fedora_security_team
14:00:38 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:39 <zodbot> Meeting started Thu Dec  3 14:00:38 2015 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:39 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:39 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:42 <Sparks> #meetingname Fedora Security Team
14:00:42 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:52 <Sparks> #topic Roll Call
14:00:54 * Sparks 
14:01:38 * Astradeus (more or less)
14:02:21 <Sparks> Astradeus: I feel the same way
14:05:27 * d-caf 
14:05:36 <Sparks> mhayden: Are you here?
14:05:48 <mhayden> aaah, yes
14:05:50 <mhayden> .hello mhayden
14:05:51 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
14:06:06 * mhayden switched to evolution this week and is getting used to its quirky calendar
14:06:56 <Southern_Gentlem> mhayden, may gawd have mercy on you
14:07:47 <mhayden> Southern_Gentlem: thanks -- my work life is in MS Exchange :/
14:08:12 <d-caf> mhayden: oh, I'm so sorry
14:08:28 <Southern_Gentlem> mhayden,  i am lucky that we have not had to do that yet ( i have 5 secretaries that use exchange)
14:08:52 <mhayden> Southern_Gentlem: ah, for some reason i thought you worked for RHT
14:09:11 <mhayden> sorry for sending us wildly OT, Sparks ;)
14:09:16 <Southern_Gentlem> mhayden,  i thought you came to Fudcon Blacksburg
14:09:32 <Southern_Gentlem> oops sorry
14:09:48 <mhayden> nah, i couldn't make that one
14:10:00 <mhayden> interested to hear where fudcon will be in 2016
14:10:01 * linuxmodder here
14:10:02 <Sparks> mhayden: What'd I do?
14:10:04 <Sparks> :)
14:10:09 <Sparks> Okay, lets get started
14:10:13 <mhayden> Sparks broke bugzilla
14:10:26 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
* Sparks did not break bugzilla
14:10:45 <Sparks> mhayden: https://bugzilla.redhat.com/show_bug.cgi?id=1288076
14:10:59 <Sparks> #topic Follow up on last week's tasks
14:11:15 <Sparks> And by "last week" I mean a few weeks ago
14:11:21 <Sparks> Sparks to talk with mattdm regarding private security tickets in BZ.
14:11:26 <Sparks> Yep, I did this (and more).
14:11:40 <Sparks> #link https://lists.fedoraproject.org/archives/list/security-team%40lists.fedoraproject.org/message/FVBWBSP34J7Y5CFM4TI5BF7VIHBDXZCO/
14:11:47 <Sparks> We'll talk more about this later.
14:11:55 <Sparks> #action pjp to give a status update on security policy in the wiki (carried over)
14:12:12 <Sparks> Sparks to work with PST to get our mailing list included on BZ tickets for critical and important CVEs.
14:12:43 <Sparks> #info Not sure we can dynamically add FST to critical and important CVEs with the current tool set.
14:12:55 <Sparks> #action Sparks to figure out how FST members can get access to Fedora security bugs
14:13:04 <Sparks> Did I miss anything else?
14:14:03 <mhayden> i think that's it
14:14:45 <Sparks> #topic Education and Training
14:14:58 <Sparks> #link https://fedoraproject.org/wiki/Information_Security_Training
14:15:18 <Sparks> I don't think anyone has added any resources to this page, yet, but please do.
14:15:31 <mhayden> can we add non-free stuff?
14:15:54 <Sparks> #info The Information Security Training page is available to provide educational links to help people become more security literate.
14:16:08 <d-caf> Sparks: I had added some links regarding OWASP, but not much more than that
14:16:23 <Sparks> mhayden: Ummm...  I'd like to keep it all free if at all possible.  I want it to be easy access for people.
14:16:24 <linuxmodder> FST ?
14:16:43 <Sparks> mhayden: Books can be found at libraries but also can be purchased so I think they are okay.
14:16:47 <d-caf> linuxmodder: FST = Fedora Security Team
14:17:14 <mhayden> Sparks: got it
14:17:22 <mhayden> i added a link for STIG's
14:17:32 <Sparks> mhayden: Perhaps we have a separate area for non-free stuff?  There are some good resources out there.
14:17:36 <Sparks> mhayden++
14:17:37 <zodbot> Sparks: Karma for mhayden changed to 3 (for the f23 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
14:17:39 <mhayden> that would be good
14:17:49 <mhayden> i'd like to put a relevant SANS course in there
14:17:54 <mhayden> not free, but good knowledge there
14:17:58 <Sparks> true
14:18:02 <d-caf> mhayden: was just thinking about SANS
14:18:02 * mhayden chomps on his cookie
14:18:07 <jsmith> nom nom nom
14:18:15 <Sparks> Mmmm... cookies
14:18:16 <mhayden> also, what about RHT's relevant security course(s) as part of the RHCA track?
14:18:20 <d-caf> mhayden: they do have free webinars, though often more product pitches
14:18:20 * Sparks still hasn't had breakfast
14:18:30 <mhayden> oh their webinars make me cry
14:18:36 <Sparks> mhayden: That would probably be good to add.
14:18:51 <Sparks> mhayden: And, really, any other Linux security training courses.
14:18:56 <Sparks> jsmith: moin
14:19:08 <d-caf> mhayden: I've seen an occasional good one like webbreachers stuff
14:19:55 <d-caf> Might consider adding regional/local group links/section for in person resources?
14:20:09 <d-caf> Local security focused meetups and such
14:20:42 <linuxmodder> Linux foundation has a few
14:20:46 <Sparks> d-caf: Yeah, that's a good idea, too.
14:20:50 <linuxmodder> more  sysadmin ish but  good
14:21:04 <linuxmodder> +1 for meetup idea
14:21:33 <d-caf> I know my area around DC is littered with them, i'll get some of the better ones listed
14:22:10 <linuxmodder> d-caf,  we are both in the same locale  (have you been to the new one on Tuesday in Adams Morgan? )
14:22:38 <Sparks> d-caf: You are in DC?
14:22:49 <d-caf> linuxmodder: No, hadn't heard of anything in Adams Morgan
14:23:05 <d-caf> Sparks: Outside in the Northern Virginia area
14:23:14 <Sparks> d-caf: I'm in Maryland
14:23:21 <linuxmodder> Tysons /Falls Church
14:23:27 <Sparks> Okay, lets move on to other things...
14:23:32 <d-caf> Don't go into DC that much (prefer to keep my commute under 30 minutes..)
14:23:37 <Sparks> #topic Apprenticeship
14:23:46 <Sparks> And here's the really fun stuff
14:23:56 <linuxmodder> d-caf,  indeed metro sucks  but some good meets there
14:23:59 <Sparks> #link https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:24:20 <linuxmodder> will be  looking to join
14:24:52 <linuxmodder> also anyone who has a minute this week, looking to finish an audit/review of the security guide for -docs
14:25:01 <Sparks> linuxmodder: Sure
14:25:13 <Sparks> So, the Apprenticeship page has been established.
14:25:24 <Sparks> It needs to be fleshed out more, though.
14:25:35 <linuxmodder> mostly the deep dive selinux stuff; while I've gotten way better in the last few months, some of it is still klingon to me
14:26:02 <Sparks> I'd like to have the Apprenticeship ready to go by 2016
14:26:14 <linuxmodder> can take a look this week Sparks, wordpress and docs work has got me in a groove
14:26:33 <linuxmodder> what all still needs to be set up?
14:27:07 <Sparks> Well, we need to figure out the framework, the work that needs to be completed, and the certification process.
14:27:35 <d-caf> Are you going to set up formal "levels" of the FST?
14:27:53 <mhayden> level 9 dungeon master
14:28:04 <d-caf> mhayden: :-)
14:28:06 <Sparks> In the [U.S.] Navy we have PQSs that involve training and OJT which is followed by some sort of certification board that meets to review your paperwork and ask you questions.  I think we should do something similar to this.
14:28:09 <linuxmodder> lol
14:28:15 <mhayden> that's a bunch of acronyms ;)
14:28:18 <Sparks> mhayden: +1
14:28:29 <linuxmodder> +1
14:28:37 <mhayden> at my company, we use empty cups of coffee and grey hair to figure out the levels of each security person :P
14:28:40 <d-caf> was thinking along the lines of apprentice/novice, normal contributors, and then those that have gotten "certified" and handle embargo stuff etc...
14:28:56 <Sparks> PQS == personnel qualification standards
14:29:04 <Sparks> OJT = on the job training
14:29:05 <mhayden> this gets tricky because Fedora doesn't legally exist as an entity, right?
14:29:11 <mhayden> thanks, Sparks
14:29:35 <linuxmodder> possible to have a tie-in with, say, rhca i'm sure
14:30:00 <d-caf> Would prefer to keep a path that is free as in beer for people to work their way up
14:30:11 <Sparks> d-caf: +1
14:30:45 <d-caf> Though that doesn't exclude rhca as a possible alternative path to meet requirements
14:31:10 <Sparks> Well, that's more of a sysadmin thing.  We're trying to work vulnerabilities.
14:32:33 <linuxmodder> make it a training path FOR rhca and the like then
14:33:00 <d-caf> So we need to come up with core "skills/experience" that a candidate should have 1 or more of
14:33:06 <Sparks> Can I get some volunteers to help put the apprenticeship together?
14:33:12 <Sparks> d-caf: Yes
14:33:16 <linuxmodder> donations (time or money always welcome) -- we train you to be secure / safe with option to get rhca and the like (you pay for cert)
14:33:18 <d-caf> Sparks: more than willing to help
14:33:25 <linuxmodder> Sparks,  count me in
14:33:36 <Astradeus> Sparks: I can try
14:33:47 <Sparks> Okay, lets talk more about this on the list, then.
14:34:00 <d-caf> I've gone through enough certification process to have an idea of what does or doesn't work
14:34:51 <Sparks> Okay, moving on
14:34:54 <Sparks> #topic Outstanding BZ Tickets
14:35:07 <Sparks> #info Thursday's numbers: Critical 0 (-1), Important 36 (-5), Moderate 424 (-30), Low 145 (-33), Total 605
14:35:19 <Sparks> #info Current tickets owned: 80
14:35:29 <Sparks> +Tickets by Priority----+-------+---------+
14:35:29 <Sparks> | Priority    | Tickets | Owned | Unowned |
14:35:29 <Sparks> +-------------+---------+-------+---------+
14:35:29 <Sparks> | medium      | 424     | 45    | 379     |
14:35:29 <Sparks> | low         | 145     | 13    | 132     |
14:35:31 <Sparks> | high        | 36      | 22    | 14      |
14:35:34 <Sparks> | unspecified | 1       | 0     | 1       |
14:35:36 <Sparks> +-------------+---------+-------+---------+
14:35:52 <Astradeus> uh, somebody did quite a lot of work o_O
14:36:03 <Sparks> Does anyone have any questions?
14:36:17 * Sparks needs to figure out the "unspecified" ticket.
14:36:25 <d-caf> noticed some old fedora tickets got aged out
14:36:27 <linuxmodder> what is the unspec one about?
14:36:43 <linuxmodder> with 21 going eol i assume?
14:36:47 <Sparks> linuxmodder: It's likely a community ticket that got started without a CVE
14:36:48 <d-caf> Sparks: probably another severity set but priority not
14:36:50 <mhayden> i think the unspec was an epel one
14:36:57 <mhayden> something w/RHEL 6
14:36:59 <mhayden> IIRC
14:37:09 <Sparks> d-caf: I thought we were going off of severity and not priority
14:37:14 <linuxmodder> nice  :(
14:37:22 <d-caf> Sparks: not sure if the scripts got updated
14:37:23 <Astradeus> oh. was thinking of the best, but yeah, i've seen the aging-out too
14:37:26 <linuxmodder> c6.4 and c7.2 only, no Fedora in what I use
14:37:30 <d-caf> and we didn't get a firm consensus
14:37:47 <Sparks> Yeah, the drop in tickets is likely from where F21 got EOL'd.
14:38:02 * Sparks wonders how many of those tickets should have been moved forward.
14:38:04 <linuxmodder> pardon the ignorance which scripts d-caf ?
14:38:25 <d-caf> The report scripts, and the links on the FST page
14:38:31 <linuxmodder> ah
14:39:03 <d-caf> at minimum I vote to have the scripts search on severity and priority, or just move to severity only
14:39:10 <Sparks> linuxmodder: https://git.fedorahosted.org/cgit/fedora-security-team.git
14:39:44 <Sparks> d-caf: I think just severity as the priority might change based on the priorities of the project but the severity shouldn't.
14:39:55 <Sparks> ...as that should be based off of the CVSS score.
14:40:01 <linuxmodder> what is the bar for priority?
14:40:39 <d-caf> Sparks: true, but just in case someone misused the tags (as there seemed to be some confusion even in our group about usage) it might be good to trigger on priority as well to catch edge cases
14:40:45 <d-caf> since security is all about edge cases
14:40:53 <Sparks> linuxmodder: The priority is usually set, by the tools, to whatever the severity is
14:41:12 <linuxmodder> which I don't see changing until EOL dates, and since the next is not for what, 11 months, that would be a good idea in my book
14:41:40 <Sparks> d-caf: I'm just not sure how you would categorize a ticket that has mis-matched values
14:42:01 <linuxmodder> although we still run into the issue of user-defined priority / real world with that dcmorton
14:42:03 <linuxmodder> d-caf,
14:42:11 * Sparks is a dolt
14:42:29 <Sparks> d-caf: Okay, that table is specifically "by Priority" (as indicated)
14:42:34 <Sparks> +Tickets by Severity-+-------+---------+
14:42:34 <Sparks> | Severity | Tickets | Owned | Unowned |
14:42:34 <Sparks> +----------+---------+-------+---------+
14:42:34 <Sparks> | medium   | 424     | 45    | 379     |
14:42:34 <Sparks> | low      | 145     | 13    | 132     |
14:42:36 <Sparks> | high     | 37      | 22    | 15      |
14:42:39 <Sparks> +----------+---------+-------+---------+
14:42:41 <Sparks> There's the count by severity
14:42:44 <Sparks> Ugh
14:42:48 <linuxmodder> can we still flag for further info like other bugs in that case tho?
14:43:26 <d-caf> Yeah, so fine with both, but would update the search links on FST page to also include something like:
14:43:31 * Sparks would like to see all unowned "high" cases picked up by next week.
14:44:21 <d-caf> Sparks: noticed a few QEMU dropped this week, was going to pick those up but wasn't on a browser I could safely log into FAS with
14:44:34 <linuxmodder> will look today at the high pri
14:44:47 <Sparks> Okay, with only a few minutes left...
14:45:04 <d-caf> Would like to update our Bugzilla links on the FST page to pick up both high severity and priority when clicking on the respective unowned links
14:45:05 <Sparks> #topic Open floor discussion/questions/comments
14:45:17 <Sparks> d-caf: Do it
14:45:28 <Sparks> Okay, does anyone have anything of general interest?
14:45:30 <d-caf> ok, willdo
14:45:50 * Sparks is thinking about a DC meet up since there are so many people around the area that could come.
14:46:13 * Sparks also wonders if we have the budget to fly mhayden in for lunch
14:46:16 <d-caf> Sparks: like the idea, good pgp signing time as well ;-)
14:46:23 <Sparks> d-caf: +1
14:47:09 <mhayden> i always love the free roller coaster ride into Reagan!
14:47:17 * mhayden tightens the seatbelt
14:47:49 <d-caf> Everyone should get shmocon tickets and make it a meetup and sec conference at the same time
14:47:57 <mhayden> that might not be a bad idea either
14:48:00 <d-caf> assuming they get their registration process up to speed
14:48:12 <d-caf> and we get enough lucky clicks
14:48:17 <Astradeus> did the online keysigning happen and i've just missed it?
14:48:37 * d-caf already got my shmocon ticket during first round, luckily...
14:48:42 <d-caf> Astradeus: nope
14:48:43 <Sparks> shmocon++
14:48:57 <Sparks> I'm never fast enough to get tickets
14:49:16 <Sparks> Astradeus: No one showed up for it.
14:49:17 <d-caf> I've been lucky and gotten tickets every year since year 2
14:49:23 <Sparks> d-caf: Nice
14:49:30 <linuxmodder> +1 to key signing
14:49:41 <Sparks> zoglesby: ^^^
14:49:54 <Sparks> jsmith: I'm assuming you could come up as well?
14:50:21 <jsmith> Sparks: ACK!
14:50:49 <linuxmodder> Sparks, if you set one up and I miss it being mentioned, I'm game
14:50:54 <jsmith> Sparks: (Assuming the timing and my employment situation allows it)
14:52:03 <Astradeus> Sparks: sorry for missing it :/
14:52:23 <Sparks> #idea Host a FST DC Meet Up
14:52:54 <Sparks> Okay, does anyone have anything else?
14:53:18 <Sparks> You know, we could probably use the DC library for a meeting spot for a FAD.
14:53:28 <Sparks> They have space like that available.
14:54:10 <Sparks> Okay, does anyone have anything else?
14:54:46 <d-caf> Nope
14:55:00 <d-caf> will get on the documentation in the next few days and grab tickets
14:55:03 <zoglesby> reading...
14:55:55 <zoglesby> I am in!
14:56:24 <jsmith> Sparks: I might have a lead on another location to meet as well...
14:56:40 <zoglesby> We could also use my office
14:56:59 <zoglesby> They tend to be very nice about this kind of stuff
14:57:21 <d-caf> Ok, so apparently a lot more in this area than I knew...
14:57:37 <Sparks> d-caf: Yep, there are quite a few of us.
14:57:49 <Sparks> There's also the Red Hat space over in Tyson's
14:57:56 <d-caf> Sparks: I had assumed you were down in NC
14:58:02 <Sparks> d-caf: I used to be
14:58:12 <Sparks> d-caf: My heart still is.
14:58:14 <d-caf> Yeah, been by the Tyson's office
14:58:27 <d-caf> I used to live down there, still a TriLUG member
14:58:39 <zoglesby> My office is on 14th and New York, near lots of metro stops
14:59:15 <Sparks> d-caf: I do miss TriLUG
14:59:43 <Sparks> #action Sparks to create a FST 2016 FAD page and start collecting info
15:00:02 <Sparks> Okay, any last minute thoughts before we run out of time
15:00:03 <Sparks> ?
15:00:09 <Sparks> s/minute/second
15:00:51 <Sparks> Okay, hearing none, we'll adjourn to #fedora-security-team and continue ranting there.
15:00:51 <linuxmodder> Sparks, the MLK one?
15:00:54 <Sparks> Thanks everyone!
15:00:56 <Sparks> linuxmodder: yes
15:01:04 <Sparks> linuxmodder: The one with the 3D printer!  :)
15:01:06 <linuxmodder> if so I CAN easily  help with that
15:01:09 <Sparks> #endmeeting