14:14:19 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:14:19 <zodbot> Meeting started Thu Jan 15 14:14:19 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:14:19 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:14:22 <Sparks> #meetingname Fedora Security Team
14:14:22 <zodbot> The meeting name has been set to 'fedora_security_team'
14:14:26 <Sparks> #topic Roll Call
14:14:27 * Sparks 
14:14:45 <bvincent> .fas bvincent
14:14:47 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
14:16:09 <Sparks> Okay, looks like a short meeting today.
14:16:10 <Sparks> :)
14:16:23 <Sparks> #topic Outstanding BZ Tickets
14:17:15 <Sparks> #info The EPEL vulnerabilities on orphaned packages have been dealt with by Rel-Eng.  Those packages have been retired.
14:17:33 <Sparks> #info There is a plan to proactively retire orphaned packages in the future.
14:17:45 <bvincent> That sounds good.
14:18:24 <Sparks> #idea We should close security tickets for those retired packages as WONTFIX with text saying that the package has been retired.
14:19:48 <Sparks> My thinking is that closing these tickets as WONTFIX will at least get them off the radar while making it easy for someone to find them if they ever want to unretire a package.
14:20:36 <bvincent> Sounds fair. Having the ticket reopened if someone wants to take ownership makes sense.
14:21:44 <Sparks> Anyone else?
14:22:09 <Sparks> #agreed We'll close retired packages' tickets as WONTFIX.
14:22:40 <Sparks> Anyone have anything else ticket-related?
14:23:26 * jtaylor90 is all set
14:24:07 <Sparks> #topic Open floor discussion/questions/comments
14:24:11 <Sparks> Anyone have anything?
14:24:42 <falonso> nothing more to add, only the pjp patience with PermitRootLogin :-)
14:25:08 <bvincent> Watching my inbox grow due to that mailing list post is quite entertaining.
14:25:52 <Sparks> heh
14:26:05 <falonso> it is quite complicated to have the support of users for some security reasons
14:26:53 <falonso> but we will need to learn from this thread in order to have "power of decision" about security things
14:27:05 <falonso> like firewall/PIE/whatever
14:27:42 * jsmith is late to the meeting, sorry
14:27:43 <sgallagh> Just to chime in: FESCo's ruling was that changing the PermitRootLogin in a vacuum was too disruptive.
14:28:12 <sgallagh> It needs a *lot* of surrounding work, with anaconda at a minimum, to avoid breaking common setups.
14:28:38 <sgallagh> Particularly those where having a non-root local user is unacceptable (such as domain-managed systems)
14:28:52 <sgallagh> (Where a local user account may actually overlap with domain accounts)
14:28:54 <falonso> sgallagh: I agree, we need to learn together to change the things and help to have a 'security by default' distro at least
14:29:04 <sgallagh> falonso: Yes, absolutely.
14:30:27 <Sparks> Okay, anything else?
14:31:09 <falonso> nothing else
14:31:58 <Sparks> Okay, we'll go ahead and end early, today.  I'll get to work closing bugs and will send out the latest bug counts after I do.
14:32:07 <Sparks> Thanks for coming everyone.
14:32:13 <falonso> thanks Sparks
14:32:16 <Sparks> #endmeeting