14:00:53 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:53 <zodbot> Meeting started Thu Mar 10 14:00:53 2016 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:53 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:53 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:56 <Sparks> #meetingname Fedora Security Team
14:00:56 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:57 <Sparks> #topic Roll Call
14:00:58 * Sparks
14:01:04 * d-caf
14:02:31 * d-caf could have sworn had just seen linuxmodder in this window...
14:02:35 * jsmith is here
14:02:55 <linuxmodder> .hello corey84
14:02:56 <zodbot> linuxmodder: corey84 'Corey Sheldon' <sheldon.corey@gmail.com>
14:03:02 <linuxmodder> I was lol d-caf
14:03:51 <linuxmodder> will brb drink refill
14:05:58 * linuxmodder back
14:06:06 <mhayden> .hello mhayden
14:06:07 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
14:08:03 * Sparks was hoping zoglesby would be here today
14:08:09 <Sparks> Okay, lets get startee
14:08:10 <Sparks> Okay, lets get started
14:08:19 * mhayden is generating this week's report
14:08:56 <Sparks> #topic Fedora Security Team FAD
14:09:05 <Sparks> #link https://fedoraproject.org/wiki/Security_Team_FAD_2016
14:09:31 <d-caf> Tomorrow
14:09:44 <Sparks> #info It appears that we have five people coming to the FAD, physically, and a few more remotely.
14:09:52 <mhayden> #link http://paste.fedoraproject.org/336715/45761897/raw/
14:10:24 <Sparks> d-caf: Yes, tomorrow! :)
14:10:37 <linuxmodder> I'll be there maybe a bit delayed (9-930)
14:10:39 * Sparks needs to figure out which trains to take to get to where I'm headed.
14:11:10 <d-caf> Yes, I'll be metroing in as well
14:11:47 * Astradeus remotely (sorry for being late)
14:12:27 <Sparks> I'll send out an email with contact information for myself and Zach as well as instructions for the keysigning event.
14:12:38 <linuxmodder> so at least 3/5 will be metroing
14:14:32 <Sparks> I still haven't received word back on funding so we may just be going Dutch
14:15:32 <jsmith> Worse comes to worse, I can probably cover lunch
14:15:33 <Sparks> I also have heard back from zoglesby regarding the video conferencing setup at his office so standby for changes.
14:15:48 <jsmith> Want me to bring a couple of extra webcams?
14:16:13 <Sparks> Umm... Well, there apparently is some sort of setup but we're not sure exactly what it supports.
14:16:38 <linuxmodder> I have a spare its only 720 p tho
14:16:48 <Sparks> I'll try to track down zoglesby today and get that figured out. We can update the wiki as needed.
14:17:26 <Sparks> #info We'll be monitoring #fedora-security-team in Freenode IRC for backup communications and notes.
14:17:42 <Sparks> We can run zodbot in there to collect our notes
14:18:04 <Sparks> But that will be our backup path if the video conference changes.
14:19:45 <jsmith> OK.
14:19:54 <Sparks> Any additional questions?
14:21:14 <d-caf> Just looking forward to seeing everyone
14:21:29 <d-caf> Unfortunately I'm going to have to miss the rest of this irc meeting, need to head out.
14:21:39 <d-caf> See everyone tomorrow!
14:22:26 <linuxmodder> Sparks, any special access concerns for the bldg itself
14:23:15 <Sparks> linuxmodder: Not that I'm aware of.
14:23:40 <linuxmodder> okay
14:23:58 <Sparks> zoglesby says to go to the front desk and say that you are here to see him (Zach Oglesby)
14:24:01 <linuxmodder> some of my dc tech stuff has them so I ask
14:24:20 <linuxmodder> noted
14:25:11 <Sparks> Okay, moving along...
14:25:17 <Sparks> #topic Missing CVE bugs
14:26:38 <Sparks> Yesterday a maintainer received a new version of a program that fixed two CVEs. Upon checking BZ there were no CVE tracker bugs for this CVE and MITRE didn't show anything either.
14:28:02 <Sparks> Turns out, the CVEs were still embargoed and thus weren't showing up publicly.
14:29:02 <linuxmodder> Sparks, when do those go un-embargoed?
14:29:06 <Sparks> Since upstream broke the embargo we opened up the bugs as well. The update in Bodhi was properly attached to the new bug tickets and all is well.
14:29:15 <linuxmodder> I remember seeing that exchange briefly yesterday
14:29:43 <Sparks> linuxmodder: Embargoes should have expiration dates and times.
14:30:01 <Sparks> linuxmodder: Generally, this is worked out with upstream so everyone is on the same page.
14:30:28 <Sparks> Why upstream released early I'm not sure.
14:31:33 <linuxmodder> I'm familiar with the process was just curious how /why the date was ignored (if known)
14:31:59 <Sparks> The takeaway to all this is we need to make sure that patched CVEs get attached to BZ bugs so we can account for all of the fixes.
14:33:15 <zoglesby> Sparks: how many people can see the list of embargoed tickets? (on fedora-security-team)
14:33:20 <zoglesby> is it just you?
14:34:04 <Sparks> If a CVE ticket does not exist then send a message to secalert@redhat.com so RH Product Security can sort it all out.
14:34:50 <Sparks> zoglesby: It is likely just me since I'm on Product Security. Embargoed CVEs that affect Fedora don't even have Fedora tickets until they are unembargoed so there isn't anything to see.
14:35:42 <zoglesby> okay, hope this is a topic for tomorrow...
14:35:48 <Sparks> If you are so inclined, messages to secalert@redhat.com can be encrypted using 9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882
14:36:07 <Sparks> zoglesby: It can/will be but there really isn't much of a good answer, unfortunately.
14:36:37 <Sparks> Perhaps Fabio can join us tomorrow, remotely, for that part of the discussion
14:36:59 <Sparks> Any other questions?
14:38:00 <zoglesby> No
14:38:31 <Sparks> #topic Outstanding BZ Tickets
14:38:37 <linuxmodder> imported that key for future
14:39:23 <Sparks> #info Thursday's numbers: Critical 0, Important 69, Moderate 468, Low 178
14:39:30 <Sparks> +Tickets by Severity-+-------+---------+
14:39:30 <Sparks> | Severity | Tickets | Owned | Unowned |
14:39:30 <Sparks> +----------+---------+-------+---------+
14:39:30 <Sparks> | medium   |     468 |    40 |     428 |
14:39:31 <Sparks> | low      |     178 |    13 |     165 |
14:39:32 <Sparks> | high     |      69 |    20 |      49 |
14:39:34 <Sparks> +----------+---------+-------+---------+
14:39:43 <Sparks> Anyone have anything to talk about ticket-wise?
14:39:50 * jsmith doesn't
14:39:54 * mhayden hasn't had much time to follow up on security issues lately :/
14:41:19 <Sparks> #topic Open floor discussion/questions/comments
14:41:20 <linuxmodder> not been active in the ticket list of late hoping to look today
14:41:25 <Sparks> Okay, anyone have anything?
14:42:34 <linuxmodder> there was a hope in docs | blog to have a revise of security docs for 23 ( seems some are back to 21)
14:42:59 <linuxmodder> can find the list link if needed but also was in server list
14:43:00 <Astradeus> anything to review before tomorrow?
14:43:58 <Sparks> linuxmodder: We can talk about that tomorrow if you wish
14:44:11 <linuxmodder> noted
14:45:51 <Sparks> Anything else?
14:47:44 <linuxmodder> nothing comes to mind but reserving right to add on ml if comes to mind :)
14:47:58 <Sparks> Okay, everyone have a good day and I'll be seeing you all tomorrow!
14:48:07 <Sparks> right to add on ml?
14:48:16 <Sparks> Oh
14:48:24 <Sparks> I'm with you now. :)
14:48:29 <zoglesby> slow today?
14:48:33 <Sparks> everyday
14:48:39 <Sparks> every day
14:48:56 <Sparks> #endmeeting