14:00:01 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:02 Meeting started Thu May 12 14:00:01 2016 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:02 Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:02 The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:05 #meetingname Fedora Security Team
14:00:05 The meeting name has been set to 'fedora_security_team'
14:00:07 #topic Roll Call
14:00:08 * Sparks
14:01:46 .fasinfo astra
14:01:47 Astradeus: User: astra, Name: David Kaufmann, email: astra@ionic.at, Creation: 2013-11-27, IRC Nick: Astradeus, Timezone: Europe/Vienna, Locale: en, GPG key ID: 5CBED71B23D2450E, Status: active
14:01:50 Astradeus: Approved Groups: fedorabugs security-team cla_fpca cla_done
14:04:17 .fasinfo linuxmodder
14:04:52 .fas linuxmodder
14:05:18 * zoglesby is here
14:05:24 linuxmodder: User: linuxmodder, Name: Corey W Sheldon, email: sheldon.corey@openmailbox.org, Creation: 2016-04-24, IRC Nick: linuxmodder, Timezone: US/Eastern, Locale: en, GPG key ID: 8C5079D6C62BC78F 8B4E89435A88E539 59276298D2264944, Status: active
14:05:28 linuxmodder: Approved Groups: freemedia docs fedora-join security-team magazine commops marketing ambassadors fedorabugs qa fi-apprentice cla_done cla_fpca
14:05:31 linuxmodder: linuxmodder 'Corey W Sheldon'
14:06:14 * Sparks updates the agenda for today
14:06:20 damn zodbot is laggy today :(
14:07:35 * Sparks waves at zodbot
14:07:38 * Sparks waves at zoglesby
14:07:54 zoglesby: Welcome, nice that you could join us today. :)
14:08:17 I was in jury duty last week. Judge tends to not like people on phone
14:08:37 damn judge :)
14:08:47 zoglesby: That's why you bring a laptop
14:10:25 or tell the judge I can't do things for this 1 hr block cool?
14:10:26 :)
14:10:44 Okay, let's get started
14:10:53 #chair zoglesby linuxmodder Astradeus
14:10:53 Current chairs: Astradeus Sparks linuxmodder zoglesby
14:11:01 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
14:11:06 #topic Follow up on last week's tasks
14:11:16 #action pjp to give a status update on security policy in the wiki (carried over)
14:11:26 #action Sparks to figure out how FST members can get access to Fedora security bugs (carried over)
14:11:36 #action zoglesby to update the reading list for the Apprenticeship (carried over)
14:11:43 I did that!
14:11:46 Woot
14:11:51 https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Training
14:11:51 #undo
14:11:51 Removing item from minutes:
14:12:15 #info zoglesby completed his update to the reading list for the Apprenticeship
14:12:26 still need to do the securityguide rewrite myself :(
14:12:30 #action Sparks to garden the Koji wiki pages to standardize the pages and add a category or two. (carried over)
14:12:41 #action d-caf to continue working on private builds in koji, bodhi, and distgit. (carried over)
14:12:53 #action Sparks to follow up on the shipping of non-Linux binaries of the USB ISO tool.
14:12:57 #info In Progress
14:13:11 #action Sparks to get stats on the number of vulns that were embargoed that affected Fedora/EPEL. (carried over)
14:13:19 Okay, I think that's all from last week.
14:13:38 #topic Apprenticeship
14:13:43 zoglesby: You have the floor
14:14:14 Um, please check the link I posted above, and make sure I did not miss anything.
14:14:39 That is all that I have on that topic for today
14:14:54 #link https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Training
14:15:00 Well, that was anticlimactic.
14:15:28 I try
14:15:43 heh
14:15:55 #topic Windows/OS X Tools in F25
14:16:03 #link https://fedorahosted.org/fedora-security-team/ticket/1
14:16:11 mattdm: You around?
14:17:29 I've not had a chance to dive into this topic as much as I wanted to...
14:18:25 Basically, there is a desire to ship a Windows and an OS X binary. The question is what security rules need to apply to such a binary.
14:19:02 I think at a minimum the binaries should be built in a trusted environment (e.g. Koji) and be signed.
14:19:05 Anyone else?
14:20:31 windows will need 2 signing keys one from M$ and ours
14:21:01 or we will need users to use 'test mode'
14:22:08 Right, and I don't think that's a good thing to do
14:23:22 same
14:23:56 how was the current liveUSBcreator legal then don't remember it needing 'testmode'
14:24:08 Is it compiled for Windows?
14:25:26 * Sparks dodm
14:25:28 grrr
14:25:32 * Sparks didn't think it was
14:26:24 Okay, let's move on. I encourage everyone interested in this to follow the ticket.
14:26:39 #topic Outstanding BZ Tickets
14:26:48 #info No new numbers for this week.
14:27:02 Does anyone have anything regarding tickets to discuss this week?
14:29:04 no
14:29:50 #topic Open floor discussion/questions/comments
14:29:59 Okay, anyone have anything they want to discuss?
14:30:03 yes
14:30:25 please don't spend much time on the security guide << linuxmodder
14:30:49 heh
14:30:56 zoglesby: And your reasoning is???
14:30:59 The whole book needs to be redone, we are going to move docs to asciidoc, and moving to a topical based format as well
14:31:30 mostly doing stuff for 24 release stuff I remember all that
14:32:34 I think there's a tool to take DocBookXML and turn it into asciidoc.
14:33:37 Sparks: yes, but we are not going to be doing things in the big read from front to back style any more.
14:33:43 zoglesby, re: training wiki attach or sign with ?
14:34:05 zoglesby: Got some information you can point us to?
14:34:18 linuxmodder: don't know what you are asking
14:34:27 Sparks: should be on the community blog today
14:34:37 okay
14:34:43 zoglesby, in intro here: https://fedoraproject.org/wiki/Security_Team_Apprenticeship#Training
14:34:46 Sparks: sorry missed ping earlier (In another meeting)
14:34:54 attach gpg to email or sign email with said gpg key
14:35:16 I ask as I sign all but rarely attach a copy
14:35:57 mattdm: Just talking about the binaries for Windows and OS X
14:36:09 We are only talking about the Training section, that other stuff was old, but the point was telling people what your GPG key is. I don't care how you go about it
14:36:19 and what was needed for legalities
14:37:06 Sparks: yeah. Have you heard a plan from the team working on that? They'd like to do something more lightweight than getting full support set up in koji
14:37:33 I'd say we change that to say: upload gpg to FAS profile / gpg keyserver(s) of choice, keys.fedoraproject.org preferred, and sign emails within team
14:37:37 mattdm: I've not heard anything. Perhaps someone could update https://fedorahosted.org/fedora-security-team/ticket/1?
14:37:59 Sparks: I'll check in with them
14:38:27 mattdm: I'd prefer to have a specific question asked.
14:38:59 Sparks: yep that's fair. I don't think we're expecting *you* to devise a plan
14:39:06 Right
14:39:37 FWIW, I added some information regarding signing.
14:40:54 Okay, anything else?
14:41:39 nothing meeting specific
14:43:48 Okay, I guess we can adjourn here and move back to #fedora-security-team for some light refreshments.
14:43:55 Thanks, all, for coming out and joining us today!
14:43:58 #endmeeting