14:02:22 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:02:22 <zodbot> Meeting started Thu Nov 12 14:02:22 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:22 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:02:25 <Sparks> #meetingname Fedora Security Team
14:02:25 <zodbot> The meeting name has been set to 'fedora_security_team'
14:02:27 <Sparks> #topic Roll Call
14:02:28 * Sparks 
14:03:35 <mhayden> .hello mhayden
14:03:36 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
14:03:53 <Astradeus> .hello astra
14:03:54 <zodbot> Astradeus: astra 'David Kaufmann' <astra@ionic.at>
14:08:24 <Sparks> Sorry, I'm just updating the agenda
14:09:04 <mhayden> no worries
14:09:09 <d-caf> sorry late
14:09:37 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:09:44 <mhayden> #link https://lists.fedoraproject.org/pipermail/security-team/2015-November/000412.html
14:09:47 <mhayden> ^^ current report
14:09:52 <Sparks> #topic Follow up on last week's tasks
14:10:00 <Sparks> Sparks to talk with mattdm regarding private security tickets in BZ.
14:10:12 <Sparks> This was done and I'll be talking more about that today
14:10:21 <Sparks> Sparks to discuss using Bluejeans for an online GPG key signing event
14:11:05 <Sparks> This was done but we didn't get any takers.
14:11:22 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over)
14:11:29 <Sparks> And pjp isn't here.
14:11:40 <Sparks> Sparks to work with PST to get our mailling list included on BZ tickets for critical and important CVEs.
14:11:54 <Sparks> I did this but it may not be possible with our current tooling.
14:12:25 <Sparks> I contintue to work on this
14:12:35 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs
14:12:42 <Sparks> I need to continue to work on this.
14:13:05 <Sparks> #topic Virtual GPG Key Signing Event
14:14:00 <Sparks> I sent out an email about this but no one followed through with their fingerprints.
14:14:09 <Astradeus> ah, forgot :/
14:14:18 <mhayden> i like the idea, but i'm not inclined to participate
14:14:25 <d-caf> Yes, sorry, got busy at work, doing extra hours
14:14:56 <Sparks> mhayden: No?
14:15:34 <mhayden> i'm still ancy about having my id captured via webcam
14:15:36 <mhayden> or parts of it
14:15:53 <mhayden> but, then again, i don't get terribly excited about gpg key signing in the first place, so i'm an oddball
14:15:56 <mhayden> :P
14:16:01 <Sparks> clearly
14:16:11 <mhayden> haha
14:16:15 <Sparks> The ID thing is an interesting arguement.
14:16:19 <mhayden> my wife thinks i'm an oddball as well
14:16:48 <d-caf> mhayden: I'm in the same boat (though I have mostly converted my wife over the years..)
14:16:55 <Astradeus> i'd probably go with taping something over my birthdate and unique-number probably
14:17:16 <Sparks> I mostly think it's a strawman arguement since we generally don't protect our IDs in real life (at least in the US where we have to present them for various reasons).
14:17:49 <d-caf> Sparks: "some" don't protect there IDs (the guy with an RFID blocking wallet notes...)
14:18:04 <d-caf> :-)
14:18:13 <Sparks> This is also a "private" event only open to the few of us so...  a much reduced group of people
14:18:25 <Sparks> d-caf: Do you have to provide your ID to buy alcohol?
14:18:37 <Sparks> or to use your credit card?
14:19:04 <d-caf> Sparks: sometimes ID is required, and I try to shield it.  And I have dedicated credit cards for certain types of purchases
14:19:23 <d-caf> Yeah, I add overhead to my life <shrug>
14:19:50 <Sparks> I'm not saying it's dumb to protect your ID, by the way.
14:20:48 <Sparks> Okay, moving on
14:20:51 <d-caf> I'm fine with key-signing, but yes, I will be presenting a partially redacted ID if I participate
14:20:57 <Sparks> #topic Education and Training
14:21:10 <Sparks> #link https://fedoraproject.org/wiki/Information_Security_Training
14:21:36 <Sparks> If you know of anything that should go here please let me know.
14:22:33 <d-caf> It's a good collection, I only had one thing to add at this point, nice work!
14:22:39 <mhayden> that's a good list
14:23:02 <Sparks> Hopefully it's a useful resource
14:23:05 <mhayden> i could think of some non-free things (like specific classes from SANS) that might be helpful
14:23:23 <d-caf> There is also the Security Engineering book, and there are many free Online classes that I need to track down to add
14:23:51 <d-caf> There are also free SANS webinars, but they range in quality
14:24:17 <d-caf> http://www.cl.cam.ac.uk/~rja14/book.html
14:24:25 <d-caf> #link http://www.cl.cam.ac.uk/~rja14/book.html
14:25:24 <Sparks> Cool
14:26:30 <Sparks> #topic Future of the Team
14:26:43 <Sparks> I had a nice chat with mattdm last week.
14:27:57 <Astradeus> any outcomes?
14:27:58 <Sparks> We agree that the FST is an important part of Fedora
14:28:29 <Sparks> We want FST to start working on more projects and be the go-to group for all things security
14:29:07 <Sparks> This is includes the possibility of working on embargoed vulnerabilities
14:29:23 <mhayden> doesn't that overshadow Red Hat's Product Security team work?
14:29:30 <Sparks> No,
14:29:47 <Sparks> In fact, RH PST doesn't actually work on anything Fedora.
14:30:53 <Sparks> Fedora now has to wait for an embargo to be lifted for work to begin
14:30:58 <Sparks> I want to change that
14:31:14 <d-caf> Sparks: +1
14:31:26 <Sparks> Especially on Fedora-only or EPEL-only vulnerabilities
14:31:31 <mhayden> that'd be helpful
14:31:54 <Sparks> There is much work to do here, though.
14:32:31 <Sparks> Our tool chains don't support activities that don't leak information
14:32:51 <mhayden> it seems like we need a security-minded person embedded in some of the bigger sigs/working groups, like server/workstation/cloud
14:32:56 <Sparks> So we'll need to work on that
14:33:02 <Sparks> mhayden: +12
14:33:05 <Sparks> errr
14:33:07 <Sparks> +1
14:33:12 * mhayden has the server wg covered! :P
14:33:56 <Sparks> woot!
14:34:42 <mhayden> i like the mission and i think we need to get more involved where the action is happening
14:34:57 <Sparks> agreed
14:35:33 <Sparks> #idea Apprenticeship
14:35:34 <mhayden> i'd like to find an automated way to "nag" maintainers to update their bugzilla tickets + packages
14:36:08 <Sparks> We need a way to establish trust in individuals.
14:36:36 <Sparks> And we need to provide a way to train people
14:36:48 <d-caf> Sparks: individuals?  Package maintaniners or FST members?
14:36:58 <Sparks> FST members
14:37:24 <Southern_Gentlem> i will be continueing doing updated lives for the project so if we have anymore things hit like heartbleed new users can install after the fix is pushed and not be vulnerable
14:38:05 <Sparks> +1
14:38:27 <d-caf> Southern_Gentlem: +1
14:38:38 <Southern_Gentlem> so you know whatever gets fixed at least is getting pushed
14:39:12 <mhayden> also, at a minimum, we need a talk at the next flock on the FST
14:39:30 <mhayden> and it might not hurt to try to get a post onto fedoramag once or twice per quarter
14:39:33 <Sparks> Where is the next Flock?
14:39:42 <mhayden> Sparks: i assume in Europe since it was in NA this year
14:40:07 <mhayden> i will probably need to pick between traveling for FOSDEM and Flock :|
14:40:49 <Sparks> #action Sparks to bring up apprenticeship on list
14:41:04 <d-caf> Unfortunately unless they are near where I live chances of me going or next to nill :-(
14:41:12 <Sparks> #action Sparks to talk more about the discussion with mattdm on the list
14:41:44 <Sparks> Sorry, I meant to send out a message regarding the meeting last week.
14:42:01 <Sparks> Okay, lets move on
14:42:08 <Sparks> #topic Outstanding BZ Tickets
14:42:17 <Sparks> #info Thursday's numbers: Critical 1 (0), Important 41 (+1), Moderate 454 (-3), Low 178 (+8), Total 674
14:42:30 <Sparks> #info Current tickets owned: 85
14:42:38 <Sparks> +Tickets by Priority--+-------+---------+
14:42:38 <Sparks> | Priority    | Count | Owned | Unowned |
14:42:38 <Sparks> +-------------+-------+-------+---------+
14:42:38 <Sparks> | medium      | 454   | 45    | 409     |
14:42:38 <Sparks> | low         | 178   | 14    | 164     |
14:42:40 <Sparks> | high        | 41    | 26    | 15      |
14:42:43 <Sparks> | unspecified | 3     | 0     | 3       |
14:42:45 <Sparks> | urgent      | 1     | 0     | 1       |
14:42:48 <Sparks> +-------------+-------+-------+---------+
14:42:50 <Sparks> Anyone have anything?
14:43:02 <d-caf> What's the urgent one?
14:43:25 <Sparks> IDK.  I thought I had found it and made it not urgent.  Maybe it's a new one?
14:43:53 <d-caf> wierd, nothing in bugzilla
14:43:57 <Sparks> Which is why I want better notification of urgent and high (critical and important) vulns.
14:44:18 <Sparks> mhayden: Is your script stuck?
14:44:43 <mhayden> let me print out the ticket that is causing the urgent to show
14:46:09 <mhayden> 1266404
14:46:22 <mhayden> https://bugzilla.redhat.com/show_bug.cgi?id=1266404
14:46:35 <mhayden> why is that one showing up in the Fedora list?
14:46:37 * mhayden digs
14:46:53 <d-caf> weird, well at least it's on QA :-)
14:47:03 <Sparks> It's a RHEL bug
14:47:04 <mhayden> SecurityTracking is in the keywords
14:47:12 <mhayden> that's unusual for RHEL bugs IIRC
14:47:31 <Sparks> Yeah.  Need to make sure you're limiting on Product: Fedora, too
14:48:04 * mhayden edits
14:48:16 <mhayden> haha, oh my
14:48:32 <mhayden> i wonder if limiting on Fedora drops EPEL
14:48:33 <d-caf> Fedora EPEL as well (or Fedora * )
14:49:01 <mhayden> okay, script needs tweaking :)
14:49:31 <Sparks> That's fine.
14:50:10 <Sparks> #topic FST Logo
14:50:13 <Sparks> https://fedorahosted.org/design-team/attachment/ticket/367/fst.png
14:50:31 <Sparks> I hope everyone will provide feedback
14:50:36 <d-caf> Oh, had onemore ticket question, but can cover in open discussion
14:50:48 <Sparks> Opps, sorry
14:50:55 <Sparks> #topic Open floor discussion/questions/comments
14:50:58 <Sparks> d-caf: Go
14:51:16 <d-caf> This ticket, should it be given a priority? https://bugzilla.redhat.com/show_bug.cgi?id=1220138
14:51:57 <d-caf> or severity
14:52:44 <Sparks> d-caf: I just marked it as a "high" since one of the dependencies was a "high" CVE
14:53:06 <d-caf> There is also another ticket taht is marked high, but with no priority so shows in unknown
14:53:15 <d-caf> https://bugzilla.redhat.com/show_bug.cgi?id=1209214
14:53:49 <d-caf> Wondering if we should check on priority and severity?  Or what is the true meaning between those seperate ratings?
14:53:51 <Sparks> We need to make sure that all the unspecified tickets get a severity and that if it's an actual vulnerability that it gets a CVE via secalert@redhat.com
14:53:51 <Astradeus> so the first bug #1220138 is a "add mono 4 to f22" ?
14:54:31 <d-caf> Well the first bug is they are using an old mono that has lots of issues, and there proposed fix is updating to mono 4
14:54:47 <d-caf> I have not tracked down the full status of this and how bad it may be
14:54:53 <Sparks> d-caf: I think priority is set by the project but severity of a vulnerability should be impact as provided by the CVSS score via RH PST.
14:54:54 <mhayden> correct security team report -> http://paste.fedoraproject.org/289651/73400771/raw/
14:55:12 <d-caf> Just noticed two unspecified tickets and decided to look at it this morning
14:55:20 <mhayden> #link http://paste.fedoraproject.org/289651/73400771/raw/
14:55:36 <Sparks> Oh crap
14:55:41 <Astradeus> d-caf: according to the referenced (closed) bug (#1089426) mono 4 is already in f23
14:55:59 <Sparks> We need someone to start going through the F21 bugs and see if we need to move them forward to F22 or higher.
14:56:02 * Sparks did that last time
14:56:14 <d-caf> Astradeus: Good, but F22 still may need the same update
14:56:21 <Sparks> Anyone want to handle that?
14:57:37 <Sparks> Okay, I'll send that to the list
14:58:03 <d-caf> We probably also need to udpate our links here: http://fedoraproject.org/wiki/Security_Team to go off severity and not priority?
14:58:20 <Sparks> #action Sparks to send a note to the list regarding to updating f21 tickets
14:58:41 <d-caf> Since this is comming up unknown, but is rated high severity https://bugzilla.redhat.com/show_bug.cgi?id=1209214
14:58:57 <d-caf> Also need to check reporting scripts are doing the same
14:59:22 <Sparks> ya
14:59:30 <Sparks> Okay, last few seconds... anyone have anything?
15:00:41 <Sparks> Okay, lets move these discussions to the list
15:00:52 <Sparks> Thanks, everone, for coming!
15:00:53 <Astradeus> thanks all :)
15:00:57 <d-caf> Sparks: thanks all!
15:00:59 <Sparks> #endmeeting