14:09:54 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:09:54 Meeting started Thu Jan 7 14:09:54 2016 UTC. The chair is d-caf. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:09:54 Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:09:54 The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:10:24 #meetingname Fedora Security Team
14:10:24 The meeting name has been set to 'fedora_security_team'
14:10:35 #topic Roll Call
14:11:00 * d-caf who of course chose the misnamed meeting start line to use...
14:11:41 heh
14:13:54 Anyone else? mhayden ?
14:14:40 yo!
14:14:47 :-)
14:15:06 Buehler? Buehler?
14:15:43 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:15:52 #topic Follow up on last week's tasks
14:16:21 So tasks from several weeks ago...
14:16:35 I did a little update to the security training/apprentice wiki pages
14:16:43 but nothing major
14:17:48 Not sure Sparks got all his PS Certification information up to the wiki yet either
14:18:08 Anyone else have tasks?
14:18:38 i haven't had a chance to dig into that page quite yet :/
14:18:39 #link https://fedoraproject.org/wiki/Information_Security_Training
14:19:39 not me, I have been horribly out of touch as of late..
14:19:50 #link http://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:20:20 there's still talk of an in-person meetup, right?
14:20:21 Yeah, been busy last few weeks with end of year stuff as well.
14:20:57 #topic Security Team Fedora Activity Day
14:21:13 Yeah, that was next thing i was going to mention
14:21:32 #link http://whenisgood.net/8fshcdf/results/9czp49s
14:21:58 looks like we are narrowed down to March 4th or 11th now
14:22:22 based on those that have filled out "When is Good"
14:23:17 I try and ping Sparks via email to see if we can't choose a day this week, so if you haven't added availability to that, please do so soon
14:24:21 #action d-caf to email sparks about picking a date for the Security team in person in the DC Metro area
14:25:13 Sparks was also looking into video conference options, but no idea where that is
14:26:11 #topic Security Bugs Status
14:26:31 Sorry, I don't have the scripts for the bug status reports
14:26:35 * mhayden is running it now
14:26:47 Anyone have any questions/concerns?
14:27:17 oh - uhm - meeting? anyone already sent out the weekly report?
14:27:28 There are still 14 unowned Important security bugs in the queue
14:27:36 http://paste.fedoraproject.org/308192/45217684/ <-- this week's report
14:28:10 #link http://paste.fedoraproject.org/308192/45217684/
14:28:51 Interesting that says 18 unowned, but going to the site shows only 14
14:29:05 #link https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=priority&f2=bug_severity&j_top=OR&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=4282241&o1=substring&o2=substring&query_format=advanced&status_whiteboard=fst_owner%3D&status_whiteboard_type=notregexp&v1=high&v2=high
14:29:49 hmm, the webpage search assumed they have a status of new or assigned
14:33:13 Well other than needing to push on some bug fixes, and that Tomcat is finally seeing an update on EPEL, I don't have much to report.
14:33:17 Anyone else?
14:33:40 * d-caf mhayden thanks for running the report :-)
14:33:56 my script somehow sees one urgent and one unspecified prio bug, which i can't verify via the web interface.. need to debug..
14:34:02 no problemo
14:34:20 Astradeus: i think i put in a fix for that a while back -- excluding some RHEL/CentOS stuff
14:34:48 Astradeus: may also be related to checking priority field vs severity field
14:35:18 Though, I think it more likely what mhayden said, looking at the report...
14:35:55 looks like it. will check until next week
14:36:50 anything else bug related?
14:37:58 * mhayden yields
14:40:54 #topic Open floor discussion/questions/comments
14:41:47 I don't really have anything else, other than the general need to pick up on bug work
14:42:32 i'd still like to get automation and/or auto-nagging set up for security bugs that exist in bugzilla
14:45:36 Wasn't there someone else who had some scripts or work related to that?
14:45:42 as well
14:47:22 i'm not quite sure
14:47:28 but i'd be willing to build something
14:48:31 I'm all in favor of auto-nagging :-), but question, do we have to manually start the auto-nagging?
14:49:33 What I mean is that some tickets get labeled security and fix it, but if you do the review it might actually not be an issue or it's not a security issue
14:49:58 Would we want the auto-nagging starting before that review is complete?
14:50:00 i feel like that's the pkg maintainer's job, to be honest
14:51:00 I don't know, I've had package maintainers tell me it's not a security issue, and then when I go through the process of outlining how I would take advantage of the bug they changed their mind...
14:51:43 hmm, that may be something we can talk about in person perhaps
14:52:10 True, and doesn't change the needing of the script, just how that script starts its work
14:54:09 mhayden: do you want to take an action to looking into coding up some form of auto-nag nanny?
14:54:20 can do
14:54:54 #action mhayden to look into coding up some form of auto-nagging system for security tickets in bugzilla
14:56:07 Almsot out of time, anything else?
14:56:18 nothin for me
14:56:35 I'd blame my typing on my new keyboard tray, but it happens all the time...
14:58:52 ok, that's it then, see you next week and on the list...
14:59:00 #endmeeting