<@salimma:fedora.im>
14:14:17
!startmeeting Security SIG (2026-04-02)
<@meetbot:fedora.im>
14:14:18
Meeting started at 2026-04-02 14:14:17 UTC
<@meetbot:fedora.im>
14:14:18
The Meeting name is 'Security SIG (2026-04-02)'
<@salimma:fedora.im>
14:14:22
!meetingname security-sig
<@meetbot:fedora.im>
14:14:22
The Meeting Name is now security-sig
<@thebeanogamer:fedora.im>
14:14:29
!hi
<@salimma:fedora.im>
14:14:45
!topic Init process
<@salimma:fedora.im>
14:14:56
copying the fesco playbook, since we don't have one yet :P
<@py0xc3:fedora.im>
14:14:56
!hello
<@salimma:fedora.im>
14:14:57
!hi
<@zodbot:fedora.im>
14:14:57
Christopher Klooz (py0xc3) - he / him / his
<@zodbot:fedora.im>
14:14:57
Michel Lind (salimma) - he / him / his
<@decathorpe:fedora.im>
14:14:59
!hi
<@zodbot:fedora.im>
14:15:01
Fabio Valentini (decathorpe) - he / him / his
<@thebeanogamer:fedora.im>
14:15:06
!hi
<@zodbot:fedora.im>
14:15:11
Daniel Milnes (thebeanogamer) - he / him / his
<@salimma:fedora.im>
14:16:01
hello all! looks like last week we started by linking issues and topics, so I'll do that again
turns out tickets is the repo :P
<@salimma:fedora.im>
14:16:54
Chris (py0xc3) want to take over?
<@salimma:fedora.im>
14:17:08
! help (no space) will give a refresher of the commands
<@py0xc3:fedora.im>
14:17:39
I can, but not sure if the one still marked for meeting must be discussed. I expect it's known and was mentioned in the channel too. I should remove the "meeting" tag I think and give it some time. Most fedora-selinux-related repos are on github anyway, so that on itself is not a reason to move the repo to forge. I would wait some more time (I need to apply first to get sponsored as packager myself anyway), and if then some +1 came up and there is a chance of wider review or contribution to the repo or feedback over time, we can move it. Otherwise, it can also stay on GitHub. With just me + g5 the decision would feel a little "unilateral" :-)
<@salimma:fedora.im>
14:18:05
what, you're not a packager yet!
<@salimma:fedora.im>
14:18:16
there are at least two of us in this meeting that can help with that
<@py0xc3:fedora.im>
14:18:18
Yeah, somehow it was not necessary so far :)
<@salimma:fedora.im>
14:19:02
imho moving anything from github/gitlab is low priority-ish... now if we still have anything at Pagure, that one obviously needs to happen
<@py0xc3:fedora.im>
14:19:51
Indeed. But no, nothing on pagure. I developed that on github as it was easier to start. So I would leave the ticket open some time to see if it makes sense to move it to security in forge, if there is wider interest about it
<@py0xc3:fedora.im>
14:20:22
Not sure if there are questions that came up? Otherwise I might shift to Daniel Milnes about his tickets if there is something to be discussed (?)
<@salimma:fedora.im>
14:20:26
let's link the ticket for anyone who's not here who might want to comment
<@thebeanogamer:fedora.im>
14:21:01
On which note, I had a very quick pass over Pagure for anything directly security related. https://forge.fedoraproject.org/security/tickets/issues/3 was the only one that jumped out and I think that's best left with q5sys
<@salimma:fedora.im>
14:21:23
!info those who want to weigh in on whether fedora-downstream-hardening should move to the Fedora Forge, please comment there
<@py0xc3:fedora.im>
14:21:39
I have to go over the commands etc in the next days to be prepared for the future ;)
<@salimma:fedora.im>
14:22:11
my problem is a bit of the opposite, I still remember some old zodbot IRC commands that have not been ported yet :)
<@py0xc3:fedora.im>
14:22:12
Didn't chair anything since I was in docs, years ago (and I think a different bot)
<@salimma:fedora.im>
14:22:34
yeah, the current bot is a rewrite
<@salimma:fedora.im>
14:23:05
is q5sys in both this SIG and the security lab?
<@py0xc3:fedora.im>
14:23:14
Afaik yes
<@py0xc3:fedora.im>
14:23:21
But both are not related
<@salimma:fedora.im>
14:23:26
and yeah renaming might make sense
<@py0xc3:fedora.im>
14:24:03
What do you refer to? (a renaming issue came up in two tickets ^^)
<@salimma:fedora.im>
14:25:07
oh the ticket #3 about security lab naming being a bit misleading
<@py0xc3:fedora.im>
14:25:25
Ah yeah, indeed.
<@py0xc3:fedora.im>
14:25:59
Thus I admit I'm not sure who would be responsible to change that, except ask q5sys to consider it
<@py0xc3:fedora.im>
14:26:08
Not sure if he read that part
<@salimma:fedora.im>
14:26:49
he responded after that but maybe comment again about the renaming?
<@py0xc3:fedora.im>
14:27:00
yeah, i can add a post later about it
<@salimma:fedora.im>
14:28:02
so yeah looking at other distros like Debian, 'security lab' could be mistaken for something like Tails instead of something like Kali :)
<@salimma:fedora.im>
14:28:07
I wonder if we can just reuse that name
<@py0xc3:fedora.im>
14:29:01
Yeah that was about my thought too. Given its purpose, pentesting systems are often much worse configured in terms of user security, and thus achieve the opposite of what some users might expect
<@py0xc3:fedora.im>
14:30:03
I would just add a post and reference it was discussed, and maybe leave it as incentive for the maintainers, then they can consider first if and what they want to use?
<@salimma:fedora.im>
14:31:38
right, it's not really for us to bikeshed
<@py0xc3:fedora.im>
14:32:07
I posted in the ticket
<@py0xc3:fedora.im>
14:33:05
Something about ticket #2 ?
<@salimma:fedora.im>
14:33:56
<@salimma:fedora.im>
14:34:09
yeah ... the wiki is not great for anything that is collectively maintained
<@salimma:fedora.im>
14:34:22
something simple like how to run a meeting is fine, but something that needs review, boom
<@salimma:fedora.im>
14:34:38
i guess the question is ... full docs, or quick docs. full docs is OK except antora is a bit janky
<@thebeanogamer:fedora.im>
14:34:46
Yeah so I've spent a little time on this. Think I understand how the docs.fp.o site gets built, but if we're going ahead with this then someone needs to create the repo on Forge as my permissions don't let me do that.
<@thebeanogamer:fedora.im>
14:35:58
In terms of actual content, I've started a draft on how Fedora's signing pipeline works. I'd like to run it past Jeremy Cline before submitting the draft though (to make sure I've correctly understood the relationship between Robosignatory, Sigul, and Siguldry).
<@salimma:fedora.im>
14:36:08
since we have the 'security' group does that mean we can create as many repos as needed? (I've not admin-ed anything in forge, I know that it's more restricted than Pagure but I'm assuming it's just like gitlab)
<@thebeanogamer:fedora.im>
14:36:09
Hopefully finish that on this long weekend, maybe also do one on crypto policies if I get time
<@jcline:fedora.im>
14:36:47
I'm actually in the middle of writing a bunch of docs on that front (in part for the Flock talk I've got) but yeah happy to look through it
<@thebeanogamer:fedora.im>
14:37:18
I think we're in agreement that docs.fp.o is the future then
<@py0xc3:fedora.im>
14:37:21
yes
<@py0xc3:fedora.im>
14:38:46
Don't know off the cuff the list I submitted, already some time ago, but I'm forge group owner, Fabio Valentini q5sys and I think one or two more.
<@py0xc3:fedora.im>
14:39:26
+ siosm + nirik
<@py0xc3:fedora.im>
14:41:30
It has its own challenges (mostly entry barrier and time investment), but I guess it's better than the wiki.
<@py0xc3:fedora.im>
14:41:50
Working with the team is at least straightforward. Communication always works very well with the Docs team
<@py0xc3:fedora.im>
14:42:17
When they have to switch the source of docs or so. I'm just working on that with them concerning the new rules of the Discourse.
<@thebeanogamer:fedora.im>
14:43:51
In that case then, let's pick someone to create the repo
<@py0xc3:fedora.im>
14:44:04
If there is agreement to create a repo, I can do it
<@thebeanogamer:fedora.im>
14:44:28
We can get some content into it so we understand the flow, then PR it to the real docs site (the Ansible to tell it about the new repo)
<@salimma:fedora.im>
14:44:39
Sure, sounds good to me
<@q5sys:matrix.org>
14:44:53
Ah Europe rolled forward on time so now we're all off again...
<@py0xc3:fedora.im>
14:44:59
We don't really have rules yet about how many +1 are necessary to have something approved. Not sure if it is useful to agree on a quorum or so ?
<@py0xc3:fedora.im>
14:45:12
London time :P
<@q5sys:matrix.org>
14:45:17
in trying to quickly catch up... I'm not in favor of renaming the Security Lab Spin... I'll post more info in the ticket.
<@salimma:fedora.im>
14:45:23
Could be useful to agree on procedures now rather than when something contentious comes up, yes
<@q5sys:matrix.org>
14:45:31
Michel Lind ☘ UTC+1 Yes I am in both SIGs.
<@py0xc3:fedora.im>
14:46:03
So before agreeing on more, might be useful what is a quorum? So how many +1 we need to have something approved?
<@py0xc3:fedora.im>
14:47:06
I guess given the active participants, at least if there is no -1, I guess more than 3 or maybe 4 +1 is not realistic?
<@q5sys:matrix.org>
14:47:30
Since this team isn't "formalized" in any official way within the Fedora decision making process... or blessed by FESCO to make or demand changes... at most we're just agreeing that we're all on the same page to then go to whoever and ask them to do something.
<@q5sys:matrix.org>
14:49:39
We're a group of people with shared concerns and who are working together to make things more secure. Things that don't impact the project as a whole are fair game for us to handle... just as if any other group of people who are making things happen would do. But any larger changes would need to still go through the formalized process.
<@q5sys:matrix.org>
14:49:39
So for any larger changes, we can get our ducks in a row and then approach with a project change request after we've refined the idea enough internally.
<@salimma:fedora.im>
14:51:10
I've never started a delegated team before - not sure if Fabio Valentini knows how to do it - but I figure when needed we can probably make it happen
<@salimma:fedora.im>
14:51:29
without someone who can liaise with RH especially RH ProdSec though, I would advise against doing it prematurely
<@q5sys:matrix.org>
14:51:38
agreed
<@q5sys:matrix.org>
14:51:42
that's a ways off IMHO.
<@q5sys:matrix.org>
14:52:20
We'd need to show that the team can at least hold meetings for a year straight. Historically that's been a rare occurrence. It seems to come and go as people get interested and then fall by the wayside again.
<@q5sys:matrix.org>
14:52:44
Last time I tried to start meetings up... for about 2 months people were active... then 4 months of it basically just being me staring at a non active channel.
<@q5sys:matrix.org>
14:53:27
So until we can show that we are serious in making consistent effort... most people are just going to think it's just another 'flash in the pan', since that's what history shows.
<@py0xc3:fedora.im>
14:53:36
Not sure if I caused this development, but I was just talking about if we want to agree on a quorum :) At the moment it can be blurred if and when to consider something approved if, e.g., just 1 or 2 are +1.
<@py0xc3:fedora.im>
14:54:32
I agree with the points that this is too premature to go into something formalized. Based on the initial elaboration we put in the wiki, a little also a derivation of the xzutils incident, this is mostly useful as a place for knowledge creation & transfer, connecting those who might not be connected otherwise -> an additional channel with a clear scope.
<@salimma:fedora.im>
14:54:45
yeah, but I think q5sys was saying until we're a formal team quorum might be unnecessary. idk, I think we can do that part first
<@py0xc3:fedora.im>
14:55:02
To create an overlap of teams to trigger information flows within scope
<@py0xc3:fedora.im>
14:55:15
ok
<@q5sys:matrix.org>
14:55:22
yea that's a better way to explain it
<@py0xc3:fedora.im>
14:55:23
I don't insist :)
<@salimma:fedora.im>
14:55:37
so yeah. I guess just the majority of all present during the init process should be fine for decision making, provided we're above the quorum threshold -- how many people normally show up?
<@py0xc3:fedora.im>
14:55:39
Ok, then, should I create a repo for Daniel Milnes approach?
<@q5sys:matrix.org>
14:55:40
What Michel says is a better way to explain it
<@py0xc3:fedora.im>
14:55:54
same page about his idea, so to speak?
<@salimma:fedora.im>
14:56:01
yeah, I feel like it's been ... what... 15+ mins and nobody objected
<@thebeanogamer:fedora.im>
14:56:21
I love democracy
<@py0xc3:fedora.im>
14:56:31
ok. then I create one. Daniel Milnes can you add a post in the ticket and trigger me? Let me know the name I should use for the repo
<@q5sys:matrix.org>
14:56:32
and obviously we can't make a decision for other people's work. :) No matter how many of us agree on it. At most we can just approach and make recommendations.
<@salimma:fedora.im>
14:56:43
well, yes, indeed
<@py0xc3:fedora.im>
14:56:52
sure
<@q5sys:matrix.org>
14:57:09
What repo does Daniel Milnes want?
<@thebeanogamer:fedora.im>
14:57:32
Docs site (for issue #2 )
<@q5sys:matrix.org>
14:58:06
👍
<@q5sys:matrix.org>
14:58:19
no objections from me on that one.
<@thebeanogamer:fedora.im>
14:58:37
Ok I'll stick an update on the ticket. We can close the ticket once the repo is in place and make tickets on the repo for pages to create etc.
<@py0xc3:fedora.im>
14:58:53
Sounds good.
<@py0xc3:fedora.im>
15:00:24
Anything else to discuss? Some new xzutils fun case or so? :D
<@thebeanogamer:fedora.im>
15:00:46
Other than getting depressed about npm supply chain attacks, nothing from me
<@py0xc3:fedora.im>
15:01:10
I'm sure we can find more to get depressed :)
<@q5sys:matrix.org>
15:01:38
What time are we going to use next week?
<@py0xc3:fedora.im>
15:01:50
I would stick with London time?
<@thebeanogamer:fedora.im>
15:01:59
3pm Europe/London works for me
<@q5sys:matrix.org>
15:02:16
I have meetings from 10-1030 ET and 12-1 ET... which is why I went with 11A ET... but with time zone shuffling with hours shifting I'm not sure what that works out to all you guys.
<@q5sys:matrix.org>
15:02:46
sadly businesses on the East Coast of the US don't change their timing based on UTC... they keep local time. haha
<@thebeanogamer:fedora.im>
15:02:51
My schedule is a mess, pick a time and I'll make it work (preferably something within Europe/London's awake hours)
<@salimma:fedora.im>
15:03:10
regardless of whether we pick US Eastern or London, some of us will have an offset a few weeks a year I think
<@salimma:fedora.im>
15:03:25
this year is probably worse than normal, I think it's three weeks apart (probably since March has 5 Sundays?)
<@salimma:fedora.im>
15:03:46
yeah I'm also on London time. happily my mornings are a mess so afternoons are ok
<@q5sys:matrix.org>
15:04:07
yea, it'll happen every once in a while. I'm just trying to figure out when most of us are available.
<@q5sys:matrix.org>
15:04:26
I just happen to sit down early for this meeting to see that you had already started it.
<@q5sys:matrix.org>
15:05:33
I guess we need to check to see what the time of the infra meeting is with the time shift.
<@q5sys:matrix.org>
15:05:44
They were an hour after us.
<@q5sys:matrix.org>
15:06:08
But I don't see any complaints from them saying we're hogging their time...
<@q5sys:matrix.org>
15:06:20
They were an hour after we ended.
<@py0xc3:fedora.im>
15:06:34
If I get it right, the preferences are currently either as it was today or +1 hour. I guess both is ok for me.
<@thebeanogamer:fedora.im>
15:06:52
4pm Europe/London works for me
<@q5sys:matrix.org>
15:08:27
Michel Lind ☘ UTC+1 you able to do 11a ET? IDK where you are located these days. (+1 hour from today's start time)
<@py0xc3:fedora.im>
15:08:38
11a ET was 8 minutes ago, right? (spares me the calculator ^^)
<@q5sys:matrix.org>
15:08:49
yup, 8 min ago
<@py0xc3:fedora.im>
15:09:02
If that is agreed, I would update the wiki
<@py0xc3:fedora.im>
15:09:15
Fabio Valentini: how about you?
<@decathorpe:fedora.im>
15:10:25
that should be fine
<@salimma:fedora.im>
15:10:49
yeah 11 am is fine too
<@salimma:fedora.im>
15:10:54
sorry, was checking something else
<@decathorpe:fedora.im>
15:11:03
somewhere between two of my regular meetings (one of which uses Europe/Germany the other is FPC which is ... US/Eastern?)
<@salimma:fedora.im>
15:11:09
I have FPC at 12 pm ET
<@q5sys:matrix.org>
15:11:32
Normally this meeting is only 15-30 min, so that shouldn't be an issue
<@q5sys:matrix.org>
15:11:53
I think my late joining is what dragged this one on... you guys seemed to be kinda wrapping up before I popped in.
<@py0xc3:fedora.im>
15:12:44
I update the wiki then to 1600 BST, 1700 GER/SWISS, 1500 UTC/GMT, 11ET :D We might reconsider how to go ahead before the next time zone change, but I add a comment about it. We have some time until the next change :)
<@q5sys:matrix.org>
15:13:28
we can discuss it in a ticket too... gives more people the ability to view and comment. Meeting times will always be more restrictive.
<@decathorpe:fedora.im>
15:14:05
fine with me. post a ticket with suggestions and we can ack/nack them
<@py0xc3:fedora.im>
15:14:16
Do you create one q5?
<@py0xc3:fedora.im>
15:14:25
Or shall I?
<@py0xc3:fedora.im>
15:14:34
I can do, I have a few minutes left anyway
<@q5sys:matrix.org>
15:14:47
I can create it... or you can...
<@q5sys:matrix.org>
15:14:57
its not a race. haha
<@q5sys:matrix.org>
15:15:22
I need to create a ticket for the security-lab forge so I'll be there shortly anyway
<@py0xc3:fedora.im>
15:15:24
We can make it one :P But yeah, don't care, I can create it now and then I post it in the channel. I wait then with updating the wiki and leave it with the ticket.
<@q5sys:matrix.org>
15:15:38
so I can handle it... if you want to enjoy the rest of your life today. haha
<@py0xc3:fedora.im>
15:15:54
😂Ok, then feel free to create one 😂
<@q5sys:matrix.org>
15:16:04
wilco
<@py0xc3:fedora.im>
15:16:04
I do not yet update the wiki then
<@py0xc3:fedora.im>
15:16:34
We just have to ensure to not cause confusion for the next week ^^
<@thebeanogamer:fedora.im>
15:16:48
I think we're all done then, back to booking a conference trip so I feel better about spending Flock house-sitting
<@py0xc3:fedora.im>
15:17:06
Sounds good. I guess no other points?
<@py0xc3:fedora.im>
15:20:33
Let's see if I remember correctly (and if I can do it when I didn't start the meeting :P)
<@py0xc3:fedora.im>
15:20:37
!endmeeting