14:16:10 #startmeeting Fedora Security Team
14:16:11 Meeting started Thu Apr 21 14:16:10 2016 UTC. The chair is mhayden. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:16:11 Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:16:11 The meeting name has been set to 'fedora_security_team'
14:16:20 #meetingname Fedora Security Team
14:16:20 The meeting name has been set to 'fedora_security_team'
14:16:52 #info Use the RHEL 7 security guide as initial reading for now
14:17:27 #action Rewrite the Fedora Security Guide to be more of what we're looking for
14:18:04 What items from the information security training page are valuable?
14:18:22 #link https://fedoraproject.org/wiki/Information_Security_Training
14:19:08 #info Fedora Defensive Coding docs could be useful, but may need some updating
14:19:12 #link https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html
14:19:40 Some of the publican issues may preclude the docs work
14:19:58 The content for the secure coding docs exists inside fedorahosted, not inside Red Hat
14:20:53 We may need to review our mission statement to figure out which docs should be needed
14:22:02 Need to understand CWE and CDE data (I think I spelled those acronyms correctly) :)
14:22:22 Some of the information is internal to RHT, but could be publicized possibly
14:22:28 s/CDE/CVE/ ^^
14:22:55 #action Sparks to make it so on this CWE/CVE business
14:24:45 RHT has some internal guidelines around introducing new folks to the product security team roles/responsibilities
14:24:58 #link https://access.redhat.com/security/updates/classification
14:24:59 Some of these could be helpful
14:25:32 CVE FAQ from MITRE could be helpful
14:25:47 A writeup exists on handling embargoes
14:25:57 #link https://cve.mitre.org/about/faqs.html
14:26:13 Secure source code is important (hashing, signing code, etc)
14:26:14 #link http://www.candlepinproject.org/presentations/pki-crash-course
14:26:21 Sparks has something super hot we must look at ^^
14:27:32 RHT has checklists internally so that people get familiar with all of the aspects of working with security issues
14:27:39 May be able to be Fedora-tized
14:28:15 #chair mhayden Sparks
14:28:15 Current chairs: Sparks mhayden
14:28:34 #info Understanding packaging is important
14:29:03 #link https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
14:32:55 Astradeus suggested the Applied Crypto Hardening PDF
14:32:58 #link https://bettercrypto.org/static/applied-crypto-hardening.pdf
14:34:49 is it useful to provide some example case how we do stuff?
14:34:50 #info this should be opinionated and about how "we" do things as opposed to just security work in general
14:35:18 Astradeus: good question -- we could cover that topic next
14:40:16 #info Everything sparks touches turns to gold :)
14:40:55 just a basic "search bug -> bug maintainer -> provide / check fix -> bug maintainer again -> close bug" or something alike maybe would be useful?
14:41:19 .whoowns openssl
14:41:19 Sparks: tmraz
14:42:12 #info Would be nice to find an example of a security packaging fix done by a non RHT person
14:43:14 #agree Heartbleed was a very sad time all around
14:44:12 oops, i should have used agreed, i guess
14:44:20 #agreed Heartbleed was a very sad time all around
14:44:52 .whoowns xen
14:44:52 Sparks: myoung
14:44:59 .fasinfo myoung
14:45:00 Sparks: User: myoung, Name: None, email: m.a.young@durham.ac.uk, Creation: 2009-02-12, IRC Nick: None, Timezone: None, Locale: None, GPG key ID: None, Status: active
14:45:03 Sparks: Approved Groups: cla_fedora cla_done packager fedorabugs cla_fpca
14:46:14 #info Xen security bugs could be an example -- XSA-108 was a good one
14:48:00 #link https://access.redhat.com/sites/default/files/riskreportgraphics_branded_unbrandeedissues_final_v2.png
14:48:08 Sparks: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7188
14:48:36 Hello Security Team :) I'm new here.
14:48:46 howdy skamath!
14:48:52 we're wrapping up
14:49:17 Ah, I must have come early
14:49:19 #action Apprentice wiki page will be updated soon
14:49:26 hi skamath, most of the meeting goes on google-hangouts, so you're currently only getting parts of conversation
14:49:37 skamath: we're having a special meeting today
14:49:43 to discuss our apprentice program
14:49:51 99.9% of our meetings are here in this channel on irc
14:50:06 99.999999%
14:50:09 Thank you for the welcome :) Sounds good!
14:50:28 skamath, https://plus.google.com/hangouts/_/mhtx.net/fst-hangout
14:50:38 Err, is there a 'procedure' to join the Security Team?
14:50:50 skamath: there will be :)
14:50:58 #action Sparks will ask if he can share some of his internal security apprentice information
14:51:06 skamath, that is the bulk of the content for today
14:51:06 skamath: *that* is the topic of today's meeting
14:51:28 skamath: We usually hangout in #fedora-security-team
14:51:37 ...when we're not meeting
14:51:52 #fedora-security is different?
14:52:21 Oh and sorry for interrupting. I'll catch you people later on #fedora-security-team
14:52:27 skamath: no need to be sorry!
14:52:39 skamath: #fedora-security is a general channel.
14:52:42 we're working on some stuff to make it more straightforward for new members to join
14:53:17 mhayden++ Sparks++ Astradeus++ Cookies for all :)
14:53:19 skamath: Karma for mhayden changed to 4 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:53:22 skamath: Karma for sparks changed to 1 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:53:25 skamath: Karma for astra changed to 2 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:53:31 * mhayden scarfs his cookie
14:53:32 thanks skamath
14:53:41 *nom* :)
14:53:45 any other notes to add here? we're about to wrap
14:53:49 Mmmm.... chocolate chip cookie
14:54:02 * mhayden toots the meeting horn
14:54:24 okay, i'll close it up before someone mentions heartbleed again
14:54:27 thanks, everyone!
14:54:29 #endmeeting