14:09:29 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:09:30 <zodbot> Meeting started Thu Jun 18 14:09:29 2015 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:09:30 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:09:32 <Sparks> #meetingname Fedora Security Team
14:09:33 <zodbot> The meeting name has been set to 'fedora_security_team'
14:09:36 <Sparks> #topic Roll Call
14:09:37 * Sparks
14:10:14 * mhayden waves
14:11:08 * pjp waves too ;)
14:14:43 * Sparks updates the agenda
14:16:32 <Sparks> Okay, let's get going.
14:16:41 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:16:47 <Sparks> #topic 90-Day Challenge
14:16:54 <Sparks> #link https://ethercalc.org/90-day-challenge
14:17:02 <Sparks> #info 90-Day Challenge has a goal to close all 2014 and prior Important CVEs in Fedora
14:17:16 <Sparks> #info As of 2015-06-18, of the 38 target bugs 14 have been closed, 1 is On_QA, and 23 are Open
14:17:47 <Sparks> #info This is three weeks in a row of stagnation.
14:18:16 <scorneli> how many of those are stuck due to inactive maintainers?
14:18:19 <Sparks> Last week I cleaned up some of the fst_owner tags if the owner hadn't actually done anything with the bugs.
14:18:30 <Sparks> scorneli: I'd say around 100%.
14:18:32 <mhayden> two of my three are unresponsive maintainers
14:18:34 <pjp> For the Rubygems bugs, I was talking to the Fedora maintainer Mo Morsi, he is working on updating entire Ruby stack in EPEL,
14:18:46 <mhayden> and the fixes for two of mine are ~ 3-5 minutes work each
14:18:59 <pjp> I found him a volunteer who is working with him,
14:19:42 <pjp> mhayden: which bugs are these?
14:19:55 <pjp> mhayden: it only needs building & pushing updates?
14:20:06 <pjp> I could help you with that,
14:20:38 <mhayden> pjp: RHBZ 1160136 and 1160137
14:20:50 <mhayden> updating EPEL6's python-virtualenv and python-pip will fix a few security bugs for each
14:20:53 * pjp clicks
14:20:54 <mhayden> (and functionality bugs)
14:21:18 <mhayden> latest of both from upstream seem to work fine on epel6
14:21:33 <mhayden> s/epel6/EL6/
14:21:57 <pjp> I see,
14:21:59 <mhayden> also, LXC upstream is receptive for updates to the LXC templates to eliminate predictable root passwords (BZ 1132004)
14:22:15 <mhayden> i'm working on the debian/ubuntu templates to see if i can wedge in randomized passwords
14:22:22 <mhayden> shouldn't be too difficult
14:22:47 <mhayden> #link https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-June/011888.html
14:23:06 <pjp> Yep, true -> https://bugzilla.redhat.com/show_bug.cgi?id=1132002#c9
14:23:15 <pjp> Same bug it seems,
14:23:27 <Sparks> Since we're slipping into general bug talk...
14:23:29 <mhayden> yeah, there are four for the LXC issue
14:23:36 <Sparks> #topic Outstanding BZ Tickets
14:23:40 <mhayden> BZ 1132001-1132004 are LXC
14:23:43 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 43 (-5), Moderate 375 (+15), Low 163 (+1), Total 585, Trend +11
14:23:50 <mhayden> oops, jumped the gun on ticket discussions ;)
14:24:01 <Sparks> mhayden: That's fine. I just need to be faster!
14:24:14 * Corey84 waves and takes a backseat
14:24:50 <Sparks> Corey84: Welcome
14:24:55 <Corey84> LXC == containers no?
14:25:15 <mhayden> yes
14:25:19 <Sparks> mhayden: Yeah, I saw your discussion around the random passwords. That would be really good to implement. Have you written about this somewhere?
14:25:24 <mhayden> it's the templates that are bad, not LXC itself
14:25:40 <mhayden> Sparks: nowhere other than mailing lists and BZ's
14:25:44 <mhayden> should i be?
14:26:10 <mhayden> late for a mtg at $dayjob -- gotta run but will catch up later
14:26:15 * mhayden scurries away
14:26:23 <Sparks> mhayden: IDK. Might be good reading.
14:26:26 <Sparks> mhayden: Have fun!
14:26:40 <pjp> Sparks: IDK?
14:26:48 <Sparks> IDK == I don't know
14:27:33 <pjp> Ah, :)
14:27:36 <Sparks> Anyone else have anything bug-wise they'd like to talk about?
14:29:21 <Sparks> #topic Open floor discussion/questions/comments
14:29:38 <Sparks> I'm in the middle of putting out fires here so I won't hold the meeting any longer than necessary today.
14:30:16 <pjp> For a news, from the last meetings action item, we now have control over security@fp.o list
14:30:18 <Sparks> #info Sparks will be away from keyboard for next week and then the following Thursday morning (US EDT) and needs someone to cover the meetings for him.
14:30:28 <Sparks> pjp: +1
14:30:41 <pjp> Sparks: I'll do it.
14:30:54 <scorneli> I'm just surprised about so many stalled things due to inactive maintainers. I had the impression that there were mechanisms in place to deal with this - but that's not working too good. I think that needs to be investigated
14:31:41 <pjp> Sparks: Please add me to the lists moderator group
14:32:23 <pjp> scorneli: mechanism are mostly manual, via nonresponsive maintainer bug ...
14:32:43 <Sparks> scorneli: There are mechanisms but they take time and effort.
14:32:57 <scorneli> well, it's a terrible bottleneck and we should think about alternatives, then
14:33:06 <Sparks> scorneli: I'm all ears!
14:33:37 <Sparks> How about we not just include all the packages in the next version that was in the previous version [of Fedora]?
14:34:08 <Sparks> Kinda like how we do EPEL. You must manually add your package to the next version. At least we'd catch folks asleep at the wheel that way.
14:34:11 <scorneli> mhh, gentoo used to flag packages. you would have to override this to install them, anyways
14:34:40 <scorneli> but that's not a good answer. I'll have to look into this some more
14:35:12 <pjp> Sparks: I think that way lot of good packages might be left behind,
14:36:40 <Sparks> pjp: They aren't good if they aren't maintained.
14:37:30 <pjp> Heh..hmmn, :)
14:38:07 <Sparks> I mean, I can definitely see both sides to doing that.
14:38:18 <Sparks> There isn't a good answer, I don't think.
14:38:35 <pjp> True, at least it's worth an experiment,
14:38:43 <Sparks> You could also end up with maintainers just adding their packages to the next version and then never looking again until the next next version.
14:39:00 <pjp> True
14:39:23 <Sparks> Ahh well, someone should write a blog post about this. :)
14:39:56 * pjp makes a note,
14:40:06 * pjp has lots of notes to write about, :(
14:40:25 <Sparks> pjp: Yeah, you and me both.
14:40:37 <scorneli> the unresponsive maintainer thing is taking too long. shouldn't provenpackagers step in way earlier? the grace period can be different depending on severity
14:42:11 <Sparks> There's really not a process for getting provenpackagers involved. Most of it involves begging or some awareness that a problem exists.
14:42:20 <pjp> scorneli: Yep, they are on it too,
14:42:58 <Sparks> Proven packagers have their own FAS group, correct?
14:43:03 <pjp> Sparks: Yep
14:43:06 <scorneli> then we should try to get maybe a special security-proven-packager SBR and try to get more people into that or something
14:43:33 <pjp> Sparks: That reminds me, I had applied for fst & fst-git groups, did you have chance to approve those?
14:44:01 <Sparks> pjp: I didn't see them (I may have ignored them) but I'll take care of that today.
14:44:15 <Sparks> pjp: We can email all proven packagers, then.
14:44:27 <pjp> Sparks: Yes, I did that last time
14:44:28 <Sparks> I think it's <fas_group>@fp.o
14:44:32 <Sparks> Oh, okay, cool.
14:44:46 <pjp> Sparks: Yep
14:45:50 <Sparks> Okay, anyone have anything else they'd like to discuss?
14:46:05 <scorneli> nope, I'm good. take care of your fires ;)
14:46:54 * Sparks gets his tank full of water
14:46:57 <Sparks> pjp: Anything?
14:47:07 <pjp> Sparks: We need to think about publicising the security@fp.o address, (it's one of my notes in the list)
14:47:35 <Sparks> pjp: DoIT!
14:47:50 <pjp> Sparks: Okay, :)
14:48:46 <pjp> Maybe we'll start with announcing it across various lists -devel, -users, -announce etc. + blog definitely
14:49:01 <pjp> Fedora magazine
14:49:11 <Sparks> +1
14:49:18 <pjp> I had a note about writing to Fedora magazine about FST and our work.
14:49:44 <pjp> Sparks: Have you done that already by any chance?
14:50:07 * jsmith shows up late
14:50:24 <pjp> jsmith: Hello welcome! :)
14:50:26 <Sparks> pjp: I have not
14:50:55 <pjp> Sparks: Okay, I'll work on it,
14:51:07 <pjp> I think that quite a few things for me,
14:51:12 <pjp> for the coming days
14:52:46 <Sparks> pjp: Need to keep you off the streets and out of trouble
14:52:56 <pjp> Heh..he...:)
14:53:29 <scorneli> yes, stay in the basement like any self-respecting geek would
14:53:42 <pjp> :)
14:54:29 <Sparks> Okay, I'm going to close this down for today. Beverages will be served in #fedora-security-team room immediately following the close of the meeting.
14:54:33 <Sparks> Everyone have a good day.
14:54:36 <Sparks> #endmeeting