14:00:46 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:46 <zodbot> Meeting started Thu Jun 9 14:00:46 2016 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:46 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:46 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:49 <Sparks> #meetingname Fedora Security Team
14:00:49 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:51 <Sparks> #topic Roll Call
14:00:52 * Sparks
14:02:41 <linuxmodder> .fas linuxmodder
14:02:41 <zodbot> linuxmodder: linuxmodder 'Corey W Sheldon' <sheldon.corey@openmailbox.org>
14:02:52 <linuxmodder> laggy connect today fyi
14:03:30 * zoglesby is here
14:03:57 <mhayden> .hello mhayden
14:03:58 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
14:04:28 <jtaylor90> .fas jtaylor
14:04:29 <zodbot> jtaylor90: jraytay 'Jason Taylor' <jtaylor48@san.rr.com> - jtaylor '' <jtfas90@gmail.com> - jtaylor0175 'Jeffrey Scott Taylor' <jst293@yahoo.com>
14:04:45 <jtaylor90> lol there is more than one of me
14:06:48 <Sparks> jtaylor90: That's just scary
14:06:53 <Sparks> zoglesby: You here today?
14:06:57 <Sparks> jsmith: ^^^
14:07:04 <zoglesby> yes, I even said so
14:07:09 <Sparks> Yes, yes you did.
14:07:18 <Sparks> #chair linuxmodder mhayden jtaylor90 zoglesby
14:07:18 <zodbot> Current chairs: Sparks jtaylor90 linuxmodder mhayden zoglesby
14:07:24 <nb> I think I .hello nb
14:07:26 <nb> oops
14:07:29 <nb> .hello nb
14:07:30 <zodbot> nb: nb 'Nick Bebout' <nb@nb.zone>
14:07:36 <mhayden> howdy nb
14:07:41 * mhayden just sent out this week's stats
14:08:04 * linuxmodder looks in tb for email
14:09:19 <linuxmodder> that's a lot of unowned NEW
14:10:22 <Sparks> Okay, I want to skip over all the meeting stuff and go straight into the meat of the meeting.
14:10:28 <Sparks> #topic Apprenticeship
14:10:35 <Sparks> zoglesby: Where are we on this?
14:11:15 <zoglesby> We have a plan, it needs put into action, and I think we need to talk about how to do that.
14:11:30 <Sparks> Okay, let's talk
14:11:32 <zoglesby> It is my opinion that this has stalled because we did not have a clear next step
14:12:41 <Sparks> zoglesby: What do you propose?
14:13:12 <zoglesby> I don't have a good answer, or I would have just started to do it.
14:13:55 <zoglesby> maybe we need a ginnie pig
14:14:05 * Sparks eyes nb
14:14:13 <zoglesby> and by that I mean guinea pig
14:14:36 <jtaylor90> a guinea pig to test out the process?
14:14:41 <Sparks> yes
14:15:16 <nb> Sparks, hello
14:15:29 <nb> you were eying me?
14:15:38 <linuxmodder> missed that what we talking about atm?
14:15:52 <zoglesby> guinea pigs
14:16:07 <jtaylor90> I would be willing to be a guinea pig
14:16:07 <linuxmodder> GP for what exactly?
14:16:09 <zoglesby> they are cute, we want them. Not to eat
14:16:27 <zoglesby> For testing the Apprenticeship process out
14:16:33 <linuxmodder> c0mrad3, you around ?
14:16:37 <linuxmodder> skamath, same
14:16:47 <linuxmodder> I can be a GP then
14:17:46 <zoglesby> I am not saying no, but it would be best to have someone who was not a part of the setup of the process doing it.
14:17:58 <Astradeus> hi, sorry for being late
14:19:43 <Sparks> zoglesby: Okay, looks like we have a few takers here.
14:20:37 <zoglesby> sorry, trying to find the wiki page
14:21:18 <zoglesby> Okay, if you want to be a guinea pig, please start working on the items on https://fedoraproject.org/wiki/Security_Team_Apprenticeship
14:21:30 <zoglesby> At next week's meeting we will talk about it.
14:21:41 <zoglesby> Can I now get a list of people who are going to do so?
14:22:10 <jtaylor90> zoglesby: me
14:22:43 <linuxmodder> !
14:22:50 <linuxmodder> zoglesby, I'm in
14:24:46 <Astradeus> i can look at it again, but it's not really something i can solve as a task - i've already looked at most of the linked documents
14:24:53 <Astradeus> but i'll do that until next meeting
14:25:11 <Sparks> #action linuxmodder and jtaylor90 to test the Fedora Security Apprenticeship training and report back next week
14:25:18 <zoglesby> beat me to it
14:25:27 <Sparks> zoglesby: Sorry, I can undo it so you can do it.
14:25:32 <zoglesby> no
14:27:15 <Sparks> zoglesby: Okay, anything else on this topic?
14:27:29 <zoglesby> Nope, I think that is it.
14:27:42 <Sparks> Great, thanks.
14:27:46 <Sparks> zoglesby++
14:27:58 <Sparks> linuxmodder++
14:27:58 <zodbot> Sparks: Karma for linuxmodder changed to 15 (for the f23 release cycle): https://badges.fedoraproject.org/tags/cookie/any
14:28:00 <linuxmodder> any specific metrics or feedback Sparks zoglesby on the Apprentice track?
14:28:05 <Sparks> jtaylor90++
14:28:21 <Sparks> linuxmodder: Yes, does it make you feel prepared.
14:28:22 <Sparks> :)
14:28:28 <linuxmodder> beyond the obvious this has dead link or needs clarity
14:30:14 <Sparks> linuxmodder: Did you see my comment?
14:30:19 <linuxmodder> yes
14:30:29 <linuxmodder> about preparedness
14:31:22 <Sparks> Okay
14:31:25 <Sparks> Moving on
14:31:28 <Sparks> #topic Windows/OS X Tools in F25
14:31:40 <Sparks> #link https://fedorahosted.org/fedora-security-team/ticket/1
14:31:43 <Sparks> #link https://fedorahosted.org/fedora-security-team/ticket/1
14:31:48 <Sparks> I dropped the ball on this one...
14:31:59 <Sparks> I need some input from others on this.
14:34:23 <zoglesby> In the ticket?
14:35:18 <zoglesby> Not signing binaries for any platform is not acceptable in my book.
14:35:52 <zoglesby> If it costs a little money, Red Hat makes a lot of that. (and I am sure they have code signing keys already that could be used)
14:36:03 <Sparks> zoglesby: Right, and what about building them offsite (not in FP infrastructure)?
14:37:18 <zoglesby> I don't think doing it at someone's desk is a good idea, but I am sure we can find a way to deal with it.
14:37:35 <Sparks> mattdm: You around?
14:37:39 <zoglesby> The issue is that it can't be built on Linux for windows correct?
14:37:46 <Sparks> I'm not sure.
14:38:53 <zoglesby> 14:35:26 <dgilmore> koji supports windows natively and it may be possible for to use mingw to cross compile if they switch to c++
14:39:18 <Sparks> Well, that sounds like a rewrite of the software.
14:39:59 <zoglesby> https://github.com/lmacken/liveusb-creator
14:40:16 <zoglesby> python and pyqt
14:41:03 <linuxmodder> is the old FedoraUSBCreator not still a go for Windows?
14:41:04 <linuxmodder> what infra you thinking Sparks ?
14:41:06 <linuxmodder> for offsite build
14:41:09 <zoglesby> https://bugzilla.redhat.com/show_bug.cgi?id=1310542
14:41:18 <Sparks> So I guess the overarching question for us is what should we enforce. Everything should be signed and for things to be signed it needs to be built in-house. That sound good?
14:41:33 <linuxmodder> cross compile is possible but security wise an utter pita and mess
14:41:47 <zoglesby> Sparks: no
14:41:48 <linuxmodder> it's presently in py yes?
14:41:55 <Sparks> I don't think we have the resources for a code review.
14:42:13 <zoglesby> I am okay with using a 3rd party build infra for this item. I am not okay with using someone's desktop pc for it
14:42:13 <Sparks> linuxmodder: I'm trying to think more generally than this specific piece of software.
14:42:47 <Sparks> I'm not sure we can validate the binary if we don't build it ourselves.
14:42:54 <Sparks> s/can/should
14:43:16 <zoglesby> As long as infra can have people checking in on the build system (or us) I think it is okay to use something else for this. Doing it on a PC at someone's home/work means they are the gatekeeper.
14:43:48 <zoglesby> I would like to find out what the actual build process is.
14:44:10 <Sparks> zoglesby: Can you add these comments to the ticket?
14:44:39 <zoglesby> It's python and pyqt. I can't think you need to build on windows for that. My reading is that koji has no support for it.
14:45:07 <zoglesby> If that is the case I say they do it on a VM in fedora infra.
14:45:14 <zoglesby> Sparks: sure
14:46:41 <zoglesby> done
14:47:09 <Sparks> Okay, we're running a bit late... Let's just skip to the end.
14:47:10 <Sparks> #topic Open floor discussion/questions/comments
14:47:13 <Sparks> Anyone have anything?
14:48:13 <zoglesby> only that hour has gone by very slow
14:48:24 <Sparks> heh
14:49:25 <Sparks> Anyone else?
14:51:00 <Sparks> Okay, let's go ahead and secure the meeting, then. Everyone have a good day!
14:51:35 <Sparks> #endmeeting