14:00:09 <mhayden> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:09 <zodbot> Meeting started Thu Oct 22 14:00:09 2015 UTC. The chair is mhayden. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:09 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:15 <mhayden> #meetingname Fedora Security Team
14:00:15 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:23 <mhayden> #topic Roll Call
14:00:26 <mhayden> o/
14:00:34 * Astradeus is mobile only unfortunately :/
14:00:43 <mhayden> Astradeus: aww, that's okay!
14:01:43 * mhayden will wait til 5 minutes after the hour to kick things off
14:03:23 <mhayden> mattdm: did i see something from you on the ML or elsewhere about joining our meeting today?
14:03:30 <mhayden> about the FESCo bat-signal ticket
14:04:08 <mattdm> mhayden: I don't remember saying that, but... maybe? :)
14:04:28 <mhayden> mattdm: ah, okay -- i may be getting my emails and tickets confused
14:04:36 <mhayden> but it's delightful to hear from ya nonetheless :P
14:05:39 <mattdm> I definitely posted about it to the mailing list. So we might as well talk about it :)
14:06:17 <mattdm> Basically, during our last few big incidents, it was hard to keep track of who should be doing what, and when
14:06:32 <mattdm> And we didn't have a good way to raise the alarm particularly to QA people
14:06:41 <mhayden> #chair Astradeus mattdm
14:06:41 <zodbot> Current chairs: Astradeus mattdm mhayden
14:07:14 <mhayden> #topic FESCo ticket about a security "bat-signal" for serious incidents
14:07:32 * mhayden hunts for ticket link
14:07:52 <mhayden> #link https://fedorahosted.org/fesco/ticket/1278
14:07:57 <mattdm> also
14:08:00 <mattdm> #link https://fedoraproject.org/wiki/User:Pfrields/Critical_security_update_SOP.
14:08:05 <mattdm> #info that's a draft
14:08:22 <mhayden> oh nice
14:08:38 <mhayden> i think this discussion originally started after heartbleed
14:08:40 <mhayden> or shellshock
14:08:57 <mattdm> errrr, let me do that again without a period in case software does that wrong
14:08:59 <mattdm> #link https://fedoraproject.org/wiki/User:Pfrields/Critical_security_update_SOP
14:09:12 <mattdm> yeah, definitely one of those times when I was up all night :)
14:09:14 <mhayden> chrome behaved itself :)
14:09:41 <mattdm> I think a flowchart would be most helpful
14:09:41 <mhayden> it feels like a two-part deal: 1) alert folks 2) once they show up, assign tasks
14:10:18 <mattdm> yeah. or have roles people can assign themselves to, and a way to let everyone know that they have done that
14:10:25 <mhayden> not a bad idea
14:10:38 <mhayden> or have pre-made expectations for each group
14:10:43 <mattdm> *nod*
14:10:52 <mhayden> so everyone shows up, hears what the incident is, and they know their place in it
14:11:47 <mhayden> man, i should have thought about doing this as a talk in Rochester :P
14:12:08 <mattdm> :)
14:13:27 <mhayden> hmm okay -- this is a big thing to tackle
14:13:35 <mattdm> Yeah. And with the F23 GA release, I probably won't have a lot of spare time for working on this in the next couple weeks
14:13:38 <mhayden> would it help to have some kind of strawman put together so we can throw darts at it?
14:13:44 <mattdm> yes it sure would
14:14:00 <mhayden> maybe i'll email the security ML and see if we can assemble something
14:14:07 <mattdm> cool, that would be awesome.
14:14:22 <mhayden> #action mhayden to email the security ML about getting a strawman together for a security incident process
14:14:37 <mhayden> #info nobody bother mattdm for the next few weeks :)
14:15:06 <mattdm> lol
14:15:27 <mattdm> thanks for working on this!
14:15:41 <mhayden> mattdm: haven't started yet, but we hopefully will soon :)
14:15:51 <mhayden> i guess we're all good on this topic (for now)
14:16:03 <mhayden> thanks, mattdm!
14:16:21 <mhayden> #topic Follow up on last week's tasks
14:16:36 <mhayden> looks like we had four tasks
14:16:46 <mhayden> 1) mhayden to kick off a ML thread about finding a foss A/V conferencing solution of some sort
14:16:56 <mhayden> no progress on this one but still open for suggestions
14:17:08 <mhayden> any other ideas on this one, Astradeus ?
14:17:09 * mattdm switches to lurking mode
14:17:47 * mattdm would love a foss solution that a) scales and b) provides recording
14:17:55 <mhayden> me too
14:18:01 <mhayden> so that action is still pending
14:18:06 <mhayden> #action mhayden to kick off a ML thread about finding a foss A/V conferencing solution of some sort
14:18:15 <mhayden> 2) sparks and mhayden to figure out a stats script going forward
14:18:28 <mhayden> no progress here yet -- the current script seems okay for now
14:18:28 <Astradeus> 2min :)
14:18:34 <mhayden> still need to merge Astradeus' changes
14:18:53 <Astradeus> finally, computer \o/
14:19:08 <mhayden> #action mhayden to get Astradeus' changes to the stats script into the fedora-security-team git repo
14:19:20 <mhayden> 3) pjp to give a status update on security policy in the wiki
14:19:23 <Astradeus> i wanted to try out that fedrtc-thing - anyone up for trying it after the meeting?
14:19:31 <mhayden> Astradeus: i have time
14:19:48 <Astradeus> cool, lets doo this :)
14:19:49 <mhayden> since pjp isn't here, i'll punt this one to the following week
14:19:56 <mhayden> #actionpjp to give a status update on security policy in the wiki (carried over)
14:20:00 <mhayden> #action pjp to give a status update on security policy in the wiki (carried over)
14:20:03 <mhayden> there we go ;)
14:20:11 <mhayden> last one
14:20:15 <mhayden> 4) sparks to (gently) wrangle mattdm about private security-related tickets in BZ
14:20:45 <mhayden> i don't know if that conversation has happened quite yet
14:20:53 <mhayden> but since sparks is out, i'll push to next week
14:20:59 <mhayden> #action sparks to (gently) wrangle mattdm about private security-related tickets in BZ (carried over)
14:21:26 <mhayden> #topic Outstanding BZ Tickets
14:21:34 <mhayden> the current BZ stats are here:
14:21:37 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-October/000371.html
14:21:57 <mhayden> Astradeus: got anything BZ-related? i don't
14:22:12 <mhayden> i've been a bunch of nagios-related things going on lately, which is good
14:22:17 <mhayden> but we still have 8 open tickets there
14:22:36 <Astradeus> nah, nothing specific
14:22:53 <mhayden> alrighty
14:22:54 <Astradeus> isn't the number of unowned+new tickets quite high?
14:23:09 <mhayden> yes, it is :/
14:24:04 <Astradeus> i'll try if i can look at maybe some of them in the next few days - but as i haven't handled much fedora-stuff so far i might have some questions sometimes ;)
14:24:29 <mhayden> that's totally okay -- the fedora security team wiki page has a process you can follow for each ticket you snag
14:24:39 <mhayden> on how to assign yourself to it as a fst person and so on
14:26:04 <mhayden> but if you get stuck, be sure and ask
14:26:45 <mhayden> Astradeus: anything else?
14:26:47 <mhayden> i think i'm all done
14:27:24 <Astradeus> nah, nothing from my side
14:28:16 <mhayden> alrighty, well i'll close this thing up
14:28:18 <mhayden> thanks, Astradeus
14:28:22 <mhayden> #endmeeting