14:00:09 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:09 Meeting started Thu Oct 1 14:00:09 2015 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:09 Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:12 #meetingname Fedora Security Team
14:00:12 The meeting name has been set to 'fedora_security_team'
14:00:14 #topic Roll Call
14:00:16 * Sparks
14:00:55 .fas fleite
14:00:55 FabioOlive: fleite 'Fabio Olive Leite'
14:01:03 .fas astra
14:01:04 Astradeus: astralstorm 'Radosław Szkodziński' - netman 'Andrey Krasukov' - rustomafs 'Rustom Irani' - astrand 'Peter Åstrand' - astra 'David Kaufmann' - astrawin 'Dick Chapman' - ambyte 'Sergey Gulyaev' - astratik 'Alexandre Stratikopoulos' (3 more messages)
14:01:12 o_O
14:01:24 Yeah, that doesn't work great
14:04:12 Hi,
14:04:51 Ugh, I forgot my script is in fail mode for ticket status
14:05:15 mhayden: You here?
14:06:40 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:06:43 * mhayden stumbles in
14:06:51 sorry, had a 7-9AM meeting that ran over :/
14:07:14 mhayden: Well, you need to tell them that you have a hard stop! :)
14:07:32 #topic Follow up on last week's tasks
14:07:58 Okay, I totally failed to update the agenda so I'll just keep the tasks for next week.
14:09:33 #topic Outstanding BZ Tickets
14:10:06 mhayden: Could you provide the stats? I never fixed my script.
14:10:45 * mhayden digs
14:11:30 full report: https://lists.fedoraproject.org/pipermail/security-team/2015-October/000371.html
14:12:13 608 total tickets, 82 owned
14:12:40 cacti is back to lead the security bug list again, but it's a two way tie with bugzilla ;)
14:12:48 #info Thursday's numbers: Critical 0 (0), Important 43 (+1), Moderate 408 (-1), Low 153 (+1), Total 604
14:12:52 mhayden: Thank you
14:12:54 followed by nagios (which is being worked by swilkerson)
14:13:30 Anyone have anything ticket-related?
14:13:58 i still would like to write some kind of "verifier" script that checks to see if the issue in the ticket has been addressed
14:14:08 so maybe the packager fixed it but forgot to put the bug # in their bodhi update
14:14:19 or they bumped a version not knowing that it closed some bugs
14:14:40 that's gonna be insanely tricky :)
14:14:54 but we could check for packages which have any type of update on a date *after* the bug ticket was opened
14:14:57 and investigate those
14:15:01 they could be low-hanging fruit
14:15:17 Sparks: sorry, need to leave the meeting now. I'll catch up with you later.
14:15:18 thoughts?
14:15:52 mhayden: I think it would be useful but I think we'd have to talk to releng to implement something like that.
14:16:21 Sparks: couldn't i pull data from bugzilla and then query bodhi?
14:16:26 or are you worried about overloading bodhi
14:16:50 mhayden: How will we know what the update fixed?
14:17:16 mhayden: RPM changeLog ?
14:17:22 mhayden: I'm not worried about anything. :)
14:17:42 mhayden: You could do that, I was talking about integrating it into bodhi during the build.
14:18:07 pjp: that might take some manual investigation :/
14:18:12 until we figure out some way to correlate
14:18:19 but it would be a much shorter list to review :)
14:18:32 mhayden: Yes, packagers don't always include the bugid in the changeLog
14:20:46 Some outright refuse to do so
14:21:19 Sparks: Refuse ?
14:21:46 Sparks: saying what? why wouldn't they include a bug-id ?
14:22:03 pjp: Saying that it's too much of a hassle to do and they won't do it.
14:23:02 pjp: I think it's more of a "you're telling me how to do something and I don't like that".
14:23:12 Yeah,
14:23:18 That's more of it,
14:25:01 hah
14:25:24 i prefer to consider the best intentions until proven otherwise ;)
14:25:29 "Trust but verify" :)
14:25:45 heh
14:26:00 (that seems to get harder to do the longer you work in infosec)
14:27:14 Okay, anything else ticket-related?
14:28:33 #topic Open floor discussion/questions/comments
14:28:48 * Sparks has some additional hurricane prep things to do...
14:30:18 Sparks: i wish you luck there
14:31:05 hurricane prep, not for a real hurricane, is it?
14:31:36 pjp: http://www.wunderground.com/hurricane/atlantic/2015/hurricane-Joaquin
14:31:51 * pjp checks
14:32:15 Oh boy,
14:32:20 just seen that on a weathermap a colleague had open half an hour ago^^
14:32:28 and i'm in europe..
14:32:32 small world^^
14:32:40 best wishes from me too
14:32:53 pjp: I think I've got a front-row seat for this show
14:33:19 http://www.nhc.noaa.gov/#JOAQUIN
14:33:35 Sparks: Yep, all the best.
14:35:15 I'm guessing that I'll lose power and Internet and cellular service and will have time to catch up on my reading and maybe enjoy a nice star party with all the lights off.
14:35:38 * Sparks is from Eastern North Carolina where we get jittery if we don't have at least one major hurricane a year.
14:35:53 Heh, sounds like a silver lining, :)
14:36:07 could use some of that rain here in TX :)
14:38:08 mhayden: We got ~6 inches of rain the other night.
14:41:47 Okay, anyone have anything else?
14:41:58 nothing for me
14:42:48 nope, not this week, hope to do some catch-up by next one
14:43:02 Okay, then I'm going to go ahead and close up shop, here.
14:43:57 Yep, thank you all.
14:44:22 Thanks all!
14:44:24 #endmeeting