14:00:08 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:08 <zodbot> Meeting started Thu Apr 23 14:00:08 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:08 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:11 <Sparks> #meetingname Fedora Security Team
14:00:11 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:15 <Sparks> #topic Roll Call
14:00:17 * Sparks 
14:00:24 * d-caf 
14:01:23 <pjp> .hellomynameis pjp
14:01:24 <zodbot> pjp: pjp 'None' <pj.pandit@yahoo.co.in>
14:03:32 * Sparks was hoping jsmith would be joining us this morning since he has news on this critical bug
14:03:44 <pjp> Oh,
14:04:08 <jrusnack> Sparks: the rubygem-activesupport ?
14:04:12 <pjp> Sparks: the fedora maintainer said he'll take look at EPEL build in the coming week
14:04:26 <pjp> Sparks: -> https://bugzilla.redhat.com/show_bug.cgi?id=1209124#c7
14:04:45 * jsmith shows up late
14:04:53 <Sparks> jsmith: Just in time!
14:04:54 <pjp> jsmith: Hi, :)
14:05:17 <Sparks> Okay, lets get started.
14:05:22 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:05:32 <Sparks> #chair jsmith pjp d-caf
14:05:32 <zodbot> Current chairs: Sparks d-caf jsmith pjp
14:05:42 <Sparks> #topic Follow up on last week's tasks
14:05:48 <Sparks> jsmith to patch rubygem-activesupport as provenpackager (BZ 905374)
14:05:51 <Sparks> jsmith: What say you?
14:06:09 <jsmith> We'll get 2.3.18 pushed to testing today or tomorrow, but without the testing
14:06:15 <jsmith> (matching what was already done in EL-5)
14:06:31 <jsmith> So far, things are looking good (with limited manual testing)
14:06:31 <Sparks> awesome?
14:06:40 <jsmith> Better than having a security problem :-)
14:06:50 <jrusnack> btw have we triaged that bug ?
14:06:57 <pjp> jsmith: That's cool! :)
14:07:17 <jrusnack> I mean, it was critical as it allowed unauthenticated  RCE in rails, but rails stack is not present in el6, so...
14:08:28 <Sparks> pjp: Whatever happened with the non-responsive maintainer on that package?
14:10:48 <pjp> Sparks: he said he no longer uses the package on from epel, so is not interested in maintaining it further,
14:11:11 <pjp> Sparks: -> https://bugzilla.redhat.com/show_bug.cgi?id=1209124#c4
14:11:31 <Sparks> pjp: Okay, what's next?
14:12:41 <pjp> Sparks: Next, the Fedora maintainer is going to look after the EPEL branches, so we need not look for another maintainer
14:13:22 <Sparks> Okay, cool
14:13:29 <Sparks> #topic 90-Day Challenge
14:13:35 <pjp> jsmith: maybe you could talk to Mo Morsi about your build issues,
14:13:36 <Sparks> #info 90-Day Challenge has a goal to close all 2014 and prior Important CVEs in Fedora
14:13:44 <Sparks> #info As of 2015-04-23, of the 38 target bugs 6 have been closed, 3 are On_QA, 29 are Open
14:13:51 <Sparks> #info Three cases need to be pushed to non-responsive packager process on Monday.
14:13:57 <Sparks> #link https://sparks.fedorapeople.org/90-day_Challenge.ods
14:14:13 * pjp clicks
14:14:44 <d-caf> Sparks: I believe several more need to be put on non-responsive next monday
14:14:52 <pjp> Sparks: why not a text file? ;)
14:15:27 * pjp can not open .ods,
14:15:47 <Sparks> Many of the cases aren't being updated.  If I don't see the assigned FST person update their tickets by next Thursday I'm going to remove them from the case.  There were many tickets that hadn't been touched this year.
14:16:01 <Sparks> pjp: How can you not open up a .ods?
14:16:34 <pjp> Sparks: Yep, got it with gnumeric
14:16:53 <pjp> Sparks: there is ethercal too -> https://ethercalc.org/
14:16:54 <d-caf> 1132022, 1170654, 1175763, 1101057 for examples
14:17:11 <Sparks> That's true.
14:17:49 <Sparks> d-caf: The cases I pointed to are the ones I specifically said in the ticket that I was going to do so because they had actually been followed up on recently.
14:18:06 <d-caf> Sparks: I have touched all these tickets this year, additionally have reached out via email with no luck
14:18:26 <Sparks> d-caf: If it's not on the ticket it didn't happen.
14:18:45 <Sparks> :)
14:19:06 <d-caf> Sparks: I updated the tickets this year as well (and got no response) though I may not have updated all of them in the last two weeks
14:19:32 <Sparks> d-caf: That's fine.  Feel free to start the non-responsive process.  I'm not saying to not do so.
14:20:12 <Sparks> I was just pointing out the ones that I felt had been "worked" enough with no response.
14:21:26 <Sparks> Overall I think there's been good progress on the Important bugs.
14:22:23 <pjp> I'll take up few to start non-responsive process with them,
14:22:40 <pjp> Sparks: Is it okay if we import the spreadsheet to ethercalc?
14:22:49 <Sparks> sure
14:23:59 <Sparks> pjp: Just give us the URL
14:24:05 <pjp> Yes,
14:24:08 <Sparks> :)
14:24:09 * pjp trying to see how to import it,
14:24:58 <Sparks> Okay, lets move on
14:25:05 <Sparks> #topic Outstanding BZ Tickets
14:25:35 <Sparks> #info Thursday's numbers: Critical 1, Important 42 (+3), Moderate 344 (+11), Low 161 (+2), Total 548, Trend +16
14:25:41 <Sparks> #info Current tickets owned: 133 (~24%)
14:25:47 <Sparks> #info Tickets closed: 289 (+11)
14:26:07 <Sparks> Looks like we had an influx of tickets since last week.
14:26:44 <jsmith> I see that a bunch of them are for drupal7-views (in various branches), but it looks like it was already updated
14:26:51 <jsmith> (back in February, if I remember correctly)
14:27:13 <jsmith> So that may have something to do with it
14:27:20 <pjp> Recently there were more drupal issues, no?
14:28:05 <pjp> -> http://www.openwall.com/lists/oss-security/2015/04/21/7
14:28:35 <Sparks> jsmith: Who is managing drupal7?
14:28:44 <jsmith> pjp: Most of those drupal modules are *not* packaged in Fedora/EPEL
14:28:55 <pjp> jsmith: Oh, I see
14:29:06 <jsmith> Sparks: Myself, Peter Borsa, Paul Frields, and Shawn Iwinski
14:29:30 <jsmith> Sparks: We're *very actively* staying on top of any Drupal issues, especially security-related ones
14:30:14 <pjp> jsmith: So, these modules need to be packaged separately as independent packages or are sub-packages of Drupal?
14:30:26 <jsmith> pjp: They're independent packages
14:30:33 <Sparks> jsmith: can you confirm (not now) if these cases can be closed?
14:30:43 <jsmith> Sparks: Will do that after the meeting...
14:30:49 <Sparks> jsmith: Cool, thanks
14:31:21 <jsmith> pjp: Peter Borsa (asrob) is working on packaging the 100 most-used Drupal modules -- but with over 30k modules for Drupal, we'll never package them all
14:31:27 <jsmith> pjp: (nor do we need/want to)
14:31:33 <Sparks> Anyone have anything else?
14:31:52 <d-caf> Torque is hopefully now with a more responsive maintainer
14:32:06 <Sparks> d-caf: +1
14:32:11 <d-caf> Was able to resolve via email with out resorting to on-response packager path
14:32:16 <jsmith> I'll take another look at the 90-day challenge list and pick off a few to work on
14:32:24 <d-caf> had to threaten that path a "little"
14:32:41 <pjp> jsmith: Right,
14:34:04 <Sparks> #topic Open floor discussion/questions/comments
14:34:09 <Sparks> Anyone have anything?
14:34:45 <jsmith> Nothing more from my side...
14:38:57 <pjp> Nope,
14:39:48 <pjp> I'm still trying to see how to import that spreadsheet to ethercalc, I'll post a URL to the list.
14:40:01 <Sparks> pjp: +1
14:40:14 <Sparks> Okay, thanks for coming out.  Everyone have a good day!
14:40:17 <Sparks> #endmeeting