fedora Security Team
13:00:45 <zodbot> The meeting name has been set to 'fedora_security_team'
13:00:58 <pjp> Sparks: Hi,
13:00:59 <Sparks> #topic Roll call
13:01:54 <pjp> Hi!
13:02:22 * mhayden hops in
13:05:13 * jrusnack here
13:06:19 <Sparks> Okay... let's get started.
13:06:26 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
13:06:32 <Sparks> #topic Meeting time
13:06:42 <Sparks> #info Currently we meet at 13:00UTC. After daylight savings expires this weekend (US) we'll change to 14:00UTC.
13:06:50 <Sparks> Anyone have any problems with this?
13:07:07 <mhayden> that sounds good to me
13:07:12 <jrusnack> fine for me
13:07:21 * mhayden is horrible at TZ conversions :/
13:07:26 <pjp> Yep, good for me too.
13:07:36 <pjp> mhayden: :)
13:07:42 <pjp> same here,
13:08:47 <Sparks> Okay, moving on.
13:08:51 <Sparks> #topic Outstanding BZ Tickets
13:08:58 <Sparks> #info Wednesday's numbers: Critical 1, Important 44, Moderate 337, Low 125, Total 507, Trend -8
13:09:06 <Sparks> #info Current tickets owned: 182 (~36%)
13:09:11 <Sparks> #info Tickets closed: 144
13:09:24 <Sparks> Any questions or comments?
13:10:00 <mhayden> i'd like to get more involved with reducing those numbers, but i'm not sure about the best approach
13:11:11 <Sparks> mhayden: Beating the drums is always encouraged.
13:11:19 <mhayden> hah :) i'm familiar with that
13:11:30 <mhayden> is there a BZ search link i can use to find those tickets?
13:11:34 <pjp> mhayden: take one of the open ones by assigning it to yourself,
13:12:24 <Sparks> https://fedoraproject.org/wiki/Security_Team#Contact
13:12:51 <mhayden> that's perfect -- thanks Sparks
13:13:32 <Sparks> #topic Open floor discussion/questions/comments
13:13:37 <Sparks> Anyone have anything?
13:13:43 <pjp> Yep,
13:14:00 <pjp> We plan to cover these basics of how to triage open security bugs, day after tomorrow at FAD
13:14:16 <Sparks> pjp: Cool
13:14:45 <fenrus02> Sparks, is openscap absent from the wiki above, or just forgotten?
13:15:48 <pjp> any suggestions for the FAD, as to which details are good to be shared, if anything we should avoid or if we should focus on any specific package/product?
13:16:11 <Sparks> fenrus02: ummm.. not forgotten but not really useful to us at the moment.
13:16:38 <pjp> in the beginning I plan to brief the attendees about Fedora Security team, its mission, and how we operate, and then proceed towards collective bug triaging
13:16:49 <Sparks> pjp: +1
13:16:50 <mhayden> pjp: that sounds useful
13:17:16 <pjp> Not sure if you've seen it, I sent it to fedora-security list too -> https://pjps.wordpress.com/2014/10/18/fedora-activity-day-1-nov-2014-theme-security/
13:17:34 <mhayden> i'd like to circle back on this thread here and talk about notifications -> https://lists.fedoraproject.org/pipermail/security/2014-October/001990.html
13:17:43 <fenrus02> Sparks, same with 'checksec' ?
13:17:59 <Sparks> fenrus02: I'm not familiar with checksec. Tell me about it.
13:18:28 <mhayden> fenrus02: i assume you mean checksec.sh, not the company?
13:18:29 <pjp> IMO, we need to groom a group of people who could regularly do Fedora package audits
13:18:59 <fenrus02> Sparks, in theory, all running daemons or long-running procs have relro / pie / and several other compile time options set. checksec locates those items. it could be classified as a bug if they don't
13:19:23 <Sparks> fenrus02: That sounds useful.
13:19:39 <fenrus02> Sparks, yes, it's a .sh - but packaged without the extension
13:20:02 <pjp> fenrus02: please feel free to add it to the wiki,
13:20:12 <bvincent> fenrus02: That's the script that checks for NX, etc. Right?
13:20:17 <fenrus02> yes.
13:20:55 <Sparks> fenrus02: Heard of checksec2?
13:21:02 <fenrus02> no?
13:21:13 <fenrus02> not packaged?
13:21:31 <jrusnack> links ?
13:21:54 <fenrus02> pjp, added.
13:22:07 <pjp> fenrus02: thank you.
13:23:29 <Sparks> fenrus02: Looking
13:23:31 <pjp> The tools/resources section is meant to collate useful security tools, anything that fits that bill is good to be listed there
13:24:06 <Sparks> https://github.com/kholia/checksec
13:24:07 <mhayden> Sparks: dang, checksec2 is handy
13:24:37 <pjp> Sparks: http://jacekalex.sh.dug.net.pl/checksec2 ?
13:25:25 <Sparks> pjp: Yes!
13:26:35 <fenrus02> seems that http://jacekalex.sh.dug.net.pl/checksec2 is older than http://www.trapkit.de/tools/checksec.html (which is packaged)
13:30:24 <Sparks> fenrus02: I think checksec2 has some added features.
13:30:46 <pjp> So, any suggestions for the upcoming FAD, if you'd like me to cover anything specific or triage bugs for any package/product etc. please let me know,
13:30:54 <Sparks> fenrus02: But I haven't been following that. I just happened to have a Product Security ninja on the phone when you asked.
13:31:01 <fenrus02> Sparks, that would be odd. the trapkit version lists the jacekalex as a predecessor
13:31:53 <Sparks> fenrus02: What would be odd?
13:32:53 <fenrus02> Sparks, the url above listed as 'checksec2' (v1.3) is listed in the history changelog of the url above labeled as 'checksec' (v1.5).
13:33:44 <Sparks> fenrus02: Oh, maybe they came together. I really don't know.
13:34:45 <bvincent> For anyone who uses Drupal. #link https://www.drupal.org/PSA-2014-003
13:34:58 <fenrus02> Sparks, nor i. just reading the urls changelogs above. your ninja would know more
13:35:05 <bvincent> The EPEL packages are a little behind, but it looks like they're in testing.
13:35:33 <Sparks> bvincent: People still use Drupal?
13:35:35 * Sparks runs
13:35:44 <pjp> :)
13:36:07 <bvincent> Sparks: A certain university does.
13:36:29 <Sparks> bvincent: A certain open source company does, too.
13:37:00 <Sparks> fenrus02: I'll see if I can find out anything.
13:37:06 <bvincent> Sparks: Drupal becomes so over customized, I never can pick the sites out anymore.
13:37:21 <bvincent> Sparks: Typically the fixed header should have given it away. Ha.
13:38:55 <Sparks> #action Sparks to follow up with fenrus02 (via the security list) on checksec and checksec2.
13:39:03 <Sparks> Anyone have anything else?
13:39:56 <pjp> Not me,
13:43:29 <mhayden> i'll defer on my mailing list topic until i can figure out a suggested solution
13:44:34 <pjp> mhayden: I guess those are the security update announcements via bodhi, right?
13:44:59 <mhayden> right -- just trying to think of something a bit more consumable for companies and individual users who depend on fedora daily
13:45:11 * mhayden is building a product at $dayjob on fedora ;)
13:45:23 <pjp> Cool!
13:45:32 <pjp> mhayden: they have RSS feeds too I think,
13:45:59 <mhayden> i had originally tied the RSS feeds from https://admin.fedoraproject.org/updates/ to a twitter account (@fedorasecurity)
13:46:13 <mhayden> but then the script fell apart and someone from RHT's sec team asked for the account -- i transferred it
13:46:34 <Sparks> Oh,
13:46:42 <Sparks> err.
13:46:56 <Sparks> never mind. I'll need to see how feasible this is first.
13:46:57 <Sparks> :)
13:47:10 <Sparks> Okay, I'm closing it up unless someone has something else.
13:47:11 <jrusnack> mhayden: I think that would be revskills ?
13:47:24 <mhayden> jrusnack: you might be right, i'd have to dig through emails ;)
13:47:38 <mhayden> Sparks: feel free to close, i'm just rambling
13:48:10 <Sparks> Okay, we can ramble over in #fedora-security-team
13:48:16 <Sparks> Everyone have a good day!
13:48:17 <pjp> :)
13:48:22 <pjp> Thank you.
13:48:22 <Sparks> #endmeeting