| 1 |
keytoaster 10/09/06 10:13:59 |
| 2 |
|
| 3 |
Added: gentoo-security-meeting-2010-09-01-summary.txt |
| 4 |
Log: |
| 5 |
Adding meeting summary. |
| 6 |
|
| 7 |
Revision Changes Path |
| 8 |
1.1 xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01-summary.txt |
| 9 |
|
| 10 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01-summary.txt?rev=1.1&view=markup |
| 11 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01-summary.txt?rev=1.1&content-type=text/plain |
| 12 |
|
| 13 |
Index: gentoo-security-meeting-2010-09-01-summary.txt |
| 14 |
=================================================================== |
| 15 |
Security Project Meeting 2010-09-01 |
| 16 |
=================================== |
| 17 |
|
| 18 |
Roll call |
| 19 |
--------- |
| 20 |
here: |
| 21 |
Alex Legler (a3li) |
| 22 |
Tony Vroon (chainsaw), padawan |
| 23 |
Stefan Behte (craig) |
| 24 |
Raphaƫl Marichez (falco), joined later on during the meeting |
| 25 |
Sune Kloppenborg Jeppesen (jaervosz) |
| 26 |
Tobias Heinlein (keytoaster) |
| 27 |
Pierre-Yves Rofes (py) |
| 28 |
Robert Buchholz (rbu) |
| 29 |
Robin H. Johnson (robbat2), infrastructure representative |
| 30 |
Tim Sammut (underling), padawan |
| 31 |
Matthias Geerdsen (vorlon) |
| 32 |
missing: |
| 33 |
Kurt Lieber (klieber) |
| 34 |
Ned Ludd (solar) |
| 35 |
|
| 36 |
|
| 37 |
1. Project status |
| 38 |
----------------- |
| 39 |
The Gentoo Security team is functional, but running on low flame. There is a |
| 40 |
huge backlog (a huge amount of open bugs and GLSAs that still need to be sent) |
| 41 |
and due to a small amount of active members not all bugs are filed/handled in a |
| 42 |
timely manner and bigger packages (Firefox, Java, etc.) are not easy to draft |
| 43 |
GLSAs for for various reasons. |
| 44 |
|
| 45 |
Some members feel that drafting GLSAs with the old GLSAMaker is a huge PITA. |
| 46 |
|
| 47 |
Not all recruitment requests by both developers and non-developers have been |
| 48 |
handled as well as we want them to, due to limited time and resources. |
| 49 |
|
| 50 |
|
| 51 |
2. Lead election |
| 52 |
---------------- |
| 53 |
It has been decided that the Gentoo security team's leads are there to do |
| 54 |
administrative stuff (like distributing permissions e.g. on Bugzilla), to |
| 55 |
ensure progress, to cast deciding votes, and to act as the point of contact for |
| 56 |
encrypted mails. |
| 57 |
|
| 58 |
Robert, Matthias, and Stefan have either opted out of being nominated or not |
| 59 |
accepted their nomination due to time issues. Alex and Tobias have been |
| 60 |
nominated. |
| 61 |
|
| 62 |
The team has decided unanimously to continue having two leads, and that those be |
| 63 |
Alex and Tobias. |
| 64 |
|
| 65 |
|
| 66 |
3. Population of several mail aliases, bugzilla groups etc. |
| 67 |
----------------------------------------------------------- |
| 68 |
The following groups/aliases had to be cleaned and updated in order to ensure |
| 69 |
that no outdated entries still exist. |
| 70 |
|
| 71 |
|
| 72 |
3.1 CERT mails |
| 73 |
It has been decided that all team members who attended the meeting will receive |
| 74 |
the CERT mails. Matthias will put a list together and send it to the security |
| 75 |
alias before informing CERT. |
| 76 |
|
| 77 |
|
| 78 |
3.2 vendor-sec alias |
| 79 |
Due to respect for the group, the team decided to have only a limited number of |
| 80 |
people subscribed. As such, everyone has been removed from the alias and only |
| 81 |
Alex, Tobias, and Stefan have been put on it. The team agreed to further |
| 82 |
evaluate subscribing active members at the next meeting. |
| 83 |
|
| 84 |
|
| 85 |
3.3 "securitymail" group on dev.gentoo.org |
| 86 |
The team decided that only the new leads will be allowed to edit mail aliases. |
| 87 |
|
| 88 |
|
| 89 |
3.3 "security" mail alias and "security" group on Bugzilla |
| 90 |
The team agreed that every "full" team member should be on/in these. The leads |
| 91 |
will have the power to edit them. |
| 92 |
|
| 93 |
|
| 94 |
4. Handling of the current GLSA and bug queues and how to avoid such situations in the future |
| 95 |
--------------------------------------------------------------------------------------------- |
| 96 |
The new GLSAMaker will ease the team's work in huge parts and its development is |
| 97 |
currently of utmost importance. Alex and Tobias have given a summary on the new |
| 98 |
GLSAMaker: It's in a near-usable state, the goal is to have our information |
| 99 |
integrated better, it will replace the old CVE tracker, it's way easier to |
| 100 |
draft minor issues, and permission groups allow for non-team members and new |
| 101 |
recruits to help with drafting. |
| 102 |
|
| 103 |
Alex and Tobias will see to getting a usable beta version of GLSAMaker2 deployed |
| 104 |
until Oct 1, 2010, while the rest of the team will try to get some GLSAs out |
| 105 |
with the old one. |
| 106 |
|
| 107 |
The team agreed to send "mini-GLSAs" for minor issues, that is a usual GLSA |
| 108 |
with shorter description and impact texts, like we did a few months ago. |
| 109 |
|
| 110 |
|
| 111 |
5. Any other topic |
| 112 |
------------------ |
| 113 |
In order to be more open to users, Matthias will draft an announcement |
| 114 |
explaining our current situation. |
| 115 |
|
| 116 |
Alex will arrange for a wiki to document todo lists and miscellaneous stuff. |
| 117 |
|
| 118 |
The team will hold meetings more frequently, every 2 or 3 months has been |
| 119 |
suggested. The next meeting will be around mid-October to vote on this and also |
| 120 |
to check the progress of GLSAMaker2. |
| 121 |
|
| 122 |
There is no further need for the position of the infrastructure liasion and it |
| 123 |
has been removed. Robin suggested to bug either him or Ned. |
| 124 |
|
| 125 |
Tobias will merge documentation files from devspaces into our project pages. |
Archives