14:02:26 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:02:26 <zodbot> Meeting started Thu Aug  6 14:02:26 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:26 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:02:29 <Sparks> #meetingname Fedora Security Team
14:02:29 <zodbot> The meeting name has been set to 'fedora_security_team'
14:02:32 <Sparks> #topic Roll Call
14:02:34 * Sparks 
14:02:37 * d-caf 
14:03:09 * mhayden 
14:04:04 * scorneli 
14:04:48 * zoglesby 
14:05:45 * Sparks updates meeting agenda
14:06:27 <Sparks> Okay, let's get started.
14:06:57 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:07:05 <Sparks> #topic Outstanding BZ Tickets
14:07:13 <Sparks> #info Thursday's numbers: Critical 0 (0), Important 45 (0), Moderate 373 (+12), Low 148 (-1), Total 520, Trend +11
14:07:19 <Sparks> #info Current tickets owned: 96 (~18%)
14:07:25 <Sparks> #info Tickets closed: 355 (+3)
14:07:36 <Sparks> Anyone have anything regarding tickets?
14:08:02 <mhayden> i think d-caf's tickets moved a bit
14:08:20 <d-caf> I've had a few move, after pestering people more
14:08:32 <d-caf> I feel like I'm nagging my kids sometimes...
14:08:54 <d-caf> jwb is moving patches for nagios-plugins which is good
14:09:03 * mhayden wonders if folks have these bugzilla notices auto-filtered into a directory that gets ignored ;)
14:09:13 <d-caf> though I'm still unclear as to what the eventual resolution is going to be longterm for that package
14:09:39 <d-caf> Would be nice if bugzilla let us know when messages bounced to email
14:09:54 <scorneli> I do filter bugzilla quite a lot. 90% is garbage, hard to find the good 10%
14:10:23 <pjp> Hello,
14:10:30 <d-caf> pjp: hi
14:10:36 <scorneli> yo!
14:10:53 <d-caf> I tend to go out of bugzilla and email people direct, but it still can involve a lot of nagging on both fronts
14:11:17 <d-caf> but, then my actions are outside the tracking of bugzilla..
14:11:34 <scorneli> yes. i still think we need a change of policy there
14:11:55 <Sparks> If people are ignoring BZ then they aren't being maintainers since they are likely ignoring other problems.
14:12:07 <d-caf> On the numbers info, would it be possible to break out the Important and maybe Moderate with the percent owned?  Vs just the overall owned percentage?
14:12:19 <Sparks> d-caf: Yes
14:12:19 <d-caf> Sparks: agree!
14:12:52 * Sparks to update the FST_numbers script to show the %age of tickets owned for each category.
14:13:20 <mhayden> i wonder if we can automate some notifications based on that script
14:13:26 <Sparks> #action Sparks to update the FST_numbers script to show the %age of tickets owned for each category.
14:13:41 <Sparks> mhayden: ?
14:13:48 <d-caf> I think there are still like 8-12 unowned important tickets
14:13:54 <d-caf> I picked up a few more this week
14:14:13 <mhayden> well i wonder if we could run a script monthly to roll through BZ and email maintainers about tickets w/CVEs that haven't moved in > 30 days
14:14:29 <mhayden> it would help if they have their BZ notifications filtered off somewhere
14:14:34 <mhayden> and we'd get bounces
14:14:39 <pjp> mhayden: I have one script for that,
14:14:49 * jsmith shows up late, sorry
14:14:56 <pjp> mhayden: it pings people after > 90 days of inactivity
14:15:24 <Sparks> jsmith: Welcome
14:15:24 * pjp would commit it to the fst security.git repo today
14:15:28 <pjp> jsmith: Hi,
14:15:40 <mhayden> pjp: that's awesome!
14:16:02 <d-caf> pjp: You currently run that against your own tagged tickets or all?
14:16:08 <pjp> Sparks: is the FST_numbers script available some place?
14:16:27 <Sparks> pjp: It's in the fedora-security-team repo
14:16:36 <pjp> d-caf: all security bugs which haven't seen activity for > 90 days
14:16:53 <Sparks> pjp: And could probably be written much better but, instead, is just cobbled together bash
14:16:55 <pjp> I started with that script as part of automating non-responsive maintainer policy
14:17:18 <pjp> Sparks: Okay, I'll take a look
14:17:29 <d-caf> Ok, so if the only activity was FST members commenting, then it would run against those (so not ping the maintainers)
14:17:43 <d-caf> would/wouldn't
14:18:39 <pjp> d-caf: Yeah that's where it gets a little tricky, when I ran it first time, some maintainers responded with comments about why bugs have not moved further,
14:19:13 <pjp> d-caf: parsing and interpreting human comments is tricky, to script any further actions on that
14:19:50 * pjp looks for a sample bug
14:20:27 <d-caf> pjp: I would probably just set it to ignore the fst_owner=USER tagged comments/actions
14:20:56 <pjp> d-caf: ?
14:21:27 * Sparks wonders if we should subscribe a mailing list to all security bugs so we can actually see comments like "I'm not going to fix this because your process sucks" so our automated tools won't count that as activity.
14:21:46 <d-caf> take the username mentioned in fst_owner and exclude comments from that user so that it only counts others comments as "refreshing" the ticket
14:22:04 <pjp> d-caf: ex -> https://bugzilla.redhat.com/show_bug.cgi?id=1132002#c2
14:22:25 <pjp> d-caf: #c2 was added by a script
14:23:10 <pjp> d-caf: no-no, these comments were from bug owners
14:23:40 <d-caf> that's fine, if bug owners are commenting it means they know about it (but may just be dragging their feet)
14:23:54 <d-caf> that's a whole nother problem
14:24:14 <pjp> d-caf: yes,
14:24:54 <pjp> d-caf: I started with an idea that we ping them 3 times in a row, and if there is still no response, we open a non-responsive policy bug and automatically send an email to the -devel list
14:24:55 <Sparks> d-caf: Or ignoring the problem.
14:25:08 <Sparks> pjp: +1
14:25:24 <d-caf> if the script can email the assignee if no comments have been placed in the ticket (excluding the fst_owner comments) outside bugzilla
14:25:36 <pjp> d-caf: But when they respond with some comments, that's tricky to parse
14:26:04 <pjp> d-caf: Sure, email could be sent
14:26:15 <d-caf> Well if they respond then again we know they know about it, then it's about "pushing" them to fix it
14:26:25 <d-caf> respond then again we know...
14:26:29 <d-caf> ugh my typing sorry
14:26:37 <pjp> :)
14:27:26 <pjp> Another problem was, I got flooded with Bugzilla emails with the comments the script added and what the bug owner responded
14:27:29 <d-caf> Things i would like to work around: people ignoring bugzilla emails, people with broken email addresses
14:28:00 <pjp> Yep, those can be handled neatly, as there is no comment from them
14:28:11 <d-caf> Yeah, even without your script i can get flooded with bugzilla emails
14:28:18 <pjp> :)
14:35:24 <Sparks> #topic Open floor discussion/questions/comments
14:35:44 <Sparks> Anyone have anything else they'd like to discuss.
14:35:45 <Sparks> ?
14:36:14 <mhayden> i've considered trying to adapt the CIS benchmarks for fedora and build an image and/or an ansible playbook
14:36:23 <d-caf> Did we ever get that security@fedora email thing figured out?
14:36:23 <mhayden> not sure if that excites anyone else
14:37:26 <pjp> d-caf: Yes, we now have control over the list and address, and I'm to do some publicity work for it
14:37:37 <pjp> s/to/to do some...
14:37:53 <d-caf> pjp: cool, thanks
14:37:58 <pjp> d-caf: we need to let people know that such address exists and we are actively monitoring it
14:39:00 <d-caf> would want it to be easily found via google if you search for "fedora security"
14:39:48 <pjp> Yes, true
14:41:34 <d-caf> mhayden: i haven't looked into those much before, will need to add it to my reading list
14:42:01 <mhayden> d-caf: CentOS/RHEL 6 is done --> https://github.com/major/cis-rhel-ansible
14:42:14 <mhayden> planning to expand that to RHEL 7 soon, but figured i might add logic for Fedora too
14:44:05 <d-caf> Cool work, I'm familiar with a couple other tools like this (like NIST) but hadn't really looked into CIS
14:47:36 * pjp checks
14:48:50 <pjp> Heh...WAIT! DANGER! :)
14:52:16 <pjp> I think we are reaching a closing time,
14:52:26 <mhayden> could we make a badge for folks who close CVE-related tickets?
14:52:30 <d-caf> yes I have nothing else
14:52:41 <pjp> mhayden: There is a ticket open for that
14:52:51 <mhayden> oh that'd be fantastic
14:52:59 * mhayden has nothing else for the meetin'
14:53:15 <pjp> mhayden: -> https://fedorahosted.org/fedora-badges/ticket/373
14:53:40 <pjp> There is one for the logo too, which is in progress
14:54:20 <pjp> mhayden: -> https://fedorahosted.org/fedora-badges/ticket/262
14:54:56 <pjp> Please add comments to those tickets with any inputs you have.
14:55:47 <d-caf> So that's for people who found and reported a CVE, not closed
14:56:21 <pjp> d-caf: Yes, other one is for folks who contribute to FST activities, which could involve closing a CVE bug
14:56:40 <pjp> If we want a separate one, then we'll need a ticket for it
14:57:01 * Sparks notes 4 minutes remain
14:57:06 * Sparks notes 3 minutes remain
15:00:30 <Sparks> Okay, we'll continue this discussion on the mailing list.  Thanks everyone~!
15:00:33 <Sparks> #endmeeting