Gentoo Archives: gentoo-commits

From: "Tobias Heinlein (keytoaster)" <keytoaster@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/security/meeting-logs: gentoo-security-meeting-2010-09-01.txt
Date: Thu, 02 Sep 2010 13:15:04
Message-Id: 20100902131452.BDDAC20051@flycatcher.gentoo.org
1 keytoaster 10/09/02 13:14:52
2
3 Added: gentoo-security-meeting-2010-09-01.txt
4 Log:
5 Adding a3li's log.
6
7 Revision Changes Path
8 1.1 xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01.txt
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01.txt?rev=1.1&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01.txt?rev=1.1&content-type=text/plain
12
13 Index: gentoo-security-meeting-2010-09-01.txt
14 ===================================================================
15 [2010/09/01 20:29:30] @ Log started by gen2
16 [2010/09/01 20:29:30] @ Joined channel #gentoo-security
17 [2010/09/01 20:29:30] @ Topic is "Project Meeting 2010-09-01 18:30 UTC in here | This channel is only for coordinating vulnerabilities and GLSA releases. For an end-user support channel, see #gentoo | http://security.gentoo.org | New recruits: http://www.gentoo.org/security/en/padawans.xml"
18 [2010/09/01 20:29:30] @ Topic set by vorlon078!~vorlon@gentoo/developer/vorlon on Mon Aug 30 22:16:23 +0200 2010
19 [2010/09/01 20:29:30] @ Mode +cntz by kornbluth.freenode.net
20 [2010/09/01 20:29:38] <vorlon078> bye _Craig_ :P
21 [2010/09/01 20:29:39] <a3li> three loggers now
22 [2010/09/01 20:29:41] <a3li> at leat
23 [2010/09/01 20:29:42] <a3li> *least
24 [2010/09/01 20:29:52] <_Craig_> I'm against data retention!
25 [2010/09/01 20:29:53] <p-y> that should be enough :)
26 [2010/09/01 20:30:01] * _Craig_ logs, too
27 [2010/09/01 20:30:02] <keytoaster> hi
28 [2010/09/01 20:30:12] <vorlon078> hi everyone
29 [2010/09/01 20:30:12] * a3li deletes _Craig_
30 [2010/09/01 20:30:27] <vorlon078> since it's time now... could we have a short roll call
31 [2010/09/01 20:30:30] * vorlon078 is here
32 [2010/09/01 20:30:30] <Chainsaw> Do we have an agenda?
33 [2010/09/01 20:30:42] * Chainsaw is present(ly awaiting an agenda link!)
34 [2010/09/01 20:30:44] <a3li> http://archives.gentoo.org/gentoo-security/msg_69f93c889d9aaeeb3a13d679f1abde8c.xml
35 [2010/09/01 20:31:12] <underling> I am here, hey folks.
36 [2010/09/01 20:31:18] <vorlon078> http://dev.gentoo.org/~vorlon/security/meeting-20100901.xml
37 [2010/09/01 20:31:27] <a3li> underling: great
38 [2010/09/01 20:31:44] * rbu here
39 [2010/09/01 20:31:46] * jaervosz is here too
40 [2010/09/01 20:31:54] <vorlon078> Falco: ping
41 [2010/09/01 20:31:55] <a3li> if there's anyone who doesn't know underling yet. he's that very active @cisco.com dude who files bugs in bugzilla :)
42 [2010/09/01 20:31:58] * p-y is here
43 [2010/09/01 20:33:25] <vorlon078> _Craig_ keytoaster solar: meeting ping
44 [2010/09/01 20:33:31] <_Craig_> yo
45 [2010/09/01 20:33:57] <keytoaster> yo
46 [2010/09/01 20:34:15] <vorlon078> great
47 [2010/09/01 20:34:30] <vorlon078> so we are more or less complete I guess and ready to start
48 [2010/09/01 20:35:41] <vorlon078> well
49 [2010/09/01 20:35:53] <_Craig_> 1) project status
50 [2010/09/01 20:35:54] <vorlon078> nobody added anything to the proposed agenda
51 [2010/09/01 20:36:12] <vorlon078> so we should just start and add anything that still comes up to point 5
52 [2010/09/01 20:36:33] <vorlon078> could someone give a short overview of where we stand right now
53 [2010/09/01 20:36:49] <vorlon078> besides the existance of an enormous backlog
54 [2010/09/01 20:37:12] <_Craig_> Current status from my point of view: we file bugs, but we're slow sometimes. Sometimes we miss bugs.
55 [2010/09/01 20:37:25] <_Craig_> Things like firefox and browsers generally are a huge PITA
56 [2010/09/01 20:37:49] <_Craig_> lots of bugs, hard to trace, no one really likes doing that kind of work
57 [2010/09/01 20:38:11] <Chainsaw> The Mozilla trademark issues don't help.
58 [2010/09/01 20:38:37] <_Craig_> and there are times when no one files anything, because we're busy, e.g. with studies
59 [2010/09/01 20:38:44] <p-y> or real life
60 [2010/09/01 20:38:46] <vorlon078> yeah
61 [2010/09/01 20:39:04] <_Craig_> as the team is rather small, it can quickly happen that no one does anything for a week on critical bugs.
62 [2010/09/01 20:39:07] <vorlon078> so the problem is not just drafting/reviewing but also filing bugs in time
63 [2010/09/01 20:39:17] <p-y> what about the new glsamaker?
64 [2010/09/01 20:39:31] <_Craig_> IMHO, yes. High-priority gets attention, but lower ones not always.
65 [2010/09/01 20:39:32] <a3li> p-y: maybe we talk about that later on
66 [2010/09/01 20:39:35] <p-y> ok
67 [2010/09/01 20:39:58] <rbu> _Craig_: but that's alright then. use the time you have as wise as you can. :-)
68 [2010/09/01 20:40:00] <a3li> in terms of bugs we usually do the easy stuff first. but we're already running at capacity while dealing with the easy stuff.
69 [2010/09/01 20:40:05] <a3li> so the hard things don't get done.
70 [2010/09/01 20:40:20] <_Craig_> (like the gazillion of browser bugs)
71 [2010/09/01 20:40:25] <a3li> on a larger scale, we're scratching on the surface of the amount of bugs and advisories we need to send
72 [2010/09/01 20:40:33] <vorlon078> yeah
73 [2010/09/01 20:40:37] <rbu> what is easy vs. hard? firefox, etc.. i heard. what else?
74 [2010/09/01 20:40:50] <_Craig_> webkit
75 [2010/09/01 20:40:50] <a3li> and with the current active (not on the list) team, we're not getting the numbers lower, we're rather growing further apart from 0 open bugs
76 [2010/09/01 20:40:51] <p-y> php, java...
77 [2010/09/01 20:41:21] <rbu> ok.. so large packages are not easy. because they have so many issues?
78 [2010/09/01 20:41:35] <a3li> it's the quantity as well as the list of affected packages
79 [2010/09/01 20:41:36] <vorlon078> sidenote: I would like to add team membership to topic 4
80 [2010/09/01 20:42:07] <a3li> rbu: as in 1 CVE affects xulrunner, firefox, thunderbird, seamonkey and several versions of these
81 [2010/09/01 20:42:12] <a3li> and that >100 times
82 [2010/09/01 20:42:20] <_Craig_> or sometimes not all bugs get fixed, so we cannot send the glsa yet.
83 [2010/09/01 20:42:27] <keytoaster> rbu: not only because of many issues, but also because some issues are fixed in one version, some in another only, some in both
84 [2010/09/01 20:42:43] <a3li> and more importantly, bugs that are not readily researched are completely left aside.
85 [2010/09/01 20:42:49] <p-y> and seometimes it's hard to know whether it's fixed or not
86 [2010/09/01 20:43:17] <keytoaster> ok, so our job sucks because most upstreams suck :)
87 [2010/09/01 20:43:24] <p-y> heh
88 [2010/09/01 20:43:37] <rbu> are we gathering problems first, and discussing solutions later, or do we do both in parallel?
89 [2010/09/01 20:43:42] <vorlon078> so in summary we are very low on active ressources and have some more trouble with the usual troublesome packages
90 [2010/09/01 20:43:55] <rbu> keytoaster: i guess because upstream sucks, our job exists
91 [2010/09/01 20:44:23] <vorlon078> according the the very short agenda I proposed this is the short status overview and we look at solutions later ;)
92 [2010/09/01 20:44:41] <rbu> vorlon078: full ack
93 [2010/09/01 20:44:58] <rbu> what's the status besides bug reporting?
94 [2010/09/01 20:45:34] <a3li> it's the same wrt GLSA sending and CVE tracking.
95 [2010/09/01 20:45:46] <keytoaster> a huge backlog with drafting, because noone wants to draft with the old glsamaker anymore
96 [2010/09/01 20:45:55] <keytoaster> i personally am waiting till the new one is ready
97 [2010/09/01 20:46:15] <a3li> all-in-all I'd say we're functional, but running on low flame.
98 [2010/09/01 20:46:19] <Chainsaw> I must admit, I was shown the glsamaker and it made me lose the will to live.
99 [2010/09/01 20:46:43] <p-y> Chainsaw: the interface, or the backlog?
100 [2010/09/01 20:46:52] <keytoaster> both probably
101 [2010/09/01 20:46:53] <Chainsaw> p-y: Both. They combine.
102 [2010/09/01 20:47:36] <vorlon078> so actually it seems we have the problems we always had, just a even worse this time
103 [2010/09/01 20:47:39] <keytoaster> we have some new functions in the new glsamaker to quickly draft all those old, low severity issues within minutes
104 [2010/09/01 20:47:48] <keytoaster> that would decrease the backlog partly
105 [2010/09/01 20:48:19] <Chainsaw> Could we adopt a rule that we kick out any advisory that is no longer relevant because newer software has already been stabled for another GLSA?
106 [2010/09/01 20:48:33] <vorlon078> are there any status related questions left? else we should discuss the possible backlog soluions later on
107 [2010/09/01 20:48:33] <Chainsaw> (This kept happening for Asterisk)
108 [2010/09/01 20:48:42] <a3li> vorlon078: yes. I think that is due to the reason that we're basically three active people plus one trainee
109 [2010/09/01 20:48:52] <keytoaster> Chainsaw: people might still be running the vulnerable software
110 [2010/09/01 20:49:01] <keytoaster> oh, for another GLSA
111 [2010/09/01 20:49:04] <keytoaster> hrm..
112 [2010/09/01 20:49:15] <keytoaster> well, that's just corner cases i guess
113 [2010/09/01 20:50:00] <vorlon078> then I believe we should get on to topic 2
114 [2010/09/01 20:50:06] <keytoaster> yes.
115 [2010/09/01 20:50:07] <vorlon078> if nobody objects
116 [2010/09/01 20:50:24] <rbu> one question still
117 [2010/09/01 20:50:34] <rbu> what about new recruits, team maintenance?
118 [2010/09/01 20:50:45] <rbu> what is the status there
119 [2010/09/01 20:51:01] <a3li> I started working with Chainsaw, but I've sent him to the council where his works is just as needed.
120 [2010/09/01 20:51:01] <keytoaster> we had a few requests from different people, both devs and non-devs
121 [2010/09/01 20:51:20] <keytoaster> those non-devs never returned because we just didn't have enough time to train them
122 [2010/09/01 20:51:28] <keytoaster> (apart from underling :)
123 [2010/09/01 20:51:36] <a3li> underling is doing a good job with filing bugs, I shall introduce him to the magic of drafting soon
124 [2010/09/01 20:51:43] <rbu> good
125 [2010/09/01 20:51:46] <vorlon078> yeah
126 [2010/09/01 20:51:58] <_Craig_> keytoaster: chiiph got trained a bit too, but stopped filing.
127 [2010/09/01 20:51:58] <rbu> underling: sounds great what you do, i saw some bugmail
128 [2010/09/01 20:52:05] <rbu> porps
129 [2010/09/01 20:52:09] <keytoaster> _Craig_: yes, that's my fault too
130 [2010/09/01 20:52:18] <underling> rbu: thanks, I am looking forward to "magic"
131 [2010/09/01 20:52:25] <keytoaster> i'll ask him again when the new glsamaker is done
132 [2010/09/01 20:52:46] <a3li> keytoaster: it'll be never done, just v1.0 :p
133 [2010/09/01 20:52:51] <rbu> vorlon078: feel free to go to #2 then from my side
134 [2010/09/01 20:52:52] <chiiph> keytoaster: well... not really... I'm with my hands full with other things apart from gentoo atm...
135 [2010/09/01 20:52:54] <keytoaster> yeah yeah
136 [2010/09/01 20:53:01] <keytoaster> chiiph: oh, ok then :(
137 [2010/09/01 20:53:01] <vorlon078> ok
138 [2010/09/01 20:53:09] <vorlon078> then lets get to topic 2
139 [2010/09/01 20:53:15] <chiiph> keytoaster: but don't count me out just yet...
140 [2010/09/01 20:53:25] <vorlon078> lead election, simply because it is supposed to happen every year
141 [2010/09/01 20:54:05] <keytoaster> i for one don't think we even need leads
142 [2010/09/01 20:54:16] <Chainsaw> keytoaster: Someone has to cast the deciding voice.
143 [2010/09/01 20:54:20] <vorlon078> it has always been more or less a formality for us
144 [2010/09/01 20:54:25] <rbu> keytoaster: hah.. you're not serious?
145 [2010/09/01 20:54:27] <Chainsaw> keytoaster: Running things by committee will turn you into Debian.
146 [2010/09/01 20:54:37] <a3li> no swearing please :)
147 [2010/09/01 20:54:38] <keytoaster> ok, then what have our leads done in the last two years?
148 [2010/09/01 20:54:39] <vorlon078> and in rare cases decisions have to be made
149 [2010/09/01 20:54:43] <p-y> keytoaster: at least for the CERT mails
150 [2010/09/01 20:54:45] <keytoaster> i don't recall there has been any decision
151 [2010/09/01 20:54:48] <p-y> and that kind of stuff
152 [2010/09/01 20:55:29] <Chainsaw> keytoaster: The best managers are the ones you don't see (micro!)managing stuff all the time.
153 [2010/09/01 20:55:44] <jaervosz> back then leads just meant taking in the lead in doing the hard work and ensuring some progress
154 [2010/09/01 20:55:45] <p-y> keytoaster: not that much, I have to admit :(
155 [2010/09/01 20:55:57] <vorlon078> well there used to be administrative stuff like rights for bugzie, v-sec etc.
156 [2010/09/01 20:56:00] <keytoaster> p-y: it wasn't meant to be an insult
157 [2010/09/01 20:56:04] <p-y> I know
158 [2010/09/01 20:56:08] <p-y> but still
159 [2010/09/01 20:56:10] <keytoaster> more like there simply was no need for them
160 [2010/09/01 20:56:17] <vorlon078> leads were the points of contact for cert and encrypted mail etc
161 [2010/09/01 20:56:35] <rbu> Chainsaw: we don't need micro management. but we also need someone who understands the state of the group, and keeps them together
162 [2010/09/01 20:56:42] <keytoaster> vorlon078: ok, that's about it
163 [2010/09/01 20:56:49] <a3li> rbu: ++
164 [2010/09/01 20:56:54] <rbu> i do not feel i can currently do that, so i'd be happy if new (old) faces could step up
165 [2010/09/01 20:57:02] <rbu> old=known
166 [2010/09/01 20:57:16] <vorlon078> lol
167 [2010/09/01 20:57:26] <vorlon078> anyway
168 [2010/09/01 20:57:37] <vorlon078> is there anyone willing and able to do it?
169 [2010/09/01 20:57:38] <a3li> well if you want a newish face, I'd be happy to help out
170 [2010/09/01 20:57:46] <keytoaster> me too
171 [2010/09/01 20:57:51] * Chainsaw votes for a3li
172 [2010/09/01 20:57:57] <keytoaster> simply because we're the few active people
173 [2010/09/01 20:57:58] * _Craig_ points at a3li, too
174 [2010/09/01 20:58:29] <rbu> just don't do it like py and me did.. afer the vote, disappear!
175 [2010/09/01 20:58:34] <vorlon078> I would have said me too, but since I can't guarantee a fixed amount of dedicated time yet, that would not be the best choice
176 [2010/09/01 20:58:41] <p-y> rbu++
177 [2010/09/01 20:59:15] <rbu> ok.. anyone else who wants to be nominated?
178 [2010/09/01 20:59:29] <vorlon078> Chainsaw and a3li so far
179 [2010/09/01 20:59:33] <keytoaster> i would nominate craig on top of that
180 [2010/09/01 20:59:40] <_Craig_> Oo
181 [2010/09/01 20:59:41] <Chainsaw> vorlon078: What? No. keytoaster & a3li.
182 [2010/09/01 20:59:44] <a3li> vorlon078: you mean keytoaster and me :)
183 [2010/09/01 20:59:51] <vorlon078> oops type and tab completions, sorry
184 [2010/09/01 21:00:03] <Chainsaw> The sound herd pulled that trick last time.
185 [2010/09/01 21:00:06] <vorlon078> so keytoaster and a3li with _Craig_ on top
186 [2010/09/01 21:00:12] * Chainsaw is not falling for that again
187 [2010/09/01 21:00:13] <a3li> erm *cough*
188 [2010/09/01 21:01:15] <a3li> so anyone else?
189 [2010/09/01 21:01:56] <rbu> ETIMEOUT
190 [2010/09/01 21:02:01] * Chainsaw points at a3li
191 [2010/09/01 21:02:11] <vorlon078> _Craig_: want to be nominated?
192 [2010/09/01 21:02:56] <rbu> do we have one or two votes per team member?
193 [2010/09/01 21:03:09] <vorlon078> next question... how many leads
194 [2010/09/01 21:03:11] <_Craig_> uhm, I'd prefer being a full dev before leading anything
195 [2010/09/01 21:03:14] <a3li> we did some combined vote last time
196 [2010/09/01 21:03:18] <vorlon078> we used to have 2 and had 3 for some time too
197 [2010/09/01 21:03:29] <_Craig_> let's have 2 votes
198 [2010/09/01 21:03:41] <_Craig_> should we vote on that? ;)
199 [2010/09/01 21:03:55] * keytoaster votes for 2 votes
200 [2010/09/01 21:04:00] <vorlon078> arghhhhh
201 [2010/09/01 21:04:06] * p-y seconds keytoaster
202 [2010/09/01 21:04:15] <rbu> _Craig_: you do not have to be an ebuild dev to be a team lead
203 [2010/09/01 21:04:23] <vorlon078> rbu: ++
204 [2010/09/01 21:05:13] <rbu> _Craig_: in fact, it may even help you keep focus not to be distracted by latest release of $software
205 [2010/09/01 21:05:33] <vorlon078> so if we simply have 2 or 3 nominees we could vote for all en bloc
206 [2010/09/01 21:06:11] <vorlon078> if nobody objects to that, or give votes and take the 2? with the highest amount of votes
207 [2010/09/01 21:06:12] <_Craig_> rbu: I know that, but still. I'm know I'm just too busy right now and for the next months.
208 [2010/09/01 21:06:40] <_Craig_> So, next time. ;)
209 [2010/09/01 21:07:34] <rbu> _Craig_: too bad.. but i appreciate your anticipation
210 [2010/09/01 21:07:35] <vorlon078> ok
211 [2010/09/01 21:07:40] <vorlon078> yeah
212 [2010/09/01 21:08:01] <_Craig_> so, two votes.
213 [2010/09/01 21:08:04] <vorlon078> then if nobody objects I say we simply vote on accepting the two nominees
214 [2010/09/01 21:08:12] <rbu> vorlon078: ++
215 [2010/09/01 21:08:13] <a3li> yes. one vote
216 [2010/09/01 21:08:17] <p-y> yep
217 [2010/09/01 21:08:20] <_Craig_> okok
218 [2010/09/01 21:08:24] <rbu> i want a3li and keytoaster as leads
219 [2010/09/01 21:08:31] <a3li> _Craig_: what would happen if one would be not accepted? :)
220 [2010/09/01 21:08:32] <_Craig_> me, too.
221 [2010/09/01 21:08:44] <vorlon078> I vote for a3li and keytoaster as well
222 [2010/09/01 21:08:49] <p-y> me too
223 [2010/09/01 21:08:55] <jaervosz> me too:)
224 [2010/09/01 21:09:02] <_Craig_> a3li: damocles sword will hit someone.
225 [2010/09/01 21:09:06] <keytoaster> so can a3li and me vote for ourselves?
226 [2010/09/01 21:09:11] <Chainsaw> I confirm, a3li as primary, keytoaster as secondary.
227 [2010/09/01 21:09:13] <vorlon078> sure you can
228 [2010/09/01 21:09:46] <rbu> you should! or do you not trust yourselves?
229 [2010/09/01 21:09:56] <keytoaster> ok, i vote for a3li and me :)
230 [2010/09/01 21:10:13] <a3li> I vote against not being team lead together with keytoaster
231 [2010/09/01 21:10:23] <vorlon078> then so it will be
232 [2010/09/01 21:10:23] <keytoaster> shit, now we're screwed
233 [2010/09/01 21:10:33] <keytoaster> oh wait, "against not"
234 [2010/09/01 21:10:39] <a3li> haha
235 [2010/09/01 21:10:44] <keytoaster> you got me there :(
236 [2010/09/01 21:11:00] <_Craig_> haha
237 [2010/09/01 21:11:00] <vorlon078> i count many votes for and none against a3li and keytoaster as the new team leads
238 [2010/09/01 21:11:13] <rbu> congrats
239 [2010/09/01 21:11:17] <Chainsaw> vorlon078: "Unanimous" is shorter.
240 [2010/09/01 21:11:19] <a3li> well I want to thank our two predecessors. especially rbu for always replying to my enquiries about the content of the CERT emails I couldn't read :)
241 [2010/09/01 21:11:38] <keytoaster> ++
242 [2010/09/01 21:11:39] <vorlon078> congrats a3li and keytoaster
243 [2010/09/01 21:11:50] <vorlon078> in case you accept the voting of course
244 [2010/09/01 21:11:52] <vorlon078> ;-)
245 [2010/09/01 21:11:56] <rbu> first action duty as new leads: buy old leads beer
246 [2010/09/01 21:12:01] <p-y> ++
247 [2010/09/01 21:12:16] <a3li> rbu: sure, if you show up here :)
248 [2010/09/01 21:12:20] <vorlon078> and two bear for the leads before the old leads
249 [2010/09/01 21:12:22] <_Craig_> rbu: ...if they show up and file bugs :P
250 [2010/09/01 21:12:26] <vorlon078> beer even
251 [2010/09/01 21:12:29] <keytoaster> bear
252 [2010/09/01 21:12:32] <a3li> vorlon078: here, have a pedobear
253 [2010/09/01 21:12:33] <keytoaster> sec, gonna shoot some
254 [2010/09/01 21:12:46] <vorlon078> yeah just keep hitting
255 [2010/09/01 21:12:58] <vorlon078> :-P
256 [2010/09/01 21:13:00] <vorlon078> ok
257 [2010/09/01 21:13:04] <a3li> agenda++;
258 [2010/09/01 21:13:09] <vorlon078> if there are no objections again, then lets go on
259 [2010/09/01 21:13:21] <vorlon078> # Population of several mail aliases, bugzilla groups etc.
260 [2010/09/01 21:13:56] <vorlon078> we need to go through the v-sec alias to see, cert mails and bugzilla security group
261 [2010/09/01 21:13:58] <keytoaster> what is meant by that exactly?
262 [2010/09/01 21:14:01] <vorlon078> -to see
263 [2010/09/01 21:14:24] <vorlon078> who is supposed to be receiving cert mails at the moment
264 [2010/09/01 21:14:34] <vorlon078> who should be on v-sec, which is pretty crowded right now
265 [2010/09/01 21:14:50] <a3li> To: Matthias Geerdsen <vorlon@g.o>, Raphael Marichez <falco@g.o>, Pierre-Yves Rofes <py@g.o>, Robert Buchholz <rbu@g.o>
266 [2010/09/01 21:14:51] <vorlon078> and who should be on the bugzilla group for security bugs and be able to set that membership
267 [2010/09/01 21:14:54] <a3li> Cc: Gentoo Security Team <security@g.o>, CERT Coordination Center <cert@××××.org>
268 [2010/09/01 21:14:57] <a3li> that is CERT as-is
269 [2010/09/01 21:15:02] <keytoaster> ok, cert: is it policy by them that only the leads (or only 2?) people may receive the mails?
270 [2010/09/01 21:15:16] <_Craig_> who should be on the bugzilla group for security bugs and be able to set that membership << leads.
271 [2010/09/01 21:15:19] <vorlon078> keytoaster: no, I made the contact a few years ago
272 [2010/09/01 21:15:32] <keytoaster> any reason against having everyone receive them?
273 [2010/09/01 21:15:32] <vorlon078> and there should be no such policy from cert side
274 [2010/09/01 21:15:47] <_Craig_> who should be on v-sec << seniors (+1 years active in the security team)
275 [2010/09/01 21:15:59] <keytoaster> i mean, the entire team deals with confidential stuff, not receiving the cert mails won't make a difference wrt trustworthyness
276 [2010/09/01 21:16:02] <a3li> maybe let's focus on one list
277 [2010/09/01 21:16:04] <a3li> so CERT forst
278 [2010/09/01 21:16:05] <a3li> *first
279 [2010/09/01 21:16:10] <vorlon078> a3li: ++
280 [2010/09/01 21:16:17] <a3li> the problem with CERT is that they GPG sign
281 [2010/09/01 21:16:23] <a3li> so we cannot just update the list of recievers
282 [2010/09/01 21:16:27] <vorlon078> exactly
283 [2010/09/01 21:16:49] <vorlon078> a few more people would be good, so that we avoid forwarding in cleartext
284 [2010/09/01 21:17:32] <vorlon078> who actually would like to get the mails directly from cert?
285 [2010/09/01 21:17:35] <keytoaster> a few more on top of the ones that already receive them?
286 [2010/09/01 21:17:38] <p-y> at least the new leads should
287 [2010/09/01 21:17:54] <vorlon078> sorry for my sucky grammar and spelling today, pretty tired
288 [2010/09/01 21:18:01] <vorlon078> p-y: agreed
289 [2010/09/01 21:18:38] <rbu> craig and chainsaw could alse see them. i see no point in leaving them out
290 [2010/09/01 21:18:50] <keytoaster> rbu++
291 [2010/09/01 21:18:53] <keytoaster> that's my point
292 [2010/09/01 21:18:55] <rbu> i'd rather exclude myself from that list if they object to sending to 8 people
293 [2010/09/01 21:19:26] <vorlon078> then let's ask the other way around, is there anyone who does not want to get the cert mails
294 [2010/09/01 21:20:17] <vorlon078> then I would just ask them to add everyone who is attending this meeting and a member of the security project
295 [2010/09/01 21:20:20] <keytoaster> hrm, perhaps we should start by talking about who "the team" is. there are some people on the project page that have a) been inactive for years and b) not shown up to the meeting
296 [2010/09/01 21:20:33] <keytoaster> cool, we have the same thoughts there :)
297 [2010/09/01 21:20:55] <vorlon078> then let me add ...at the end of this meeting
298 [2010/09/01 21:21:01] <vorlon078> is that alright for everyone
299 [2010/09/01 21:21:07] <rbu> vorlon078: ++
300 [2010/09/01 21:21:09] <_Craig_> yo
301 [2010/09/01 21:21:10] <p-y> yep
302 [2010/09/01 21:21:17] <vorlon078> i will put a list together and send it on the security alias before sending to cert
303 [2010/09/01 21:21:19] <keytoaster> yup
304 [2010/09/01 21:21:27] <keytoaster> good
305 [2010/09/01 21:21:36] <a3li> wasn't that the job of the leads? :)
306 [2010/09/01 21:21:40] <a3li> vorlon078: ^
307 [2010/09/01 21:22:24] <vorlon078> well job of old leads is to get people on the cert list
308 [2010/09/01 21:22:32] <vorlon078> :)
309 [2010/09/01 21:22:41] <a3li> well. if you want to do it, do it.
310 [2010/09/01 21:22:44] <rbu> job of the lead is making sure things get done. not necessarily doing them ;-)
311 [2010/09/01 21:23:00] <a3li> okay, so no pointing at tobias and me for not doing our job then :)
312 [2010/09/01 21:23:21] <jaervosz> rbu: exactly
313 [2010/09/01 21:23:26] <vorlon078> I simply said I would do it, since I am a known contact for cert
314 [2010/09/01 21:23:31] <vorlon078> anyway
315 [2010/09/01 21:23:34] <vorlon078> lets get on
316 [2010/09/01 21:23:37] <vorlon078> v-sec alias
317 [2010/09/01 21:23:42] <a3li> vendor-sec : rbu,py,falco,jaervosz,vorlon,a3li
318 [2010/09/01 21:23:51] <rbu> get me off
319 [2010/09/01 21:23:55] <vorlon078> ah, I thought there were more
320 [2010/09/01 21:24:01] <a3li> I'd like at least keytoaster to be there as well
321 [2010/09/01 21:24:08] <rbu> there should be 2-4 active people on there
322 [2010/09/01 21:24:11] <a3li> and falco off before anyone else
323 [2010/09/01 21:24:12] <vorlon078> if you don't mind I would like to stay on the alias
324 [2010/09/01 21:24:18] <keytoaster> and _Craig_ on, if he wants
325 [2010/09/01 21:24:19] <vorlon078> planning to be more active anyway
326 [2010/09/01 21:24:33] <keytoaster> vorlon078: good
327 [2010/09/01 21:24:50] <vorlon078> if it is a problem for anyone, I don
328 [2010/09/01 21:24:56] <vorlon078> 't mind if you want to get me off the list
329 [2010/09/01 21:24:57] <_Craig_> vendorsec: me too, if possible.
330 [2010/09/01 21:25:02] <jaervosz> i'm hoping to be more active as well, but can be removed if needed
331 [2010/09/01 21:25:10] <a3li> a3li,keytoaster,vorlon,X
332 [2010/09/01 21:25:10] <p-y> jaervosz++
333 [2010/09/01 21:25:37] <vorlon078> then I would say current alias -falco +craig
334 [2010/09/01 21:25:47] <_Craig_> :)
335 [2010/09/01 21:26:31] <vorlon078> any objections?
336 [2010/09/01 21:26:33] <p-y> and keytoaster?
337 [2010/09/01 21:26:38] <a3li> yeah
338 [2010/09/01 21:26:39] <keytoaster> oh, right
339 [2010/09/01 21:26:40] <vorlon078> ah yeah of course
340 [2010/09/01 21:26:43] <keytoaster> p-y: good catch
341 [2010/09/01 21:26:47] <p-y> heh :)
342 [2010/09/01 21:27:00] <a3li> so rbu says max 4 people
343 [2010/09/01 21:27:03] <a3li> we're at 6 already
344 [2010/09/01 21:27:09] <a3li> with keytoaster and craig 7
345 [2010/09/01 21:27:13] <vorlon078> rbu,py,jaervosz,vorlon,a3li,keytoaster,craig
346 [2010/09/01 21:27:15] <a3li> (and falco removed)
347 [2010/09/01 21:27:19] <keytoaster> is that rbu's opinion or policy vendor-sec-wise?
348 [2010/09/01 21:27:35] <vorlon078> v-sec would like to keep it low at least
349 [2010/09/01 21:27:48] <vorlon078> i don't know the original deal
350 [2010/09/01 21:28:47] <rbu> i think hardly any distro has so many people on the list. i don't think there's a policy, i rather feel that with the "state" of the list (you know what i mean) there should really be a limited number of people on there
351 [2010/09/01 21:28:59] <keytoaster> vorlon078: well, they can assume that we'd leak it otherwise anyway :)
352 [2010/09/01 21:29:10] <vorlon078> rbu is right though
353 [2010/09/01 21:29:49] <jaervosz> yeah rbu is right
354 [2010/09/01 21:30:02] @ robbat2|na joined channel #gentoo-security
355 [2010/09/01 21:30:06] <jaervosz> at least just remove me and let the proven active ppl on the alias
356 [2010/09/01 21:30:15] <rbu> just as a sidenote.. i'm currently considering whether i can put any time into gentoo security anymore or not. and if i want to do more, there's plenty work outside of vendor sec
357 [2010/09/01 21:30:16] <robbat2|na> solar, you want to be sec team infra contact?
358 [2010/09/01 21:30:31] <jaervosz> if devs go awol for some time just replace them with active devs
359 [2010/09/01 21:30:56] <a3li> rbu: :( but thanks for being specific
360 [2010/09/01 21:31:13] <robbat2|na> re infra contact, what all do you need from me? how's the new glsamaker that a3li was working on?\
361 [2010/09/01 21:31:22] <a3li> robbat2|na: later on the agenda
362 [2010/09/01 21:31:39] <p-y> robbat2|na: we're in the middle of a meeting
363 [2010/09/01 21:31:44] <a3li> robbat2|na: and I think there's a special group for editing the security aliases. keytoaster and I would like access as new team leads
364 [2010/09/01 21:31:47] <keytoaster> my fault, i ordered him here :)
365 [2010/09/01 21:31:55] <robbat2|na> keytoaster asked me here re infra contact
366 [2010/09/01 21:32:07] <rbu> robbat2|na: i guess the main question is.. who is klieber? is there a point in having him as infra liaison?
367 [2010/09/01 21:32:14] <keytoaster> robbat2|na: lol
368 [2010/09/01 21:32:17] <keytoaster> err
369 [2010/09/01 21:32:19] <keytoaster> rbu: lol
370 [2010/09/01 21:32:26] <vorlon078> heh
371 [2010/09/01 21:32:30] <robbat2|na> klieber's still nominally infra, but hasn't been seen in ages, and potentially retirable
372 [2010/09/01 21:32:49] <vorlon078> klieber was also one of the founders of the sec team if i remember right
373 [2010/09/01 21:32:49] <robbat2|na> that's why I was asking what you need out of an infra liaison
374 [2010/09/01 21:32:55] <vorlon078> but i haven't seen him for years
375 [2010/09/01 21:33:05] <robbat2|na> as if he hasn't been around, and you haven't need anything from him, does the position even need to exist?
376 [2010/09/01 21:33:20] <keytoaster> i don't think so
377 [2010/09/01 21:33:23] <vorlon078> robbat2|na: I don't believe that job is well defined
378 [2010/09/01 21:33:30] <robbat2|na> if it does, what do you need from the person?
379 [2010/09/01 21:33:40] <rbu> i think we just cc'ed you and solar anyway if infra needs to act on a confidential bug
380 [2010/09/01 21:33:46] <keytoaster> we basically just need him for shell access ont he glsamaker box
381 [2010/09/01 21:33:56] <vorlon078> we used to cc someone from infra on confidential bugs relevant for infra
382 [2010/09/01 21:34:22] <vorlon078> keytoaster: leads used to have shell on the current infra box
383 [2010/09/01 21:34:29] <robbat2|na> just drop the position, and CC me/solar
384 [2010/09/01 21:34:34] <vorlon078> robbat2|na: agreed
385 [2010/09/01 21:34:37] <robbat2|na> other infra needs are pretty stock
386 [2010/09/01 21:34:48] <keytoaster> ok, agreed
387 [2010/09/01 21:35:43] <robbat2|na> i'll lurk here now, for the new glsamaker stuff later
388 [2010/09/01 21:35:43] <a3li> good.
389 [2010/09/01 21:35:49] <a3li> okay.
390 [2010/09/01 21:35:50] <vorlon078> if there are no objections we will then do as robbat2|na just proposed
391 [2010/09/01 21:35:53] <robbat2|na> ping if you need me
392 [2010/09/01 21:36:03] <vorlon078> thanks robbat2|na
393 [2010/09/01 21:36:07] <a3li> vorlon078: ack
394 [2010/09/01 21:36:08] <vorlon078> then lets get back to v-sec
395 [2010/09/01 21:36:12] <keytoaster> good
396 [2010/09/01 21:36:50] <vorlon078> we proposed "rbu,py,jaervosz,vorlon,a3li,keytoaster,craig" but that was too many
397 [2010/09/01 21:37:03] <keytoaster> so let's divide that into two groups: 1) people that we want to have there for sure, and 2) people who can still be on there if allowed
398 [2010/09/01 21:37:22] <a3li> I think on there for sure would be keytoaster, vorlon and me
399 [2010/09/01 21:37:26] * jaervosz is 2 unfortunately
400 [2010/09/01 21:37:36] <vorlon078> and do we actually want to discuss the names on that alias publicly?
401 [2010/09/01 21:37:46] <a3li> it's publically visible for any dev
402 [2010/09/01 21:37:47] <jaervosz> vorlon078: we already kind of did that....
403 [2010/09/01 21:37:56] <vorlon078> i know ;-)
404 [2010/09/01 21:37:58] <rbu> vorlon078: lol... too late
405 [2010/09/01 21:38:03] <vorlon078> i am for transparency anyways
406 [2010/09/01 21:38:03] <jaervosz> vorlon078: so unless you want to recruit a completely new team...
407 [2010/09/01 21:38:10] <a3li> we just rename
408 [2010/09/01 21:38:13] @ a3li is now known as a4li
409 [2010/09/01 21:38:14] <a4li> see?
410 [2010/09/01 21:38:16] <vorlon078> cool
411 [2010/09/01 21:38:17] <p-y> lol
412 [2010/09/01 21:38:22] <jaervosz> lol
413 [2010/09/01 21:38:37] <vorlon078> for security reasons the team's nicknames have to be changed weekly
414 [2010/09/01 21:38:45] <a4li> oh my, hopefully that's a long long
415 [2010/09/01 21:38:47] <vorlon078> sorry for the interruption
416 [2010/09/01 21:38:50] <a4li> or else I'll overflow soon :(
417 [2010/09/01 21:38:50] <rbu> 1) a3li,keytoaster,craig
418 [2010/09/01 21:39:11] <vorlon078> yep
419 [2010/09/01 21:39:24] <a4li> I think we should be able to allow 2 people from the 2) group
420 [2010/09/01 21:39:36] <a4li> or we could assign those later
421 [2010/09/01 21:39:50] <a4li> let's say in X months, after you've all had a chance to see how much time you can spend with gentoo sec
422 [2010/09/01 21:40:26] @ a4li is now known as a3li
423 [2010/09/01 21:40:27] <rbu> or "when you made the glsa backlog half its size"
424 [2010/09/01 21:40:38] <_Craig_> we can still try getting everyone in.
425 [2010/09/01 21:40:41] <a3li> I think sending that mozilla GLSA should be even enough :)
426 [2010/09/01 21:40:43] <p-y> a3li: that sounds reasonable
427 [2010/09/01 21:41:39] <jaervosz> a3li: sounds reasonable
428 [2010/09/01 21:41:55] <rbu> _Craig_: it's really not a question of getting people in. we administrate who is in and who is out. it's rather a question of ... let's say respect (?) to the group
429 [2010/09/01 21:42:14] <vorlon078> besides
430 [2010/09/01 21:42:25] <vorlon078> v-sec likes people on the list to be active members
431 [2010/09/01 21:42:31] <vorlon078> on the list that is
432 [2010/09/01 21:42:57] <vorlon078> ok
433 [2010/09/01 21:43:33] <vorlon078> so for now we put a3li keytoaster and _Craig_
434 [2010/09/01 21:44:10] <vorlon078> btw, it would be good to inform v-sec of changes on the alias, others do that too
435 [2010/09/01 21:44:18] <a3li> yes.
436 [2010/09/01 21:44:29] <a3li> I'd say let's talk about the other spots around christmas?
437 [2010/09/01 21:44:34] <a3li> three months should be reasonable
438 [2010/09/01 21:44:48] <vorlon078> a3li: I wanted to talk about a date for the next meeting in the end anyways
439 [2010/09/01 21:44:51] <vorlon078> and regular meetings
440 [2010/09/01 21:45:21] <vorlon078> are there any objections to the above change for the vendor-sec alias?
441 [2010/09/01 21:45:27] <a3li> no
442 [2010/09/01 21:45:29] <keytoaster> no
443 [2010/09/01 21:45:45] <jaervosz> no
444 [2010/09/01 21:46:21] <vorlon078> alright
445 [2010/09/01 21:46:43] <keytoaster> btw, is anyone gonna write a meeting summary?
446 [2010/09/01 21:46:49] <keytoaster> if no, i'd do that
447 [2010/09/01 21:46:59] <vorlon078> keytoaster: good, then you do it ;-)
448 [2010/09/01 21:47:02] <vorlon078> otherwise i would have
449 [2010/09/01 21:47:10] <Chainsaw> No objections.
450 [2010/09/01 21:47:21] <keytoaster> ok
451 [2010/09/01 21:47:38] <a3li> I'll do the v-s notification and alias changing
452 [2010/09/01 21:47:42] <Chainsaw> I'm happy with how I'm kept in the loop on everything; I realise I'm not the most active person for security right now.
453 [2010/09/01 21:47:43] <vorlon078> a3li: keytoaster then I would say go ahead and ask infra to change the alias
454 [2010/09/01 21:47:54] <keytoaster> vorlon078: i think we can change the alias ourselves
455 [2010/09/01 21:48:01] <keytoaster> err, the alias
456 [2010/09/01 21:48:04] <Chainsaw> If it's relevant to my interests I trust someone will forward it to me :)
457 [2010/09/01 21:48:05] <keytoaster> sorry, i was thinking bugzilla
458 [2010/09/01 21:48:13] <a3li> robbat2|na: can you add keytoaster and me to the securitymail group on pecker?
459 [2010/09/01 21:48:32] <vorlon078> a3li: thats not enough, at least it used not to be
460 [2010/09/01 21:48:51] <a3li> maybe robbat2|na can make it be enough? :)
461 [2010/09/01 21:48:51] <keytoaster> well, we can edit the alias file then :)
462 [2010/09/01 21:49:00] <vorlon078> argh
463 [2010/09/01 21:49:27] <vorlon078> vendor-sec can only be edited by infra afaict/afaik
464 [2010/09/01 21:49:33] <robbat2|na> ok, you should be able to edit all aliases in /var/mail/alias/security/ now (after you cycle login to get new groups)
465 [2010/09/01 21:49:33] <vorlon078> that is not the worst thing i guess
466 [2010/09/01 21:49:41] <robbat2|na> i can move vendor-sec alias if you want?
467 [2010/09/01 21:50:01] <a3li> robbat2|na: please do
468 [2010/09/01 21:50:14] <robbat2|na> done
469 [2010/09/01 21:50:14] @ Ford_Prefect joined channel #gentoo-security
470 [2010/09/01 21:50:20] <a3li> gracias
471 [2010/09/01 21:50:41] <vorlon078> securitymail group currently consists of: solar,vorlon,falco,py,rbu,keytoaster,a3li
472 [2010/09/01 21:51:52] <p-y> we should add _Craig_
473 [2010/09/01 21:52:24] <a3li> I think leads is enough
474 [2010/09/01 21:52:33] <a3li> as the group basically reads like a lead history
475 [2010/09/01 21:53:04] <vorlon078> a3li: it used to be leads, we actually introduced editing the alias ourselves back at that time
476 [2010/09/01 21:53:05] <_Craig_> agreed.
477 [2010/09/01 21:53:22] <rbu> why not remove old leads then?
478 [2010/09/01 21:53:24] <vorlon078> and it does not make sense to restrict the v-sec exploder when we all can change it
479 [2010/09/01 21:53:30] <rbu> only make it keytoaster,a3li
480 [2010/09/01 21:53:32] <keytoaster> vorlon078++
481 [2010/09/01 21:53:44] <vorlon078> and to add a little history to that
482 [2010/09/01 21:54:04] <vorlon078> it was quite hard for gentoo to get on vendor-sec in the first place
483 [2010/09/01 21:54:21] <vorlon078> that is a reason why the alias was under strict control
484 [2010/09/01 21:54:56] <vorlon078> since vendor-sec is a lot about trust, we should keep that in mind
485 [2010/09/01 21:55:06] <a3li> okay
486 [2010/09/01 21:55:19] <keytoaster> good
487 [2010/09/01 21:55:27] <jaervosz> vorlon078: reading mail is one thing, having ssh login to the mail server is another
488 [2010/09/01 21:55:34] <a3li> robbat2|na: please drop everyone besides keytoaster and me from securitymail
489 [2010/09/01 21:55:38] <a3li> jaervosz: it's dev.gentoo.org :)
490 [2010/09/01 21:56:03] <jaervosz> a3li: some of us get our mail forwarded to other boxes
491 [2010/09/01 21:56:07] <vorlon078> a mail server where every dev has shell access would be a topic in itself i guess
492 [2010/09/01 21:56:16] <vorlon078> anyways
493 [2010/09/01 21:56:21] <a3li> anyways!
494 [2010/09/01 21:56:22] <vorlon078> let's move on
495 [2010/09/01 21:56:25] <vorlon078> bugzie
496 [2010/09/01 21:56:41] <a3li> 21:17:47 < idl0r> a3li, craig, falco, jaervosz, keytoaster, py, rbu, vapier, vorlon
497 [2010/09/01 21:56:58] <vorlon078> members of the security group
498 [2010/09/01 21:57:01] <robbat2|na> a3li, done
499 [2010/09/01 21:57:04] <a3li> see above
500 [2010/09/01 21:57:06] <a3li> robbat2|na: thanks
501 [2010/09/01 21:57:22] <robbat2|na> i can make a new group for that one file if that would help too
502 [2010/09/01 21:57:35] <a3li> I think we're good now
503 [2010/09/01 21:57:48] <a3li> the alias isn't any less confidential as v-s
504 [2010/09/01 21:57:55] <a3li> security@ being the 'alias'
505 [2010/09/01 21:58:13] <robbat2|na> ok
506 [2010/09/01 21:58:17] <a3li> bugzilla: we can keep things the way they are imo.
507 [2010/09/01 21:58:32] <rbu> re security group. i think everyone on the alias should be in the group, and that is everyone in the team ?
508 [2010/09/01 21:58:39] <a3li> ack
509 [2010/09/01 21:58:45] <a3li> more or less
510 [2010/09/01 21:58:57] <rbu> more or less?
511 [2010/09/01 21:59:02] <a3li> security : klieber,jaervosz,vorlon,vapier,falco,solar,py,keytoaster,rbu,a3li,asym,craig
512 [2010/09/01 21:59:05] <a3li> that's the alias
513 [2010/09/01 21:59:10] <vorlon078> asym?
514 [2010/09/01 21:59:15] <jaervosz> yeah asym?
515 [2010/09/01 21:59:20] <keytoaster> lol
516 [2010/09/01 21:59:21] <a3li> he did kernel-check with rbu in 2009
517 [2010/09/01 21:59:25] <rbu> he was doing kernel security, but is being retired now
518 [2010/09/01 21:59:25] <a3li> already being retired
519 [2010/09/01 21:59:32] <vorlon078> then remove him
520 [2010/09/01 21:59:35] <vorlon078> klieber too?
521 [2010/09/01 21:59:37] <_Craig_> it's not through yet
522 [2010/09/01 21:59:44] <_Craig_> he was given the usual 14 days
523 [2010/09/01 21:59:52] <vorlon078> and this weird craig guy
524 [2010/09/01 22:00:00] <vorlon078> :-P
525 [2010/09/01 22:00:29] <rbu> "who is in the team" is another question. but i think there should be no "more or less", but the stuff should be in sync
526 [2010/09/01 22:00:38] <vorlon078> agreed
527 [2010/09/01 22:00:42] <keytoaster> yup, right
528 [2010/09/01 22:00:49] <jaervosz> rbu: the team is the security alias as i see it
529 [2010/09/01 22:00:50] <vorlon078> there used to be the powers.xml which described who can do what
530 [2010/09/01 22:00:57] <Chainsaw> I'm happy to just be AMD64 liaison, yes :)
531 [2010/09/01 22:01:03] <jaervosz> + padawans et al
532 [2010/09/01 22:01:28] <vorlon078> padawans have not been on the security alias
533 [2010/09/01 22:01:30] <rbu> vorlon078: i think chainsaw is in the team, no?
534 [2010/09/01 22:01:42] <a3li> he's a padawan technically
535 [2010/09/01 22:01:48] <rbu> oh man
536 [2010/09/01 22:01:53] <p-y> vorlon078: you mean http://dev.gentoo.org/~falco/powers.html ?
537 [2010/09/01 22:01:54] <a3li> but now hired to the council
538 [2010/09/01 22:01:55] <keytoaster> huge mess here
539 [2010/09/01 22:02:06] <rbu> Chainsaw: get your butt up and join, man! :-)
540 [2010/09/01 22:02:14] <vorlon078> p-y: yes
541 [2010/09/01 22:02:20] <vorlon078> that was made by koon way back
542 [2010/09/01 22:02:21] <keytoaster> p-y: whoa, we'll have to move that into our project space
543 [2010/09/01 22:02:27] <p-y> indeed
544 [2010/09/01 22:02:28] <keytoaster> i can do that if you want
545 [2010/09/01 22:02:34] <vorlon078> make it so
546 [2010/09/01 22:02:37] <Chainsaw> rbu: With my current workload, it wouldn't be fair. A colleague of mine has left, and I'm doing the job of about 3 or 4 people right now.
547 [2010/09/01 22:03:08] <vorlon078> brb
548 [2010/09/01 22:03:10] <a3li> okay as for security@ right now
549 [2010/09/01 22:03:15] <a3li> I'll remove klieber and asym
550 [2010/09/01 22:03:16] <rbu> Chainsaw: sucks. sorry. well, hope you get more help@work soon then
551 [2010/09/01 22:03:25] <keytoaster> ok, vorlon078 is brb, me too
552 [2010/09/01 22:03:29] <keytoaster> 5-10 minutes
553 [2010/09/01 22:03:30] <keytoaster> sorry
554 [2010/09/01 22:03:32] <p-y> there's probably other interesting stuff to merge in ~falco
555 [2010/09/01 22:03:49] <Chainsaw> rbu: There's budget for an assistant next year.
556 [2010/09/01 22:03:58] <Chainsaw> rbu: I will be looking for a Gentoo developer with commit privs.
557 [2010/09/01 22:04:19] <rbu> not too hard to find in this channel i guess
558 [2010/09/01 22:04:23] <vorlon078> back
559 [2010/09/01 22:04:44] <vorlon078> a3li: ack wrt security@
560 [2010/09/01 22:04:50] <a3li> mhm being Chainsaw's PFY would mean access to those nice salt and vinegar crisps they have in GB
561 [2010/09/01 22:04:59] <a3li> okay
562 [2010/09/01 22:05:30] <Chainsaw> Yes, and living in the cathedral city of Peterborough :)
563 [2010/09/01 22:05:42] <vorlon078> we could make a short break for keytoaster and start with team membership afterwards
564 [2010/09/01 22:05:45] <a3li> as long as it has a pub
565 [2010/09/01 22:06:24] <vorlon078> then we should speed things up a little
566 [2010/09/01 22:06:28] <Chainsaw> a3li: Many pubs, yes :)
567 [2010/09/01 22:07:07] <a3li> okay, short break, let's go on at :15
568 [2010/09/01 22:07:26] <vorlon078> yes
569 [2010/09/01 22:07:30] <Chainsaw> I would actually like to go home at some point.
570 [2010/09/01 22:07:30] <p-y> the part 4 is probably the biggest and most interesting
571 [2010/09/01 22:07:39] <Chainsaw> It is 9pm and I'm sitting at my work desk.
572 [2010/09/01 22:08:08] <a3li> Chainsaw: feel free to leave, there will be no more voting I guess. we'll have a log and you can always ask questions later
573 [2010/09/01 22:08:22] <Chainsaw> Okay, thanks :)
574 [2010/09/01 22:09:09] @ Quit: Chainsaw: Remote host closed the connection
575 [2010/09/01 22:09:45] <keytoaster> back
576 [2010/09/01 22:11:49] <_Craig_> let's go on
577 [2010/09/01 22:15:08] <_Craig_> hullo?
578 [2010/09/01 22:15:21] <a3li> now is :15
579 [2010/09/01 22:15:23] <a3li> everyone back? :)
580 [2010/09/01 22:15:23] * jaervosz is still here for a bit more
581 [2010/09/01 22:15:26] <vorlon078> yep
582 [2010/09/01 22:15:31] <vorlon078> let's move on
583 [2010/09/01 22:15:33] <p-y> ok
584 [2010/09/01 22:15:34] <a3li> okay so let's speeeeeed up
585 [2010/09/01 22:16:05] <vorlon078> so we sorted out the security alias I believe
586 [2010/09/01 22:16:22] <a3li> yes
587 [2010/09/01 22:16:33] <vorlon078> if there is nothing more about bugzilla et al, we could go on to team membership
588 [2010/09/01 22:16:39] <keytoaster> yes
589 [2010/09/01 22:16:44] <a3li> bugzilla is fine. defined to be == team
590 [2010/09/01 22:16:47] @ Quit: Ford_Prefect: Ping timeout: 240 seconds
591 [2010/09/01 22:16:54] <a3li> now, let's talk about who the team is
592 [2010/09/01 22:17:03] <keytoaster> actually
593 [2010/09/01 22:17:11] <keytoaster> who is able to add people to the bugzie group?
594 [2010/09/01 22:17:14] <vorlon078> there is still the
595 [2010/09/01 22:17:18] <vorlon078> exactly
596 [2010/09/01 22:17:29] <a3li> should be the leads as well, right?
597 [2010/09/01 22:17:34] <vorlon078> there is a group who can do that
598 [2010/09/01 22:17:43] <keytoaster> i don't think there is a group
599 [2010/09/01 22:17:45] <vorlon078> I am currently still in it I believe
600 [2010/09/01 22:17:49] <vorlon078> a bugzie group
601 [2010/09/01 22:17:49] <keytoaster> people just get the bit set to be able to set it
602 [2010/09/01 22:17:52] <vorlon078> whatever you call it
603 [2010/09/01 22:17:54] <vorlon078> yes
604 [2010/09/01 22:18:42] <keytoaster> actually i can change that bit
605 [2010/09/01 22:18:46] <a3li> so. bottom line: team leads should have that flag?
606 [2010/09/01 22:18:47] <keytoaster> because i'm a recruiter
607 [2010/09/01 22:18:55] <a3li> if yes, I'll talk to idl0r later and have things sorted.
608 [2010/09/01 22:19:01] <keytoaster> but i don't seem to find a way to see who already has it
609 [2010/09/01 22:19:13] <vorlon078> a3li: that was the idea behind it at that time
610 [2010/09/01 22:19:20] <a3li> okay. I'll get it done later.
611 [2010/09/01 22:19:26] <a3li> next agenda item?
612 [2010/09/01 22:19:27] <keytoaster> ok, cool.
613 [2010/09/01 22:20:06] <p-y> 4) handling of the current GLSA and bug queues and how to avoid such situations in the future
614 [2010/09/01 22:20:31] <jaervosz> bedtime here have to get up at 5 am in the morning. However with my new job i should be available during normal working hours to help out, i'll try pinging again in here in the morning
615 [2010/09/01 22:20:51] <vorlon078> good night jaervosz and hope to see you around again here
616 [2010/09/01 22:20:52] <a3li> yes, that's the most important bit. we need to get everyone working again.
617 [2010/09/01 22:20:58] <a3li> so thanks jaervosz, see you!
618 [2010/09/01 22:21:16] <keytoaster> ok, good night
619 [2010/09/01 22:21:27] <jaervosz> see you tomorrow and we'll do something about that terrible backlog
620 [2010/09/01 22:21:35] <a3li> that's the spirit!
621 [2010/09/01 22:22:03] <vorlon078> since it was brought up earlier that the new glsamaker might help cleaning the current queue, could someone shed some light on that
622 [2010/09/01 22:22:08] <vorlon078> shortly
623 [2010/09/01 22:22:28] <a3li> okay. we started writing a new glsamaker as you all know
624 [2010/09/01 22:22:33] <vorlon078> like eta and how it can help
625 [2010/09/01 22:22:36] <a3li> it's in a near-usable state
626 [2010/09/01 22:22:50] <a3li> the goal is to have our information integrated better
627 [2010/09/01 22:22:53] <Falco> vorlon078: pong
628 [2010/09/01 22:22:53] <keytoaster> that is combined with the idea of "mini glsas": we have boilerplates for description that just says "xxx is affected. please review the CVEs referenced below for details."
629 [2010/09/01 22:23:01] <Falco> hey, some activity here
630 [2010/09/01 22:23:07] <_Craig_> a3li: what kind of problems are there to solve?
631 [2010/09/01 22:23:09] <p-y> I like the idea of mini-glsas
632 [2010/09/01 22:23:12] <a3li> Falco: nice of you to show up.
633 [2010/09/01 22:23:14] <rbu> Falco: team meeting
634 [2010/09/01 22:23:22] <Falco> was at work ^^
635 [2010/09/01 22:23:23] <keytoaster> p-y: me too
636 [2010/09/01 22:23:30] <_Craig_> keytoaster: ++
637 [2010/09/01 22:23:34] <keytoaster> vorlon078: we did a bunch of those a few months ago
638 [2010/09/01 22:23:36] <p-y> Hey Falco!
639 [2010/09/01 22:23:37] <Falco> and in holidays, before
640 [2010/09/01 22:23:39] <Falco> hey p-y !
641 [2010/09/01 22:23:45] <Falco> long time we haven't got a drink
642 [2010/09/01 22:23:46] <keytoaster> that actually went pretty fast and decreased the backlog
643 [2010/09/01 22:23:53] <p-y> Falco: yep
644 [2010/09/01 22:23:54] <vorlon078> Falco: hi
645 [2010/09/01 22:23:54] <keytoaster> and with the new glsamaker it's *very* easy to draft those
646 [2010/09/01 22:24:07] <vorlon078> keytoaster: I think we should do something like that for a while again
647 [2010/09/01 22:24:09] <a3li> _Craig_: the problem we are trying to solve is, that drafting an advisory isn't efficient and just not fun
648 [2010/09/01 22:24:21] <keytoaster> and let me claim that about 50% of the current backlog is just minor issues
649 [2010/09/01 22:24:27] <a3li> _Craig_: you have to get information from many sources and manually combine them
650 [2010/09/01 22:24:29] <vorlon078> well
651 [2010/09/01 22:24:29] <Falco> hi everyone, vorlon078 , keytoaster , a3li and jaervosz !!
652 [2010/09/01 22:24:34] <a3li> hi.
653 [2010/09/01 22:24:51] <p-y> vorlon078: not only for a while, IMHO
654 [2010/09/01 22:24:52] <vorlon078> at this point in the agenda i see two slightly different subjects
655 [2010/09/01 22:25:18] <vorlon078> first: how to get rid of the very old things needing a glsa
656 [2010/09/01 22:25:29] <vorlon078> second: how to ease things up in the future
657 [2010/09/01 22:25:44] <vorlon078> for the second part a better tool is part of the solution i would say
658 [2010/09/01 22:25:52] <keytoaster> it both boils down to motivating people and getting the new glsamaker done :)
659 [2010/09/01 22:26:14] <vorlon078> the currently full backlog of old stuff is demotivating
660 [2010/09/01 22:26:22] <keytoaster> oh btw
661 [2010/09/01 22:26:22] <a3li> yes.
662 [2010/09/01 22:26:27] <vorlon078> it would help to find a quick and easy way to get rid of that
663 [2010/09/01 22:26:30] <p-y> maybe it's a good occasion to review the vulnerability policy
664 [2010/09/01 22:26:32] <keytoaster> at the moment we don't give glsamaker access to everyone
665 [2010/09/01 22:26:37] <keytoaster> because it holds confidential information
666 [2010/09/01 22:26:50] <p-y> and send glsa only for really serious issues
667 [2010/09/01 22:26:56] <keytoaster> the new tool will have permission groups, so we can give new interested people access way earlier
668 [2010/09/01 22:27:06] <vorlon078> p-y: i don't consider that a good idea
669 [2010/09/01 22:27:34] <a3li> I'd rather like to send a less detailed GLSA for those B3 things
670 [2010/09/01 22:27:40] <vorlon078> a3li: agreed
671 [2010/09/01 22:27:41] <keytoaster> p-y: we could send mini GLSAs instead. just fill out affected, unaffected versions, use the boilerplates for the rest, done.
672 [2010/09/01 22:27:44] <a3li> i.e. what other distros do, copy the CVE text
673 [2010/09/01 22:27:45] <rbu> when is it "good enough" to use? i think that's the key to everything. not be perfect, but have it running and doing 80% of the job
674 [2010/09/01 22:27:48] <keytoaster> a3li++
675 [2010/09/01 22:27:50] <keytoaster> yes, indeed
676 [2010/09/01 22:27:56] <a3li> rbu: within the year.
677 [2010/09/01 22:28:04] <vorlon078> a3li: thanks for that info
678 [2010/09/01 22:28:15] <_Craig_> <@a3li> I'd rather like to send a less detailed GLSA for those B3 things <<< ++
679 [2010/09/01 22:28:17] <vorlon078> then we need to find a way with the current tools to get rid of the large queue
680 [2010/09/01 22:28:28] * _Craig_ wants mini-glsas, too.
681 [2010/09/01 22:28:35] <keytoaster> rbu: to replace the old tool: drafting is completely done. we need to create the txt advisory, xml advisory, and sending mails
682 [2010/09/01 22:28:36] <vorlon078> then let us define mini-glsa
683 [2010/09/01 22:29:03] <p-y> vorlon078: I say that because in the past, we used to send glsas for "minor" issues (DoS) on minor packages, and we were the only distro doing so, other fixed them silently
684 [2010/09/01 22:29:04] <keytoaster> rbu: actually i've sorted stuff on the redmine tracker
685 [2010/09/01 22:29:19] <p-y> that's a waste of energy IMO
686 [2010/09/01 22:29:37] <a3li> p-y: the thing is when there's a B2 bug coming later. what do you do with the DoS then?
687 [2010/09/01 22:29:43] <p-y> especially given the manpower shortage
688 [2010/09/01 22:29:48] <a3li> p-y: just discard it and not include in the advisory?
689 [2010/09/01 22:29:59] <keytoaster> vorlon078: like http://www.gentoo.org/security/en/glsa/glsa-201006-14.xml
690 [2010/09/01 22:30:14] <keytoaster> oh wait, that's actually still a pretty long one
691 [2010/09/01 22:30:30] <vorlon078> p-y: for such things i would propose to draft the changes to the policy, send to security@ and discuss it there
692 [2010/09/01 22:30:36] <vorlon078> or even better
693 [2010/09/01 22:30:37] <vorlon078> the gentoo-security list
694 [2010/09/01 22:30:38] <keytoaster> vorlon078: http://www.gentoo.org/security/en/glsa/glsa-201006-05.xml
695 [2010/09/01 22:31:04] <keytoaster> basically just a very short description and impact
696 [2010/09/01 22:31:44] <vorlon078> keytoaster: ok, thanks
697 [2010/09/01 22:32:05] <Falco> very good ! (that the new glsamaker tool will have permission groups) : because only very few glsas are actually confidential
698 [2010/09/01 22:32:08] <a3li> the new glsamaker could help there by filling in the background, getting the CVEs from the bug
699 [2010/09/01 22:33:06] <vorlon078> so what is the easiest way for us to deal with the old waiting drafts
700 [2010/09/01 22:33:21] <a3li> what we could do is a GLSA fest(tm)
701 [2010/09/01 22:33:25] <vorlon078> should we do mini-glsas like those examples in the current glsamaker?
702 [2010/09/01 22:33:30] <a3li> as many people as possible draft GLSAs together
703 [2010/09/01 22:33:31] <vorlon078> or is there another way?
704 [2010/09/01 22:33:39] <a3li> make that mini glsas.
705 [2010/09/01 22:33:43] <keytoaster> ++
706 [2010/09/01 22:33:44] <a3li> and after 5 hours they're sent
707 [2010/09/01 22:33:50] <a3li> but that needs at least 4-5 people
708 [2010/09/01 22:34:07] <a3li> same would be needed for bugs, btw
709 [2010/09/01 22:34:14] <vorlon078> a3li: yeah
710 [2010/09/01 22:34:15] <keytoaster> although i'd wait for the new tool
711 [2010/09/01 22:34:23] <keytoaster> i'm not motivated to do anything with the old one
712 [2010/09/01 22:34:26] <vorlon078> but I think it would be nice to clean up glsamaker queue first
713 [2010/09/01 22:34:37] <keytoaster> basically i start, look at the tool, and lose interest again
714 [2010/09/01 22:34:42] <vorlon078> actually, i don't think waiting is a good option right now
715 [2010/09/01 22:34:52] <vorlon078> it will just grow
716 [2010/09/01 22:35:19] <vorlon078> and there is currently know exact time frame for the new tool
717 [2010/09/01 22:35:26] <vorlon078> s/know/no
718 [2010/09/01 22:35:49] <vorlon078> I would be willing to do some old stuff in the old tool
719 [2010/09/01 22:35:53] <a3li> how about we'll have something that will allow us end-to-end drafting by Oct 1
720 [2010/09/01 22:35:54] <vorlon078> lets say next week
721 [2010/09/01 22:35:55] <rbu> ++ we can't wait until the end of the year and pile up
722 [2010/09/01 22:36:07] <keytoaster> a3li: define end-to-end
723 [2010/09/01 22:36:09] <rbu> well ... we can. but we should make that public at least
724 [2010/09/01 22:36:12] <Falco> there's also another possibility
725 [2010/09/01 22:36:13] <a3li> bug comes in to email goes out
726 [2010/09/01 22:36:22] <keytoaster> yes, cool
727 [2010/09/01 22:36:32] <keytoaster> that shouldn't take too long
728 [2010/09/01 22:36:33] <a3li> that would mainly require people motivating keytoaster and me to finish things :)
729 [2010/09/01 22:36:42] <rbu> DO IT
730 [2010/09/01 22:36:44] <vorlon078> that would be a great thing
731 [2010/09/01 22:36:45] <rbu> enough?
732 [2010/09/01 22:36:45] <keytoaster> a3li: you'll have to do the xml part, i can do the txt erb and mail stuff
733 [2010/09/01 22:36:50] <a3li> rbu: does it involve beer?
734 [2010/09/01 22:36:58] <vorlon078> but should not stop us from already doing some stuff with the old tool
735 [2010/09/01 22:37:07] <a3li> so maybe we can separate the effort then
736 [2010/09/01 22:37:11] <rbu> yes. you get one crate of beer and one club mate *each*
737 [2010/09/01 22:37:12] <Falco> perhaps we can commit mini .xml files to portage, before writing the full text and sending the official mail
738 [2010/09/01 22:37:17] <rbu> paid by gentoo e.v.
739 [2010/09/01 22:37:24] <a3li> keytoaster and I focus on glsamaker 2
740 [2010/09/01 22:37:27] <a3li> the rest does our day-job
741 [2010/09/01 22:37:31] <keytoaster> vorlon078: perhaps you need to see the new tool in action to see what it's capable of? :D
742 [2010/09/01 22:37:59] <_Craig_> <@a3li> rbu: does it involve beer? <<< finish glsamaker, receive beer at 27c3.
743 [2010/09/01 22:38:01] <p-y> Falco: if we do that, we all know that the full text will never be written
744 [2010/09/01 22:38:02] <_Craig_> ;)
745 [2010/09/01 22:38:17] <Falco> p-y: possible, indeed
746 [2010/09/01 22:38:25] <vorlon078> oh and one important thing
747 [2010/09/01 22:38:32] <Falco> but glsa-check would be up-to-date
748 [2010/09/01 22:38:38] <vorlon078> with all the trouble we had and have, we should be more open about it
749 [2010/09/01 22:38:49] <vorlon078> and tell the users not to expect glsas in these situations
750 [2010/09/01 22:38:49] <rbu> ++
751 [2010/09/01 22:38:57] <vorlon078> i feel rather bad about the way we handled it
752 [2010/09/01 22:39:41] <p-y> me too, but anyway, users emerging world on a regular basis should be ok
753 [2010/09/01 22:39:49] <vorlon078> yeah those should
754 [2010/09/01 22:40:10] <vorlon078> but there might be users and even larger environments that don't work that way
755 [2010/09/01 22:40:43] <keytoaster> vorlon078: i'll add a notice at the top of the project page
756 [2010/09/01 22:40:45] <vorlon078> that's why i would like to see glsas go out again or an explanation why not and how to keep track of security fixes
757 [2010/09/01 22:40:48] <keytoaster> referring to the meeting log/summary
758 [2010/09/01 22:41:16] <a3li> of course the goal is to get the GLSA process going again
759 [2010/09/01 22:41:45] <vorlon078> if we don't restart sending stuff again soon, i would propose to send an explanation out to -announce
760 [2010/09/01 22:41:51] <p-y> agreed
761 [2010/09/01 22:41:56] <a3li> well we have to simply
762 [2010/09/01 22:42:02] <vorlon078> yes
763 [2010/09/01 22:42:05] <p-y> even if we do, actually
764 [2010/09/01 22:42:47] <Falco> ok
765 [2010/09/01 22:43:03] <vorlon078> so we should write something up on the current security situation in gentoo and make it public?
766 [2010/09/01 22:43:13] <vorlon078> no matter how we go on next month
767 [2010/09/01 22:43:13] <rbu> y
768 [2010/09/01 22:43:17] <vorlon078> ack
769 [2010/09/01 22:43:18] <keytoaster> yes
770 [2010/09/01 22:43:19] <p-y> yep
771 [2010/09/01 22:43:24] <a3li> but please don't make to too dramatic
772 [2010/09/01 22:43:30] <a3li> *it
773 [2010/09/01 22:43:31] <_Craig_> oh no...bad news
774 [2010/09/01 22:43:35] <_Craig_> I already see it on heise...
775 [2010/09/01 22:43:43] <keytoaster> right
776 [2010/09/01 22:43:56] <vorlon078> I can try to think of a first draft
777 [2010/09/01 22:44:01] <keytoaster> and if it will be on heise, your line will be as well :P
778 [2010/09/01 22:44:23] <_Craig_> We're doomed.
779 [2010/09/01 22:44:28] <a3li> kay.
780 [2010/09/01 22:44:36] <vorlon078> alright
781 [2010/09/01 22:44:37] <keytoaster> ok, good
782 [2010/09/01 22:44:39] <keytoaster> next point then
783 [2010/09/01 22:44:44] <vorlon078> umm wait
784 [2010/09/01 22:45:04] <vorlon078> i can try and draft something next week
785 [2010/09/01 22:45:12] <vorlon078> or is there anyone else who wants to with more time
786 [2010/09/01 22:45:18] <keytoaster> nope
787 [2010/09/01 22:45:29] <a3li> next week is fine imo
788 [2010/09/01 22:45:41] <vorlon078> btw
789 [2010/09/01 22:45:57] <vorlon078> is there any team we should have it checked by?
790 [2010/09/01 22:46:09] <rbu> like pr?
791 [2010/09/01 22:46:14] <rbu> not that i know of
792 [2010/09/01 22:46:31] <vorlon078> same here
793 [2010/09/01 22:46:48] <vorlon078> ok
794 [2010/09/01 22:46:50] <vorlon078> then lets go on
795 [2010/09/01 22:47:04] <vorlon078> I'll draft and send to security@g.o for review
796 [2010/09/01 22:47:18] <keytoaster> ok
797 [2010/09/01 22:48:11] <vorlon078> so for the current queue
798 [2010/09/01 22:48:19] <keytoaster> ok, 5. is "Any other topic"
799 [2010/09/01 22:48:19] <vorlon078> a tool by oct 1
800 [2010/09/01 22:48:25] <keytoaster> oh, sorry
801 [2010/09/01 22:48:36] <vorlon078> and who ever wants to send mini-glsas with the current tool can go on
802 [2010/09/01 22:48:38] <vorlon078> right?
803 [2010/09/01 22:48:49] <keytoaster> yes
804 [2010/09/01 22:49:01] <vorlon078> just for the record (and the summary)
805 [2010/09/01 22:49:02] <vorlon078> ok
806 [2010/09/01 22:49:10] <vorlon078> then any other topics?
807 [2010/09/01 22:49:16] <keytoaster> none from me
808 [2010/09/01 22:49:39] <a3li> well if you don't want any further info about glsamaker2..
809 [2010/09/01 22:50:00] <keytoaster> it seems you want to tell us info :)
810 [2010/09/01 22:50:07] <vorlon078> 5.1 further info about glsamaker2
811 [2010/09/01 22:50:17] <vorlon078> there you go ;)
812 [2010/09/01 22:50:21] <p-y> does it make coffee? :)
813 [2010/09/01 22:50:22] <a3li> I thought it was included in 4.
814 [2010/09/01 22:50:27] <a3li> p-y: no it's not emacs!
815 [2010/09/01 22:50:32] <p-y> oh :(
816 [2010/09/01 22:50:51] <a3li> so I already talked about the idea
817 [2010/09/01 22:50:56] <a3li> integrate all info
818 [2010/09/01 22:51:03] <a3li> that also means, it'll be the new CVE tracker.
819 [2010/09/01 22:51:18] <keytoaster> ++
820 [2010/09/01 22:51:30] <rbu> is there a live demo / staging server?
821 [2010/09/01 22:51:49] <a3li> I could update my trunk demo again
822 [2010/09/01 22:51:51] <p-y> yep, i'd like to see it too
823 [2010/09/01 22:51:58] <vorlon078> that would be great
824 [2010/09/01 22:52:09] <keytoaster> http://vandium.net/~keytoaster/glsamaker2-comments.ogv
825 [2010/09/01 22:52:10] <a3li> or get things rolling with infra (robbat2|na *prod*)
826 [2010/09/01 22:52:13] <keytoaster> that shows some comment action
827 [2010/09/01 22:52:17] <keytoaster> (nothing about the cve tracker)
828 [2010/09/01 22:52:21] <a3li> hot comment action!
829 [2010/09/01 22:52:24] <a3li> that's the drafting part
830 [2010/09/01 22:52:55] <a3li> http://stingray.a3li.info/~alex/cvetool-1.png and http://stingray.a3li.info/~alex/cvetool-2.png are shots of the CVE tracker
831 [2010/09/01 22:53:40] <robbat2|na> a3li, on phone, one moment
832 [2010/09/01 22:53:51] <a3li> robbat2|na: fix overlays first, yeah
833 [2010/09/01 22:54:33] <p-y> you guys really did an awesome job, thanks
834 [2010/09/01 22:55:22] <rbu> sweet
835 [2010/09/01 22:55:33] <rbu> the images alone make me want to work again!
836 [2010/09/01 22:55:39] <a3li> yes, it has 3G
837 [2010/09/01 22:55:40] <p-y> yeah, me too
838 [2010/09/01 22:55:41] <a3li> and the wifis
839 [2010/09/01 22:55:52] <a3li> and it doesn't crash if you enter >A instead of >5
840 [2010/09/01 22:55:52] <a3li> :P
841 [2010/09/01 22:55:53] <rbu> get it running NOW
842 [2010/09/01 22:56:03] <a3li> see the url in the title bar
843 [2010/09/01 22:56:05] <a3li> :>
844 [2010/09/01 22:56:57] <rbu> localhorst?
845 [2010/09/01 22:57:01] <a3li> lolcathost
846 [2010/09/01 22:57:12] <p-y> local toast?
847 [2010/09/01 22:57:24] <vorlon078> port 3000 is bad
848 [2010/09/01 22:57:31] <vorlon078> just wanted to add something too ;)
849 [2010/09/01 22:57:42] <a3li> we should have it on port 0
850 [2010/09/01 22:57:47] <vorlon078> yeah
851 [2010/09/01 22:58:09] <vorlon078> sounds like we already passed the end of the meeting btw
852 [2010/09/01 22:58:17] <a3li> likely.
853 [2010/09/01 22:58:20] <vorlon078> oh and it should be yellow
854 [2010/09/01 22:58:22] <a3li> I hope we get back in the saddle
855 [2010/09/01 22:58:39] <vorlon078> is there anything anyone wants to add about glsamaker2?
856 [2010/09/01 22:58:50] <keytoaster> nope
857 [2010/09/01 22:58:56] <a3li> we'll get you a demo running
858 [2010/09/01 22:59:06] <vorlon078> that would really be great
859 [2010/09/01 22:59:11] <a3li> then we need testing and of course take suggestions
860 [2010/09/01 22:59:17] <a3li> beta rollout by october
861 [2010/09/01 22:59:29] <a3li> working 1.0 version rollout within the year
862 [2010/09/01 22:59:39] <keytoaster> what's within the year?
863 [2010/09/01 22:59:45] <keytoaster> in 2010 or within 12 months from now on?
864 [2010/09/01 22:59:53] <a3li> 2010!
865 [2010/09/01 22:59:58] <keytoaster> whoa
866 [2010/09/01 23:00:01] <keytoaster> you're optimistic :)
867 [2010/09/01 23:00:04] <a3li> er?
868 [2010/09/01 23:00:04] <vorlon078> i think it would be nice to have a current todo list for the team and who is 'responsible' for which task
869 [2010/09/01 23:00:11] <a3li> it won't be the final version
870 [2010/09/01 23:00:21] <keytoaster> floss is never final
871 [2010/09/01 23:00:28] <keytoaster> vorlon078: we have a redmine
872 [2010/09/01 23:00:34] <rbu> well.. glsamaker1 is final
873 [2010/09/01 23:00:34] <keytoaster> oh, you mean in general for security
874 [2010/09/01 23:00:50] <vorlon078> yeah for security
875 [2010/09/01 23:01:01] <a3li> we can get a wiki again somewhere
876 [2010/09/01 23:01:06] <vorlon078> a3li: good point
877 [2010/09/01 23:01:14] <keytoaster> *sigh*
878 [2010/09/01 23:01:18] <keytoaster> not another wiki discussion
879 [2010/09/01 23:01:27] <keytoaster> but yes, go for it
880 [2010/09/01 23:01:32] <vorlon078> well, for the task list an .xml in proj is fine
881 [2010/09/01 23:01:32] <a3li> yes. let's have a cvs and check in guidexml files
882 [2010/09/01 23:01:33] <keytoaster> i'll kill the first guy who objects
883 [2010/09/01 23:01:58] <vorlon078> hmpf
884 [2010/09/01 23:02:12] * _Craig_ AFK: pizzapizza. BBL.
885 [2010/09/01 23:02:12] <a3li> okay. I think we're really done now
886 [2010/09/01 23:02:14] <keytoaster> vorlon078: you didn't get the joke probably :)
887 [2010/09/01 23:02:22] <vorlon078> keytoaster: no not at first
888 [2010/09/01 23:02:41] <vorlon078> and actually i simply want a list and a place to keep such stuff
889 [2010/09/01 23:02:50] <vorlon078> i did use our dokuwiki installation btw
890 [2010/09/01 23:02:58] <a3li> we'll arrange for something
891 [2010/09/01 23:03:12] <vorlon078> one last thing at the end of each meeting
892 [2010/09/01 23:03:32] <vorlon078> i would like to hold meetings way more often but shorter
893 [2010/09/01 23:03:40] <keytoaster> ++
894 [2010/09/01 23:03:43] <vorlon078> way more often means more than every two years
895 [2010/09/01 23:04:02] <keytoaster> every three months?
896 [2010/09/01 23:04:02] <rbu> thanks vorlon078 for moderating and calling in the meeting
897 [2010/09/01 23:04:14] <rbu> and thanks to everyone who picked up tasks
898 [2010/09/01 23:04:23] <a3li> thanks to rbu for the mate
899 [2010/09/01 23:04:24] <keytoaster> thanks rbu for attending
900 [2010/09/01 23:04:24] <vorlon078> every two or three would be really good i think
901 [2010/09/01 23:04:28] <vorlon078> rbu: thanks
902 [2010/09/01 23:04:59] <vorlon078> what about mid october for october for the next one since we wanted to make changes then
903 [2010/09/01 23:05:05] <vorlon078> argh
904 [2010/09/01 23:05:37] <vorlon078> i would have said nov/dec, but oct might be nice in case we do have a tool to change things again
905 [2010/09/01 23:05:46] <keytoaster> fine with me
906 [2010/09/01 23:05:52] <rbu> good
907 [2010/09/01 23:05:59] <p-y> ok for me
908 [2010/09/01 23:06:01] <a3li> kk
909 [2010/09/01 23:06:05] <vorlon078> oh wait
910 [2010/09/01 23:06:10] <vorlon078> im on vacation then
911 [2010/09/01 23:06:11] <vorlon078> lol
912 [2010/09/01 23:06:17] <p-y> I have to go, gn8 all
913 [2010/09/01 23:06:20] <a3li> n8
914 [2010/09/01 23:06:25] <keytoaster> p-y: good night, and thanks
915 [2010/09/01 23:06:26] <vorlon078> alright
916 [2010/09/01 23:06:29] <vorlon078> good night
917 [2010/09/01 23:06:32] <rbu> nite
918 [2010/09/01 23:06:53] <vorlon078> i'll write a reminder for myself for an october meeting then
919 [2010/09/01 23:07:22] <vorlon078> thanks for attending everyone :)
920 [2010/09/01 23:07:29] <a3li> monstermeeting
921 [2010/09/01 23:07:32] <keytoaster> thanks vorlon078 for doing this :)
922 [2010/09/01 23:07:34] <a3li> thanks
923 [2010/09/01 23:08:03] @ keytoaster set topic "Last project meeting: 2010-09-01 18:30 UTC; Logs and summary available soon | This channel is only for coordinating vulnerabilities and GLSA releases. For an end-user support channel, see #gentoo | http://security.gentoo.org | New recruits: http://www.gentoo.org/security/en/padawans.xml"
924 [2010/09/01 23:08:29] <a3li> that topic is not so god
925 [2010/09/01 23:08:31] <a3li> *good
926 [2010/09/01 23:08:42] <a3li> sounds like that was our last meeting ever :)
927 [2010/09/01 23:08:52] <keytoaster> *sigh*
928 [2010/09/01 23:09:02] @ keytoaster set topic "Previous project meeting: 2010-09-01 18:30 UTC; Logs and summary available soon | This channel is only for coordinating vulnerabilities and GLSA releases. For an end-user support channel, see #gentoo | http://security.gentoo.org | New recruits: http://www.gentoo.org/security/en/padawans.xml"
929 [2010/09/01 23:10:46] <vorlon078> log stopped here btw
930 [2010/09/01 23:10:56] <a3li> %part
931 [2010/09/01 23:10:56] @ Left channel #gentoo-security ()