14:00:21 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:21 <zodbot> Meeting started Thu Nov 5 14:00:21 2015 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:21 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:24 <Sparks> #meetingname Fedora Security Team
14:00:24 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:26 <Sparks> #topic Roll Call
14:00:29 * Sparks
14:01:50 * Astradeus
14:03:11 <Sparks> mhayden: ping
14:03:11 <zodbot> Sparks: Ping with data, please: https://fedoraproject.org/wiki/No_naked_pings
14:03:22 <mhayden> Sparks: aaaaack, DST
14:03:28 <mhayden> :P
14:03:35 <Sparks> mhayden: We're on zulu time!
14:03:42 * mhayden scurries over to his calendar to adjust the invitation
14:03:48 <Sparks> mhayden: Could you run your script for numbers, please?
14:03:51 <mhayden> on it
14:03:56 <Sparks> TU
14:04:01 <Sparks> mattdm: You around?
14:05:21 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-November/000401.html
14:05:23 <mhayden> ^^ stats
14:08:01 <Sparks> Hmmm, I thought I took care of that Critical last week.
14:09:04 <rishi> fg
14:09:07 <rishi> sorry
14:10:56 <Sparks> Sorry for the delay, I'm still tweaking the minutes.
14:11:01 * Sparks is running behind this morning
14:13:15 <mhayden> DST made all of my meetings scoot up
14:14:32 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:14:48 <Sparks> mhayden: Just put the TZ for this meeting as UTC and it'll always be correct. :)
14:14:53 <Sparks> Okay, let's get started.
14:15:03 <Sparks> #topic Follow up on last week's tasks
14:15:13 <mhayden> figured out how to do that in android -- makes up for Exchange's shortcomings :P
14:15:26 <Sparks> #action Sparks to talk with mattdm regarding private security tickets in BZ.
14:15:42 <Sparks> #info This was started but hasn't really moved forward.
14:15:50 <Sparks> #action Sparks to discuss using Bluejeans for an online GPG key signing event
14:16:04 <Sparks> I haven't done this but does anyone have a problem with doing this?
14:16:12 <mhayden> i did my first gpg key signing at the last flock, it was fun!
14:16:45 <mhayden> i'm not sure how some folks might feel about their identification cards/passports/licenses being on screen
14:16:52 <mhayden> someone could screenshot it and do nefarious things
14:17:17 <Sparks> Well, lots of people could do lots of things... I'm not sure that it requires a screenshot.
14:17:26 <mhayden> haha
14:18:05 <Sparks> #info This isn't mandatory so if you don't feel comfortable participating or don't feel comfortable with not holding an ID in your hands then you don't have to participate.
14:18:18 <mattdm> Sparks: I'm around for, like, 11 minutes
14:18:51 <Sparks> mattdm: Can I get on your calendar for later today to discuss furthering the mission of the FST?
14:19:05 <Astradeus> i think in that case hiding the passport number should be enough to make it a little bit protected - the rest of the security features is the same on all other identification-things
14:19:51 <Astradeus> e.g. the hologram and the name needs to be visible i think, the passport number does not need to be
14:20:04 <Sparks> Okay, I'll try to send something to the list just after the meeting while it's fresh on my mind.
14:20:15 <Sparks> Astradeus: True
14:20:24 <mhayden> i think sgallagh arranged the last signing at flock
14:20:42 <Sparks> Astradeus: I suspect that most Customs folks are using the RFID chip for auth now anyway.
14:20:59 * mhayden is one of the few without a chipped passport at the moment :P
14:21:09 <mattdm> Sparks: -- yes... maybe 3pm (US/Eastern)?
14:21:15 <Sparks> mhayden: Yeah, likely. I've usually done them at events around here.
14:21:41 <Sparks> mattdm: 3pm ET works for me. I'll send you info. Thanks!
14:22:20 <Sparks> mhayden: What?!? How can you survive without the little chip thingy? :)
14:22:25 <Sparks> Okay, moving on...
14:22:29 <Sparks> #action mhayden to get Astradeus' changes to the stats script into the fedora-security-team git repo
14:22:38 <Sparks> mhayden: ^^^ did this happen?
14:23:15 <mattdm> Sparks: cool
14:23:20 <mhayden> nah, but i am going to look at it right now ;)
14:23:37 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over)
14:23:42 <Sparks> #topic Education and Training
14:23:49 <Sparks> #link https://fedoraproject.org/wiki/Information_Security_Training
14:23:57 <Sparks> (From last week...)
14:24:31 <Sparks> I've started compiling training aids for learning about information security. I've created the above wiki page to list them.
14:25:08 <Astradeus> i've been skipping over a few entries already - nice page :)
14:25:27 <fenrus02> https://benchmarks.cisecurity.org/downloads/multiform/index.cfm - should it be there?
14:26:29 <Sparks> fenrus02: IDK. Is that educational or just benchmark information?
14:26:43 <fenrus02> how / why to make alterations
14:27:05 <Sparks> It could be. Feel free to add it.
14:27:21 <fenrus02> ditto for https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ ?
14:27:53 <fenrus02> https://wiki.mozilla.org/Security/Server_Side_TLS .. and .. https://mozilla.github.io/server-side-tls/ssl-config-generator/ ? or too much detail ?
14:27:59 <mhayden> #info Astradeus' changes for the script are now merged ;)
14:28:30 <Sparks> fenrus02: Yes, but use a WorldCat URL for books. https://www.worldcat.org/title/bulletproof-ssl-and-tls/oclc/889874499
14:28:47 <fenrus02> ok. why worldcat instead of the publisher page?
14:29:09 <Sparks> Worldcat shows where to get the book (and not just from Amazon) like libraries
14:29:27 <Sparks> I want to make it easier for folks to find the materials.
14:29:37 <Sparks> Especially if they can get them for free.
14:31:29 <Sparks> #topic Outstanding BZ Tickets
14:31:36 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 40 (0), Moderate 457 (+11), Low 170 (+8), Total 668
14:31:42 <Sparks> #info Current tickets owned: 85
14:31:55 <Sparks> +Tickets by Priority--+-------+---------+
14:31:55 <Sparks> | Priority    | Count | Owned | Unowned |
14:31:55 <Sparks> +-------------+-------+-------+---------+
14:31:55 <Sparks> | medium      |   457 |    45 |     412 |
14:31:56 <Sparks> | low         |   170 |    14 |     156 |
14:31:58 <Sparks> | high        |    40 |    26 |      14 |
14:32:00 <Sparks> | unspecified |     4 |     0 |       4 |
14:32:03 <Sparks> | urgent      |     1 |     0 |       1 |
14:32:05 <Sparks> +-------------+-------+-------+---------+
14:32:09 <Astradeus> i didn't have the time to look at tickets unfortunately :/
14:32:16 <Sparks> Anyone have anything ticket-wise to discuss?
14:34:26 <Sparks> Oh, I have something.
14:34:49 <Sparks> #idea FST gets copied on critical and important CVEs that come to Fedora/EPEL.
14:35:03 <fenrus02> +1
14:35:43 <Sparks> I figure that way we will get notified immediately instead of finding out something has been there after a few days/weeks.
14:37:01 <Sparks> mhayden: ^^^
14:37:17 <mhayden> that'd be nifty
14:39:03 <Sparks> #action Sparks to work with PST to get our mailing list included on BZ tickets for critical and important CVEs.
14:40:32 <Sparks> #info Apparently FST members can't look at security bugs. This is likely a problem if we're supposed to be fixing such things.
14:40:47 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs
14:41:32 <Sparks> #info Anyone finding a security bug in Fedora that doesn't have a CVE should let PST know so we can get a CVE issued. secalert@redhat.com
14:42:08 <Sparks> Anyone have anything else?
14:42:14 * jsmith shows up late, and has nothing :-(
14:42:27 <Sparks> jsmith: Welcome!
14:43:34 <Sparks> #topic Open floor discussion/questions/comments
14:43:45 <Sparks> Okay, does anyone have anything before we close for the day?
14:45:16 <Sparks> Nothing?
14:45:52 <Sparks> Okay, I'm going to go ahead and close the meeting and try to update next week's agenda now (for a change) and start working on my action items.
14:45:57 <Sparks> Thanks, all, for coming out!
14:46:11 <Astradeus> thank you for managing the meeting :)
14:46:52 <Sparks> #endmeeting