14:09:29 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:09:30 Meeting started Thu Jun 18 14:09:29 2015 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:09:30 Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:09:32 #meetingname Fedora Security Team
14:09:33 The meeting name has been set to 'fedora_security_team'
14:09:36 #topic Roll Call
14:09:37 * Sparks
14:10:14 * mhayden waves
14:11:08 * pjp waves too ;)
14:14:43 * Sparks updates the agenda
14:16:32 Okay, let's get going.
14:16:41 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:16:47 #topic 90-Day Challenge
14:16:54 #link https://ethercalc.org/90-day-challenge
14:17:02 #info 90-Day Challenge has a goal to close all 2014 and prior Important CVEs in Fedora
14:17:16 #info As of 2015-06-18, of the 38 target bugs 14 have been closed, 1 is On_QA, and 23 are Open
14:17:47 #info This is three weeks in a row of stagnation.
14:18:16 how many of those are stuck due to inactive maintainers?
14:18:19 Last week I cleaned up some of the fst_owner tags if the owner hadn't actually done anything with the bugs.
14:18:30 scorneli: I'd say around 100%.
14:18:32 two of my three are unresponsive maintainers
14:18:34 For the Rubygems bugs, I was talking to the Fedora maintainer Mo Morsi, he is working on updating the entire Ruby stack in EPEL,
14:18:46 and the fixes for two of mine are ~ 3-5 minutes work each
14:18:59 I found him a volunteer who is working with him,
14:19:42 mhayden: which bugs are these?
14:19:55 mhayden: it only needs building & pushing updates?
14:20:06 I could help you with that,
14:20:38 pjp: RHBZ 1160136 and 1160137
14:20:50 updating EPEL6's python-virtualenv and python-pip will fix a few security bugs for each
14:20:53 * pjp clicks
14:20:54 (and functionality bugs)
14:21:18 latest of both from upstream seem to work fine on epel6
14:21:33 s/epel6/EL6/
14:21:57 I see,
14:21:59 also, LXC upstream is receptive for updates to the LXC templates to eliminate predictable root passwords (BZ 1132004)
14:22:15 i'm working on the debian/ubuntu templates to see if i can wedge in randomized passwords
14:22:22 shouldn't be too difficult
14:22:47 #link https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-June/011888.html
14:23:06 Yep, true -> https://bugzilla.redhat.com/show_bug.cgi?id=1132002#c9
14:23:15 Same bug it seems,
14:23:27 Since we're slipping into general bug talk...
14:23:29 yeah, there are four for the LXC issue
14:23:36 #topic Outstanding BZ Tickets
14:23:40 BZ 1132001-1132004 are LXC
14:23:43 #info Thursday's numbers: Critical 0 (0), Important 43 (-5), Moderate 375 (+15), Low 163 (+1), Total 585, Trend +11
14:23:50 oops, jumped the gun on ticket discussions ;)
14:24:01 mhayden: That's fine. I just need to be faster!
14:24:14 * Corey84 waves and takes a backseat
14:24:50 Corey84: Welcome
14:24:55 LXC == containers no?
14:25:15 yes
14:25:19 mhayden: Yeah, I saw your discussion around the random passwords. That would be really good to implement. Have you written about this somewhere?
14:25:24 it's the templates that are bad, not LXC itself
14:25:40 Sparks: nowhere other than mailing lists and BZ's
14:25:44 should i be?
14:26:10 late for a mtg at $dayjob -- gotta run but will catch up later
14:26:15 * mhayden scurries away
14:26:23 mhayden: IDK. Might be good reading.
14:26:26 mhayden: Have fun!
14:26:40 Sparks: IDK?
14:26:48 IDK == I don't know
14:27:33 Ah, :)
14:27:36 Anyone else have anything bug-wise they'd like to talk about?
14:29:21 #topic Open floor discussion/questions/comments
14:29:38 I'm in the middle of putting out fires here so I won't hold the meeting any longer than necessary today.
14:30:16 For news, from the last meeting's action item, we now have control over the security@fp.o list
14:30:18 #info Sparks will be away from keyboard for next week and then the following Thursday morning (US EDT) and needs someone to cover the meetings for him.
14:30:28 pjp: +1
14:30:41 Sparks: I'll do it.
14:30:54 I'm just surprised about so many stalled things due to inactive maintainers. I had the impression that there were mechanisms in place to deal with this - but that's not working too well. I think that needs to be investigated
14:31:41 Sparks: Please add me to the list's moderator group
14:32:23 scorneli: mechanisms are mostly manual, via nonresponsive maintainer bug ...
14:32:43 scorneli: There are mechanisms but they take time and effort.
14:32:57 well, it's a terrible bottleneck and we should think about alternatives, then
14:33:06 scorneli: I'm all ears!
14:33:37 How about we not just include all the packages in the next version that were in the previous version [of Fedora]?
14:34:08 Kinda like how we do EPEL. You must manually add your package to the next version. At least we'd catch folks asleep at the wheel that way.
14:34:11 mhh, gentoo used to flag packages. you would have to override this to install them, anyways
14:34:40 but that's not a good answer. I'll have to look into this some more
14:35:12 Sparks: I think that way a lot of good packages might be left behind,
14:36:40 pjp: They aren't good if they aren't maintained.
14:37:30 Heh..hmmn, :)
14:38:07 I mean, I can definitely see both sides to doing that.
14:38:18 There isn't a good answer, I don't think.
14:38:35 True, at least it's worth an experiment,
14:38:43 You could also end up with maintainers just adding their packages to the next version and then never looking again until the next next version.
14:39:00 True
14:39:23 Ahh well, someone should write a blog post about this. :)
14:39:56 * pjp makes a note,
14:40:06 * pjp has lots of notes to write about, :(
14:40:25 pjp: Yeah, you and me both.
14:40:37 the unresponsive maintainer thing is taking too long. shouldn't provenpackagers step in way earlier? the grace period can be different depending on severity
14:42:11 There's really not a process for getting provenpackagers involved. Most of it involves begging or some awareness that a problem exists.
14:42:20 scorneli: Yep, they are on it too,
14:42:58 Proven packagers have their own FAS group, correct?
14:43:03 Sparks: Yep
14:43:06 then we should try to get maybe a special security-proven-packager SBR and try to get more people into that or something
14:43:33 Sparks: That reminds me, I had applied for the fst & fst-git groups, did you have a chance to approve those?
14:44:01 pjp: I didn't see them (I may have ignored them) but I'll take care of that today.
14:44:15 pjp: We can email all proven packagers, then.
14:44:27 Sparks: Yes, I did that last time
14:44:28 I think it's @fp.o
14:44:32 Oh, okay, cool.
14:44:46 Sparks: Yep
14:45:50 Okay, anyone have anything else they'd like to discuss?
14:46:05 nope, I'm good. take care of your fires ;)
14:46:54 * Sparks gets his tank full of water
14:46:57 pjp: Anything?
14:47:07 Sparks: We need to think about publicising the security@fp.o address, (it's one of my notes in the list)
14:47:35 pjp: DoIT!
14:47:50 Sparks: Okay, :)
14:48:46 Maybe we'll start with announcing it across various lists -devel, -users, -announce etc. + blog definitely
14:49:01 Fedora magazine
14:49:11 +1
14:49:18 I had a note about writing to Fedora magazine about FST and our work.
14:49:44 Sparks: Have you done that already by any chance?
14:50:07 * jsmith shows up late
14:50:24 jsmith: Hello, welcome! :)
14:50:26 pjp: I have not
14:50:55 Sparks: Okay, I'll work on it,
14:51:07 I think that's quite a few things for me,
14:51:12 for the coming days
14:52:46 pjp: Need to keep you off the streets and out of trouble
14:52:56 Heh..he...:)
14:53:29 yes, stay in the basement like any self-respecting geek would
14:53:42 :)
14:54:29 Okay, I'm going to close this down for today. Beverages will be served in the #fedora-security-team room immediately following the close of the meeting.
14:54:33 Everyone have a good day.
14:54:36 #endmeeting