14:00:11 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:11 <zodbot> Meeting started Thu Feb 25 14:00:11 2016 UTC.  The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:11 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:11 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:14 <Sparks> #meetingname Fedora Security Team
14:00:14 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:17 <Sparks> #topic Roll Call
14:00:18 * Sparks 
14:01:33 <Astradeus> .hello astra
14:01:34 <zodbot> Astradeus: astra 'David Kaufmann' <astra@ionic.at>
14:04:20 <Sparks> Astradeus: Do you have anything in particular to discuss?
14:04:52 <Astradeus> yes, few things
14:04:57 <d-caf> hello
14:05:02 <Astradeus> ohai :)
14:05:18 <d-caf> sorry running a little late
14:05:21 <Astradeus> Sparks: in the last few meetings were a few points which you only had info
14:05:47 <Astradeus> currently there is one issue on the mailing list (urgent packages push mechanism)
14:06:49 <Sparks> Okay, let's get started.
14:07:01 <Sparks> Astradeus: What is your topic?
14:08:19 <Sparks> #info Sparks is on leave this month and hasn't been following any activities.
14:08:48 <Astradeus> i'd be interested in that fast-push-thing proposed on the mailinglist
14:09:20 <Astradeus> esp. in opinions about that
14:09:43 <Astradeus> and also the FAD, as it was planned to be in the beginning of march if i remember correctly
14:10:32 <Sparks> #topic Security FAD
14:10:57 <Sparks> #info We have space in DC for the Security FAD on March 4th.
14:11:12 <Sparks> I hope this isn't too short notice for the people that wanted to come.
14:11:33 <Sparks> zoglesby: Welcome!
14:11:37 <zoglesby> hi
14:11:49 <Sparks> Comments?
14:11:59 <d-caf> yikes Friday next week...
14:12:04 <d-caf> Is it an all day thing?
14:12:11 <d-caf> times?
14:12:12 <zoglesby> we have space, coffee, tea, soda
14:12:30 <zoglesby> i just need to know who is coming
14:12:49 <Sparks> d-caf: I think the following Friday was also good with everyone.
14:12:52 <Astradeus> i'd love to come, but for me only remotely is possible (europe..)
14:12:57 <Astradeus> but i'd have time
14:13:13 <zoglesby> we have a webcam in the room as well fyi
14:13:53 <zoglesby> Sparks: do you want to setup a bluejeans meeting for remote folks?
14:14:53 <Sparks> zoglesby: Yeah, we can do that.
14:15:35 <Sparks> zoglesby: Can you pass this information to the list today?
14:15:43 <Sparks> ...regarding the FAD
14:15:47 <zoglesby> sure can
14:16:09 <zoglesby> d-caf: we have space from 9-5
14:16:22 <d-caf> March 4th, is bad for me at this point unfortunately
14:16:22 <Astradeus> which timezone would that be?
14:16:32 <d-caf> I would maybe be able to do the afternoon
14:16:33 <zoglesby> EST
14:16:42 <Sparks> UTC-5:00
14:16:50 <d-caf> the 11th is better for me, but that depends on the group I guess
14:17:01 <Sparks> zoglesby: Would your space be available on the 11th?
14:17:34 <zoglesby> we should be able to come up with something
14:18:43 <Astradeus> would be okay for me too
14:19:58 <Sparks> d-caf: Is that good for you?
14:21:03 <d-caf> Yes, I should be able to get more time on that day, I still have to get MGMT approval
14:21:24 <d-caf> I know I have an all-morning meeting on the 4th I can't get out of though
14:21:30 <d-caf> but no meetings on the 11th
14:24:35 <Sparks> #agreed Move the FAD to March 11th.
14:24:44 <Sparks> Okay, anything else on this topic?
14:25:15 <zoglesby> i will confirm the move with work and send out an email with the info
14:25:32 <Sparks> zoglesby: Thank you!
14:25:47 <Astradeus> \o/
14:25:59 <Sparks> #topic Security package pushes
14:26:06 <Sparks> Astradeus: Okay, the floor is yours
14:26:33 <d-caf> zoglesby: thank you!
14:27:08 <Astradeus> everyone familiar with the emails?
14:27:34 <Sparks> Astradeus: I'm not.
14:27:35 <d-caf> Astradeus: yes, read the ticket
14:27:46 <Sparks> Astradeus: Perhaps you can provide us with an executive summary?
14:28:12 <d-caf> link: https://fedorahosted.org/rel-eng/ticket/5886
14:28:29 <Astradeus> Sparks: a year ago discussion was started to fast-push critical+urgent packages
14:28:29 <d-caf> #link https://fedorahosted.org/rel-eng/ticket/5886
14:28:38 <d-caf> always forget the method
14:29:19 <Astradeus> and for the glibc-update the push to stable to be delivered to main repos also took almost a day, as it lingered in testing
14:29:27 <Astradeus> so the discussion came up again
14:30:36 <Sparks> The rel-eng ticket seems to think we'd use this only a few times a year where I prefer the Debian model of 'if it's security put it there and the regular repos'.
14:31:36 <d-caf> I think this is going to be more than a few times a year even if it's just important/critical updates
14:31:50 <d-caf> we are seeing more and more crits coming out per year than we used to
14:32:00 <Sparks> true
14:32:22 <Astradeus> i think the idea seems to be to drastically shorten testing time for critical updates, when an updated package is already available
14:32:58 <Sparks> Astradeus: Hopefully the security fix will be well tested beforehand by upstream and RH.
14:34:41 <Astradeus> exactly. i'd think that releng wants security-team to push or sign off those updates to be delivered without testing
14:35:52 <Astradeus> i'd also prefer the solution that the security-team only signs off those updates, as almost always the maintainers just are way more informed about special cases of the respective tool
14:36:58 <d-caf> Wasn't this also to address the issue of maintainers of packages with critical patches who were unresponsive?
14:36:59 <Sparks> Astradeus: I'll follow up with pfrields on the issue.
14:37:31 <d-caf> That was so an FST member could push through an update when the maintainer is missing in action
14:37:54 <Sparks> d-caf: Well, a proven-packager
14:40:00 <Sparks> #action Sparks to follow up with pfrields on pushing security updates
14:40:08 <Sparks> Anything else?
14:41:10 <Sparks> #topic Open Floor
14:41:17 <Sparks> Anyone have anything they'd like to discuss?
14:41:44 <Astradeus> question about fedora-infrastructure:
14:42:31 <Astradeus> does being in the fedora-team-fas-group give more information (like discussion group only available internally or something like that)?
14:43:03 <pingou> there are very few forums/lists that are private
14:43:15 <Astradeus> or is the channel(s) + mailing list(s) the "regular" channels?
14:43:29 <pingou> and those that are is because they handle things like subsidies or maintain some packages and thus may receive security-sensitive bugs
14:44:02 <pingou> so most things are in the open and being in FAS group will grant you more access, but not to info in the sense of lists/forums
14:44:31 <Astradeus> okay, wasn't sure if i missed out on some topics or if just nothing happened in the meantime
14:44:34 <Astradeus> thanks :)
14:44:55 <pingou> I am aware of 1 irc channel with access restricted
14:45:04 <zoglesby> Well if we are going to start trying to deal with embargoed security issues we need a private list
14:45:14 <pingou> and it's the fedora-ops (iirc) where irc operators can coordinate their effort against trolls
14:45:42 <pingou> zoglesby: these and the ones handling budgets are the only lists I know that are private/restricted
14:45:44 <Astradeus> pingou: sounds useful
14:46:01 <Astradeus> zoglesby: definitely. but nothing happened there so far it seems
14:46:02 <pingou> Astradeus: sometime :)
14:46:07 <d-caf> zoglesby: we had some earlier talks about the security email list
14:46:17 <Sparks> I'd like to use the PGP remailer thingy, too.
14:46:20 <d-caf> to deal with embargo'd tiems
14:46:22 <d-caf> items
14:47:12 <Astradeus> Sparks: that discussion also seems to have been silent for some time, but I'd also see pgp-group-encryption for security@ a really important topic
14:47:54 <d-caf> one item related to that is figuring out the "trust" structure of who is on that list and handles those issues
14:48:22 <Sparks> d-caf: Just me.  No one else.  :)
14:48:26 <zoglesby> lol
14:48:33 <Sparks> d-caf: I'll just send encrypted email to myself.
14:48:38 <zoglesby> This is all part of the FAD conversation correct?
14:48:42 <Sparks> No trust issues there!
14:49:02 <Astradeus> d-caf: yes, definitely needs to be done also. currently i'm also on security@lists.. without anyone of you really knowing me ;)
14:49:08 <Sparks> zoglesby: It should be discussed at FAD.
14:49:21 <Astradeus> Sparks: sounds good :)
14:50:11 <d-caf> Ideally we would like more than just one person getting the security embargo alerts, in case they are on month-long vacations ;-)
14:50:37 <Sparks> d-caf: Who would do such a thing?
14:50:56 <d-caf> Sparks: only a lucky few...
14:52:03 <nb> .fasinfo sparks
14:52:04 <zodbot> nb: User: sparks, Name: Eric Christensen, email: sparks@redhat.com, Creation: 2007-07-17, IRC Nick: Sparks, Timezone: US/Eastern, Locale: en, GPG key ID: 024BB3D1, Status: active
14:52:07 <zodbot> nb: Approved Groups: @gitfedora-security-team gitcsi cla_fedora cla_done sysadmin-keys @gitdocsglue cvsfedora @docs +gitfedora-wiki @gitfedora-cms fedorabugs packager @docs-publishers @gitweatheralert @docs-writers @gitamateur-radio-menus cla_fpca @gitkeysigning-party-manual @gitsecure-coding @gitcreate-tx-configuration sysadmin-hosted elections sysadmin sysadmin-docs gitpublican-fedora @security-team
14:52:36 <nb> Sparks, how would you feel about provenpackager?
14:52:46 <Sparks> nb: I wouldn't.  I don't know what I'm doing.
14:52:47 * nb thinks it might be helpful if you could push security fixes to stuff
14:52:49 <nb> oh ok
14:52:58 * nb had confidence in you :)
14:53:04 <Sparks> nb: Plus we have more qualified people like jsmith
14:53:13 <nb> Sparks, when are our meetings?
14:53:17 * nb would like to get more involved
14:53:42 <Sparks> nb: Which meetings?
14:54:31 <nb> security team
14:54:32 <d-caf> nb: currently having a meeting right now
14:54:39 <Astradeus> nb: always Thursday, 14:00 UTC
14:54:48 <nb> oh shit
14:54:54 * nb thought he was in #fedora-security-team
14:54:59 <nb> sorry
14:55:03 * nb feels like idiot :)
14:55:04 <d-caf> nb: no problem
14:55:31 <stickster> Sparks: hey, not sure if I'm dialing back but I saw your ping earlier
14:55:33 <d-caf> nb: you have now attended part of your first security team meeting ;-)
14:55:36 <Sparks> Okay, anything else before we close for the day?
14:55:44 <stickster> Sparks: have you seen the log/comment I posted in rel-eng ticket 5886?
14:55:48 <nb> there is a security-private list i think
14:56:02 <Sparks> stickster: Yes and I'm going to provide some feedback soon.
14:56:22 <stickster> Sparks: Cool. I think we were thinking along the same lines, but happy to get you, mattdm, me together to discuss.
14:56:34 <nb> yes there is
14:56:40 <nb> not sure what it is currently used for
14:56:48 <stickster> Sparks: feel free to shoot me an invitation or grab for IRC
14:56:57 <Sparks> stickster: Will do.
14:58:39 <Sparks> Okay, anything else?
14:59:54 <Sparks> Thanks, everyone, for coming out to play today!  Catch you all next time.
15:00:00 <Sparks> #endmeeting