14:00:07 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:07 Meeting started Thu Nov 13 14:00:07 2014 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:07 Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:11 #meetingname Fedora Security Team
14:00:11 The meeting name has been set to 'fedora_security_team'
14:00:13 #topic Roll Call
14:00:14 * Sparks
14:00:16 .fas bvincent
14:00:17 bvincent: bvincent 'Brandon Vincent'
14:00:25 * pjp here
14:00:32 .fas mhayden
14:00:33 mhayden: mhayden 'Major Hayden'
14:00:43 .fas pjp
14:00:46 pjp: pjp '' - pjpedro 'PJ Pedro' - sandeepj 'sandeepj'
14:02:37 Okay, let's get started.
14:02:47 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:02:55 #topic Follow up on last week's action items
14:03:12 #action Sparks to follow up with fenrus02 (via the security list) on checksec and checksec2.
14:03:18 I didn't get to that... :(
14:03:25 #topic Outstanding BZ Tickets
14:03:38 #info Wednesday's numbers: Critical 1, Important 46, Moderate 357, Low 163, Total 567, Trend +60
14:03:48 #info Current tickets owned: 209 (~37%)
14:03:55 #info Tickets closed: 154
14:05:22 Anyone have anything for this topic this morning?
14:05:58 I've been following up with the bugs that I triaged during FAD,
14:06:31 Most maintainers are non-responsive,
14:06:52 one says - This package is mostly dead upstream...
14:06:52 So I need to check I can fix it myself, and if it still works.
14:07:05 Yeah, I think we might have cleaned up all the "easy" ones.
14:07:19 Oracle will be addressing a nearly decade-old vulnerability in JDK which we had a ticket from 2010 about.
14:07:32 Oh boy
14:07:35 Nice
14:07:39 Better late than...
14:07:48 Yep,
14:08:06 They (Oracle) seemed pretty shocked.
14:08:31 I was surprised given the nature of Oracle products that this wasn't a common occurrence.
14:10:15 I think we need to ping periodically on these bugs, and use the non-responsive maintainer policy if they remain unattended for long.
14:10:21 -> https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
14:11:08 +1
14:11:13 Is it possible to have a Bugzilla hook to have an automated ping on old security bugs?
14:11:39 or even as newer bugs grow older than they should
14:12:15 #topic Open floor discussion/questions/comments
14:12:30 pjp: whineatnews.pl
14:13:11 There are cases wherein bugs were closed because the Fedora release reached ELS, and were reopened against latest releases
14:13:22 bvincent: okay,
14:14:09 #link http://www.bugzilla.org/docs/4.4/en/html/whining.html
14:14:17 * pjp clicks
14:14:29 It might be different now, but it would still require changes to the RH BZ, which probably wouldn't happen.
14:14:30 bvincent: thank you.
14:14:53 Maybe a request to fedora-infra could help?
14:15:10 pjp: I think it's release engineering.
14:15:14 I love that it's called the "whining" module ;)
14:16:05 Ideally IMO, security bugs should not overlap into the next new release, i.e. 6 months at max.
14:16:18 mhayden: whineatnews.pl I believe is deprecated, they've renamed it to whine.pl. Still quite appropriate.
14:16:33 heh..yep, :)
14:17:56 nvm, and probably OT, I was wrong, they still have two perl scripts for whining.
14:18:29 Even better,
14:19:47 Sparks: okay, I'll talk to them about it.
14:19:59 Okay, anyone have anything else?
14:20:08 * Sparks is double-booked this morning
14:20:20 nothing for me
14:20:34 * pjp also makes a note to ping maintainers about retiring dead packages
14:21:13 Okay, I'll follow up on this stuff later this morning.
14:21:18 nothing much for me too,
14:21:30 Thanks everyone for coming.
14:21:35 Thank you.
14:21:51 #endmeeting