keytoaster 10/09/06 10:13:59

Added: gentoo-security-meeting-2010-09-01-summary.txt
Log:
Adding meeting summary.

Revision Changes Path
1.1 xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01-summary.txt

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01-summary.txt?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/security/meeting-logs/gentoo-security-meeting-2010-09-01-summary.txt?rev=1.1&content-type=text/plain

Index: gentoo-security-meeting-2010-09-01-summary.txt
===================================================================
Security Project Meeting 2010-09-01
===================================

Roll call
---------
here:
Alex Legler (a3li)
Tony Vroon (chainsaw), padawan
Stefan Behte (craig)
Raphaƫl Marichez (falco), joined later on during the meeting
Sune Kloppenborg Jeppesen (jaervosz)
Tobias Heinlein (keytoaster)
Pierre-Yves Rofes (py)
Robert Buchholz (rbu)
Robin H. Johnson (robbat2), infrastructure representative
Tim Sammut (underling), padawan
Matthias Geerdsen (vorlon)
missing:
Kurt Lieber (klieber)
Ned Ludd (solar)


1. Project status
-----------------
The Gentoo Security team is functional, but running on low flame. There is a
huge backlog (a huge amount of open bugs and GLSAs that still need to be sent)
and due to a small amount of active members not all bugs are filed/handled in a
timely manner and bigger packages (Firefox, Java, etc.) are not easy to draft
GLSAs for for various reasons.

Some members feel that drafting GLSAs with the old GLSAMaker is a huge PITA.

Not all recruitment requests by both developers and non-developers have been
handled as well as we want them to, due to limited time and resources.


2. Lead election
----------------
It has been decided that the Gentoo security team's leads are there to do
administrative stuff (like distributing permissions e.g. on Bugzilla), to
ensure progress, to cast deciding votes, and to act as the point of contact for
encrypted mails.

Robert, Matthias, and Stefan have either opted out of being nominated or not
accepted their nomination due to time issues. Alex and Tobias have been
nominated.

The team has decided unanimously to continue having two leads, and that those be
Alex and Tobias.


3. Population of several mail aliases, bugzilla groups etc.
-----------------------------------------------------------
The following groups/aliases had to be cleaned and updated in order to ensure
that no outdated entries still exist.


3.1 CERT mails
It has been decided that all team members who attended the meeting will receive
the CERT mails. Matthias will put a list together and send it to the security
alias before informing CERT.


3.2 vendor-sec alias
Due to respect for the group, the team decided to have only a limited number of
people subscribed. As such, everyone has been removed from the alias and only
Alex, Tobias, and Stefan have been put on it. The team agreed to further
evaluate subscribing active members at the next meeting.


3.3 "securitymail" group on dev.gentoo.org
The team decided that only the new leads will be allowed to edit mail aliases.


3.3 "security" mail alias and "security" group on Bugzilla
The team agreed that every "full" team member should be on/in these. The leads
will have the power to edit them.


4. Handling of the current GLSA and bug queues and how to avoid such situations in the future
---------------------------------------------------------------------------------------------
The new GLSAMaker will ease the team's work in huge parts and its development is
currently of utmost importance. Alex and Tobias have given a summary on the new
GLSAMaker: It's in a near-usable state, the goal is to have our information
integrated better, it will replace the old CVE tracker, it's way easier to
draft minor issues, and permission groups allow for non-team members and new
recruits to help with drafting.

Alex and Tobias will see to getting a usable beta version of GLSAMaker2 deployed
until Oct 1, 2010, while the rest of the team will try to get some GLSAs out
with the old one.

The team agreed to send "mini-GLSAs" for minor issues, that is a usual GLSA
with shorter description and impact texts, like we did a few months ago.


5. Any other topic
------------------
In order to be more open to users, Matthias will draft an announcement
explaining our current situation.

Alex will arrange for a wiki to document todo lists and miscellaneous stuff.

The team will hold meetings more frequently, every 2 or 3 months has been
suggested. The next meeting will be around mid-October to vote on this and also
to check the progress of GLSAMaker2.

There is no further need for the position of the infrastructure liasion and it
has been removed. Robin suggested to bug either him or Ned.

Tobias will merge documentation files from devspaces into our project pages.
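
Review bot: the subsection number 3.3 is used twice in section 3, once for the "securitymail" group on dev.gentoo.org and again for the "security" mail alias and Bugzilla group; renumber the second one to 3.4 so that later references to these access decisions are unambiguous. Smaller points in the same file: "GLSAs for for various reasons" in section 1 has a doubled word, "liasion" in section 5 should read "liaison", the roll-call entry for falco carries a mis-encoded character in the first name, and "deployed until Oct 1, 2010" in section 4 reads as a deadline, so "by Oct 1, 2010" would be clearer. Section 5 says the infrastructure liaison position has been removed while the roll call still lists robbat2 as "infrastructure representative"; a short remark that the role ended at this meeting would reconcile the two.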