14:00:43 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:43 <zodbot> Meeting started Thu Apr  2 14:00:43 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:43 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:46 <Sparks> #meetingname Fedora Security Team
14:00:46 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:49 <Sparks> #topic Roll Call
14:00:50 * Sparks 
14:04:00 <pjp> .hellomynameis pjp
14:04:01 <zodbot> pjp: pjp 'None' <pj.pandit@yahoo.co.in>
14:04:20 <Sparks> Oh good, we have someone.
14:04:24 <bvincent> .fas bvincent
14:04:25 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
14:04:31 <pjp> Sparks: He..he...:)
14:08:09 <pjp> bvincent: whas is ASU ?
14:08:15 <pjp> s/whas/what
14:08:47 <bvincent> pjp: Largest public university in the United States by enrollment.
14:09:03 <Sparks> Okay, lets get going.
14:09:13 <pjp> bvincent: Arizona state ?
14:09:17 <pjp> Sparks: Yep,
14:09:18 <bvincent> pjp: Correct.
14:09:21 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:09:29 <Sparks> #topic Outstanding BZ Tickets
14:09:39 <Sparks> #info Thursday's numbers: Critical 1, Important 48 (+2), Moderate 379 (+3), Low 170 (+7), Total 598, Trend +12
14:09:45 <Sparks> #info Current tickets owned: 169 (~28%)
14:09:49 <Sparks> #info Tickets closed: 249 (+2)
14:10:03 <Sparks> That one critical bug has been there for a while.
14:10:10 * Sparks goes to update
14:10:15 * pjp checks what it is
14:10:28 <Sparks> rubygem-activesupport
14:10:48 <Sparks> jsmith: PING
14:10:58 <jsmith> Sparks: PONG
14:11:17 <pjp> Wow, there is -> http://fedorasecurity.com/ :)
14:11:25 * pjp didn't know
14:11:53 <Sparks> jsmith: Can you take a look at https://bugzilla.redhat.com/show_bug.cgi?id=905374 and see if this is something you could take care of?
14:12:36 <Sparks> jsmith: There appears to be a fix available from upstream.
14:12:42 <jsmith> Sparks: I can easily apply the patch -- but I don't know how to test, etc.
14:12:59 * Sparks shrugs.
14:13:14 <Sparks> I guess you can apply the patch and see who yells if it breaks something.
14:13:17 <bvincent> jsmith: PoC exists.
14:13:24 <jsmith> WORKSFORME.... I'll take care of it
14:13:36 <bvincent> #link http://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html
14:17:32 <Sparks> #action jsmith to patch rubygem-activesupport as provenpackager (BZ 905374)
14:18:30 <Sparks> jsmith: Should we also start a non-responsive maintainer request as well?
14:18:38 <jsmith> Sparks: Please :-)
14:18:53 <Sparks> Who want to handle that?
14:19:45 <pjp> Sparks: non responsive maintainer against rubygem-activesupport ?
14:19:51 <Sparks> yes
14:20:00 <pjp> Sparks: okay, I'll do that
14:20:20 <Sparks> #action pjp to start non-responsive maintainer against rubygem-activesupport in EPEL6
14:21:24 <Sparks> It looks like the majority of the Important (priority HIGH) cases are owned (54 of 63) but these are the cases that should all be owned and being actively worked.
14:22:21 <Sparks> I'm as much at fault for letting these fester.  Can we set a goal of the beginning of June to have all old (circa 2014 and before) Important CVEs completed?
14:23:56 <pjp> Sparks: I think June end is good,
14:24:13 <Sparks> pjp: Okay, so three months.
14:24:20 <pjp> Sparks: Yep,
14:25:01 <Sparks> #action Team Goal: All important CVEs from 2014 and before should be fixed by the end of June.
14:25:15 <Sparks> #action Sparks to talk about the team goal to the list.
14:25:36 <Sparks> #action Sparks to complete the tickets of packages removed from EPEL earlier this year.
14:26:26 <Sparks> Anything else for the tickets?
14:26:40 <pjp> None for me,
14:27:58 <Sparks> #topic Open floor discussion/questions/comments
14:28:05 <Sparks> Anyone have anything?
14:29:11 <striker> Can I ask a question about Luks?
14:29:28 <Sparks> striker: Sure
14:30:08 <striker> Is it possible to have the default Luks encryption that Anaconda uses changed to a tougher cipher?
14:30:32 <Sparks> striker: Yes.
14:30:55 <Sparks> striker: Are you asking for the default cipher to be stronger or that you just want it to be on your systems?
14:31:04 <Sparks> striker: And what cipher do you think it's using?
14:32:59 <striker> Asking that it be stronger on the ISOs - I think the default is aes-xts-plain64?
14:33:49 <bvincent> striker: That is the default for cryptsetup - aes-xts-plain64:sha256 with 512-bit keys.
14:33:56 <pjp> striker: on the ISOs ?
14:35:02 <striker> I am sorry - I think I misunderstood what I was looking at.
14:35:09 <striker> Apologies for the noise.
14:35:24 <pjp> striker: No problem, :)
14:35:25 <Sparks> striker: No worries.  It's good to know.
14:36:26 <Sparks> Anyone have anything else?
14:38:19 * pjp none
14:39:31 <Sparks> Okay, we'll go ahead and end.  I'll try to follow up on the action items early next week before the meeting.
14:39:36 <Sparks> Thanks everyone.
14:39:39 <Sparks> #endmeeting