14:00:07 <Astranox> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
14:00:07 <zodbot> Meeting started Thu Feb  4 14:00:07 2021 UTC.
14:00:07 <zodbot> This meeting is logged and archived in a public location.
14:00:07 <zodbot> The chair is Astranox. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:07 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:00:07 <zodbot> The meeting name has been set to 'security_team_meeting_-_agenda:_https://fedoraproject.org/wiki/security_team_meetings'
14:00:18 <Astranox> #meetingname Fedora Security Team
14:00:18 <zodbot> The meeting name has been set to 'fedora_security_team'
14:00:27 <Astranox> #topic Roll call
14:00:50 <copperi> hello
14:00:55 <Astranox> .hello astra
14:00:55 <rnm> .hello2
14:00:56 <zodbot> Astranox: astra 'David Kaufmann' <astra@ionic.at>
14:00:59 <zodbot> rnm: Sorry, but you don't exist
14:01:15 <huzaifas> .hello huzaifas
14:01:15 <rnm> .hello rnm
14:01:15 <zodbot> huzaifas: huzaifas 'Huzaifa Sidhpurwala' <huzaifas@redhat.com>
14:01:21 <zodbot> rnm: Sorry, but you don't exist
14:01:33 <rnm> .hello robbinespu
14:01:34 <zodbot> rnm: robbinespu 'Robbi Nespu' <robbinespu@gmail.com>
14:05:49 <Astranox> I think no one else is joining, so let's start. I've prepared a few initial points to discuss (to be fair: one)
14:06:07 <Astranox> #topic Outstanding BZ Tickets (by Severity)
14:06:15 <Astranox> #info Thursday's numbers: Urgent 12, High 239, Medium 1103, Low 610, Total 1990
14:06:50 <huzaifas> resolving fedora security trackers?
14:07:00 <Astranox> this is the current state, reported by the scripts we used back then
14:07:39 <Astranox> i'm not too sure how useful these numbers are, or if they are even accurate
14:08:05 <huzaifas> yes, i know, but i have two things to say about this 1. let's leave resolving pkg issues with pkg maintainers and 2. focus on higher level things which can help with fedora security
14:08:19 <Astranox> I've run the script for I think about two years or so now, so if they are useful, I've got statistical data :)
14:09:00 <rnm> that is a lot of numbers.. 1990
14:09:30 <huzaifas> two years back i proposed a few stuff https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/P3AHRBMISHM5Q75APTMXJLFRAJZOW756/
14:09:42 <huzaifas> some of it has traction, some of it is dead and needs volunteers to help
14:09:49 <Astranox> in general I agree with that, but for me the point of these numbers is mostly to find issues that no one cares about, but are important issues
14:10:33 <huzaifas> a few years back fedora security team died, because it became too boring trying to chase pkg maintainers to fix their pkgs or trying to backport patches on their own
14:10:34 <Astranox> #info https://lists.fedoraproject.org/archives/list/security-team@lists.fedoraproject.org/thread/P3AHRBMISHM5Q75APTMXJLFRAJZOW756/
14:11:04 <huzaifas> in general we need a policy to kick out pkgs of the distro, if those pkgs are affected by sec. flaws and the pkg maintainer does not really care
14:11:50 <Astranox> can you give a short overview over the points (I know the dashboard is there now, but not sure about the other points)
14:12:05 <huzaifas> sure
14:12:21 <huzaifas> https://pagure.io/fesco/issue/1935 is the biggest one
14:12:32 <huzaifas> was approved by fesco, but rel-eng refused to work on this
14:12:51 <huzaifas> i had to ask fesco to ask rel-eng, but still no progress
14:13:16 <huzaifas> basically if pkgs have X number of security flaws, then in the next branch cycle remove the pkg using FTBS
14:13:41 <huzaifas> after giving sufficient warning to pkg maintainers
14:13:48 <huzaifas> also there is a list of critical pkgs which cannot be removed
14:14:07 <Astranox> so there is a policy, but no process for it?
14:14:16 <rnm> on debian, they have a repo for maintainers and a repo for the security team to fix the security bug/cve. but on fedora, everything is just on one repo. right?
14:14:19 <huzaifas> there is a policy, but no implementation
14:14:33 <huzaifas> rnm, yes, one repo
14:14:58 <huzaifas> rnm, also i feel maintainers are correct people to fix security issues
14:15:03 <huzaifas> they probably know their code well
14:15:22 <huzaifas> but sometimes they are either busy or other stuff and the pkg is "security orphaned"
14:15:31 <huzaifas> we are a handful of people
14:15:43 <huzaifas> we can't keep backporting stuff or rebasing stuff for them
14:16:10 <huzaifas> some time back, i ran a nag script which mailed maintainers every 10 days or so, asking them to resolve their security bug
14:16:24 <huzaifas> got a mixed response, but did get the flaw numbers down :)
14:16:49 <huzaifas> second thing is the fedora-review tool:
14:17:03 <Astranox> that sounds like you stopped doing that - why?
14:17:27 <huzaifas> Astranox, it was semi automated and i ran it from my machine
14:17:30 <huzaifas> got busy with other stuff
14:17:34 <huzaifas> it needs to be automated
14:17:40 <huzaifas> no human interaction
14:18:26 <huzaifas> so second thing: fedora-review tool
14:18:35 <huzaifas> RH Prodsec has added a few security scanners to the tool
14:18:51 <huzaifas> last during flock in budapest i presented it
14:19:05 <huzaifas> we plan to send some of scanners upstream
14:19:26 <huzaifas> again i got busy with other stuff, but i have already started the process
14:19:30 <rnm> does your suggestion on "Fedora Security dashboard" from previously exist now?
14:19:34 <rnm> (your
14:19:49 <huzaifas> rnm, the dashboard exists now, it was presented during flock in budapest
14:20:00 <huzaifas> but it was just a demo, it needs volunteers again
14:20:14 <huzaifas> i planned to get an outreachy intern to work on it
14:20:56 <huzaifas> https://pagure.io/fedora-security-dashboard
14:21:24 <huzaifas> Bojan Jovanović did a lot of work on this
14:21:32 <huzaifas> but he is a professor so quite busy
14:21:37 <Astranox> is this different from https://packager-dashboard.fedoraproject.org/ ?
14:21:39 <huzaifas> he gave a demo of this last year at flock
14:21:40 <rnm> working demo? to me, it was a good idea. maybe can run some job on background to ask maintainer fix security issue
14:21:56 <huzaifas> rnm, the demo worked :)
14:22:02 <huzaifas> Astranox, yes, a security dashboard
14:22:25 <huzaifas> something like https://pagure.io/fedora-security-dashboard/blob/master/f/mockup-images/fedora-crit-imp.png
14:22:26 <Astranox> the packager dashboard includes cve-bugs and explicitly highlights them too
14:22:48 <pjp_> Hello
14:22:56 <huzaifas> Astranox, this one intends to show how secure fedora is at a glance :)
14:22:56 <Astranox> ah, this is meant as overview dashboard
14:23:04 <Astranox> hi pjp
14:23:14 <huzaifas> for example say: F34 has 4 critical, 10 important and 100 lows
14:23:23 <huzaifas> so a user can see at a glance what the distro is doing
14:23:42 <huzaifas> also it is meant to be an encouragement tool for fesco and pkg maintainers to fix their stuff :)
14:24:09 <ytale_> do we use same tool for regular package review and security package review? https://pagure.io/FedoraReview/tree/master or is there any different tool for security in upstream?
14:24:30 <huzaifas> ytale_, upstream = fedora right?
14:24:36 <ytale_> yes.
14:24:36 <huzaifas> currently there is security scanning tool
14:25:03 <huzaifas> most reviewers are not security folks
14:25:20 <huzaifas> so fedora review mostly checks if pkg guidelines are being followed
14:25:25 <huzaifas> that's mostly it
14:25:53 <huzaifas> and lastly fedora defensive coding guide
14:25:57 <rnm> I imagine it (fedora security dashboard) should have tracker too like https://security-tracker.debian.org/tracker/source-package/sudo (sudo package for example)
14:26:05 <huzaifas> https://pagure.io/defensive-coding-guide
14:26:27 <huzaifas> rnm, yes, but for the entire distro, some thing like "at a glance"
14:26:36 <huzaifas> so i rebooted defensive coding guide
14:26:38 <huzaifas> but two things
14:26:44 <huzaifas> 1. we need more contributors
14:26:57 <huzaifas> 2. we need a way to publish this on docs.fedoraproject.org
14:27:25 <huzaifas> https://huzaifas.fedorapeople.org/public/defensive-coding/ is the latest version i published
14:28:24 <copperi> huzaifas: just ask bcotton to add link to your repo
14:29:00 <huzaifas> copperi, add link where?
14:29:03 <rnm> that dashboard is a good project for an outreachy/gsoc intern
14:29:15 <huzaifas> rnm, agreed
14:29:38 <bcotton> huzaifas: see https://pagure.io/fedora-docs/docs-fp-o/c/5e0bfa7e0a6438716d9ddfd6e146a836382ea5d6?branch=prod
14:30:32 <bcotton> the main question is where to put it
14:30:53 <huzaifas> bcotton, it existed here https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html
14:30:56 <bcotton> we can talk about it in #fedora-docs. pbokoc may have opinions on that
14:31:08 <huzaifas> sure
14:31:38 <bcotton> also, i'll need to look more closely before i have an opinion (in a meeting right now)
14:31:39 <huzaifas> so..
14:31:49 <huzaifas> bcotton, sure
14:31:56 <Astranox> that sounds great, can we get some tasks out of this?
14:32:08 <huzaifas> so i feel these could be some points we focus our attention on, high level stuff, should make distro more secure
14:32:31 <Astranox> (and can someone else take chair, I've got to switch to mobile)
14:33:05 <huzaifas> .chair
14:33:05 <zodbot> huzaifas: (chair <an alias, 1 argument>) -- Alias for "echo $1 is seated in a chair with a nice view of a placid lake, unsuspecting that another chair is about to be slammed into them.".
14:33:18 <huzaifas> .chair does not work?
14:33:18 <zodbot> does not work? is seated in a chair with a nice view of a placid lake, unsuspecting that another chair is about to be slammed into them.
14:33:29 <Astranox> huzaifas: can you estimate how much work is needed for these points (esp. the nagging fully automated)?
14:33:42 <Astranox> .chair huzaifas
14:33:42 <zodbot> huzaifas is seated in a chair with a nice view of a placid lake, unsuspecting that another chair is about to be slammed into them.
14:33:59 <huzaifas> Astranox, the nagging email is a few hours max, but i need to host it on a fedora server, i cant run it from my machine
14:34:11 <huzaifas> for multiple reasons
14:34:30 <huzaifas> also i want to mail fedora-devel that i am doing this first, some people get really pissed off when we nag them :)
14:35:12 <huzaifas> however some tasks are non-technical for example chasing rel-eng
14:35:32 <huzaifas> this one needs special powers, because i think even fesco gave up at one point
14:35:37 <rnm> maybe need to contact fedora infra guys if can place your nagging email script somewhere
14:35:39 <huzaifas> maybe get FPL involved
14:35:45 <huzaifas> rnm, sure
14:36:09 <huzaifas> rnm, also have some kind of exclude list, for people who hate nagging
14:36:37 <copperi> don't they have ignore rules ?
14:36:48 <ytale_> and we are nagging maintainers every 10 days again? time interval is same?
14:37:01 <huzaifas> ytale_, the interval could be configurable as well
14:37:16 <Astranox> huzaifas: can you make #action items to that? and maybe send me a link to the code, I'd like to have a look at it if I can contribute anything to it
14:37:20 <huzaifas> copperi, no this one is quite simple, get bz open flaw json, choose maintainer, mail them
14:37:30 <huzaifas> Astranox, the script?
14:37:35 <Astranox> yes
14:37:43 <huzaifas> i will need to find it first :)
14:38:03 <huzaifas> but like i mentioned it's quite simple, i can maybe write a quick one and you can improve it if you want
14:38:21 <huzaifas> #action huzaifa to commit the nagging script somewhere and pass the link to Astranox
14:38:42 <huzaifas> this is how it's done right? ^
14:40:59 <Astranox> yes
14:41:14 <huzaifas> good
14:42:14 <huzaifas> i think it would be optimal to get small things done, rather than too many tasks
14:43:35 <Astranox> definitely
14:43:47 <huzaifas> cool
14:44:14 <huzaifas> i think there are a lot of initiatives here, we can take them up one by one
14:45:04 <Astranox> i've also added meeting date to the agenda - is the date and time still fine?
14:45:14 <huzaifas> fine for me
14:45:22 <rnm> +1
14:46:17 <huzaifas> anything else anyone wants to discuss, before we end the mtg?
14:46:28 <pjp_> +1
14:47:03 <Astranox> then i'd say keep it like this, so next one would be 2021-02-11 14:00 UTC
14:47:03 <huzaifas> going once
14:47:22 <huzaifas> sure
14:47:31 <copperi> +1
14:47:36 <lilyx> +1
14:48:03 <rnm> how to join fedora security team? maybe mentoring stuff like someone email before on ML
14:48:35 <huzaifas> rnm, i think the best way is to start helping in one of the initiatives above or any other
14:48:36 <lilyx> yes that would be helpful info
14:48:41 <lilyx> k
14:48:49 <huzaifas> once we figure out the person is helpful, we could add him to the page etc
14:48:55 <huzaifas> rather than the other way around
14:49:06 <huzaifas> we had a lot of people on the page previously but not all of them were active
14:49:14 <ytale_> this sounds good idea. +1
14:49:15 <huzaifas> so having things the other way is more useful
14:49:22 <copperi> sure is
14:49:37 <rnm> I'm quite interested in the dashboard. Did you commit the working demo to the pagure repo or somewhere?
14:49:55 <huzaifas> rnm, i think the code on that pagure link is fully updated
14:50:01 <huzaifas> you can start working from there
14:50:21 <huzaifas> also contact Bojan Jovanović
14:50:29 <huzaifas> and maybe collaborate on that
14:51:06 <huzaifas> bojan Jovanovic <bojov@fedoraproject.org>
14:52:01 <rnm> to be honest i am new with python and jump straight learning django. Not sure how much I can help
14:52:29 <huzaifas> well you can talk with him and see
14:52:51 <huzaifas> anyways Astranox i may need to quit in like 5 mins, either someone takes chair or we end meeting
14:53:14 <rnm> ok I will clone and try whether the demo works or not later
14:53:19 <huzaifas> sure
14:53:28 <Astranox> yes, i think we can end here, there will be another meeting here
14:54:00 <huzaifas> great
14:54:03 <huzaifas> #endmeeting
14:54:22 <Astranox> #endmeeting