| 1 |
Security Project Meeting 2010-09-01 |
| 2 |
=================================== |
| 3 |
|
| 4 |
Roll call |
| 5 |
--------- |
| 6 |
here: |
| 7 |
Alex Legler (a3li) |
| 8 |
Tony Vroon (chainsaw), padawan |
| 9 |
Stefan Behte (craig) |
| 10 |
Raphaƫl Marichez (falco), joined later on during the meeting |
| 11 |
Sune Kloppenborg Jeppesen (jaervosz) |
| 12 |
Tobias Heinlein (keytoaster) |
| 13 |
Pierre-Yves Rofes (py) |
| 14 |
Robert Buchholz (rbu) |
| 15 |
Robin H. Johnson (robbat2), infrastructure representative |
| 16 |
Tim Sammut (underling), padawan |
| 17 |
Matthias Geerdsen (vorlon) |
| 18 |
missing: |
| 19 |
Kurt Lieber (klieber) |
| 20 |
Ned Ludd (solar) |
| 21 |
|
| 22 |
|
| 23 |
1. Project status |
| 24 |
----------------- |
| 25 |
The Gentoo Security team is functional, but running on low flame. There |
| 26 |
is a huge backlog (a huge amount of open bugs and GLSAs that still need |
| 27 |
to be sent) and due to a small amount of active members not all bugs are |
| 28 |
filed/handled in a timely manner and bigger packages (Firefox, Java, |
| 29 |
etc.) are not easy to draft GLSAs for for various reasons. |
| 30 |
|
| 31 |
Some members feel that drafting GLSAs with the old GLSAMaker is a huge PITA. |
| 32 |
|
| 33 |
Not all recruitment requests by both developers and non-developers have |
| 34 |
been handled as well as we want them to, due to limited time and resources. |
| 35 |
|
| 36 |
|
| 37 |
2. Lead election |
| 38 |
---------------- |
| 39 |
It has been decided that the Gentoo security team's leads are there to |
| 40 |
do administrative stuff (like distributing permissions e.g. on |
| 41 |
Bugzilla), to ensure progress, to cast deciding votes, and to act as the |
| 42 |
point of contact for encrypted mails. |
| 43 |
|
| 44 |
Robert, Matthias, and Stefan have either opted out of being nominated or |
| 45 |
not accepted their nomination due to time issues. Alex and Tobias have |
| 46 |
been nominated. |
| 47 |
|
| 48 |
The team has decided unanimously to continue having two leads, and that |
| 49 |
those be Alex and Tobias. |
| 50 |
|
| 51 |
|
| 52 |
3. Population of several mail aliases, bugzilla groups etc. |
| 53 |
----------------------------------------------------------- |
| 54 |
The following groups/aliases had to be cleaned and updated in order to |
| 55 |
ensure that no outdated entries still exist. |
| 56 |
|
| 57 |
|
| 58 |
3.1 CERT mails |
| 59 |
It has been decided that all team members who attended the meeting will |
| 60 |
receive the CERT mails. Matthias will put a list together and send it to |
| 61 |
the security alias before informing CERT. |
| 62 |
|
| 63 |
|
| 64 |
3.2 vendor-sec alias |
| 65 |
Due to respect for the group, the team decided to have only a limited |
| 66 |
number of people subscribed. As such, everyone has been removed from the |
| 67 |
alias and only Alex, Tobias, and Stefan have been put on it. The team |
| 68 |
agreed to further evaluate subscribing active members at the next meeting. |
| 69 |
|
| 70 |
|
| 71 |
3.3 "securitymail" group on dev.gentoo.org |
| 72 |
The team decided that only the new leads will be allowed to edit mail |
| 73 |
aliases. |
| 74 |
|
| 75 |
|
| 76 |
3.3 "security" mail alias and "security" group on Bugzilla |
| 77 |
The team agreed that every "full" team member should be on/in these. The |
| 78 |
leads will have the power to edit them. |
| 79 |
|
| 80 |
|
| 81 |
4. Handling of the current GLSA and bug queues and how to avoid such |
| 82 |
situations in the future |
| 83 |
--------------------------------------------------------------------------------------------- |
| 84 |
The new GLSAMaker will ease the team's work in huge parts and its |
| 85 |
development is currently of utmost importance. Alex and Tobias have |
| 86 |
given a summary on the new GLSAMaker: It's in a near-usable state, the |
| 87 |
goal is to have our information integrated better, it will replace the |
| 88 |
old CVE tracker, it's way easier to draft minor issues, and permission |
| 89 |
groups allow for non-team members and new recruits to help with drafting. |
| 90 |
|
| 91 |
Alex and Tobias will see to getting a usable beta version of GLSAMaker2 |
| 92 |
deployed until Oct 1, 2010, while the rest of the team will try to get |
| 93 |
some GLSAs out with the old one. |
| 94 |
|
| 95 |
The team agreed to send "mini-GLSAs" for minor issues, that is a usual |
| 96 |
GLSA with shorter description and impact texts, like we did a few months |
| 97 |
ago. |
| 98 |
|
| 99 |
|
| 100 |
5. Any other topic |
| 101 |
------------------ |
| 102 |
In order to be more open to users, Matthias will draft an announcement |
| 103 |
explaining our current situation. |
| 104 |
|
| 105 |
Alex will arrange for a wiki to document todo lists and miscellaneous stuff. |
| 106 |
|
| 107 |
The team will hold meetings more frequently, every 2 or 3 months has |
| 108 |
been suggested. The next meeting will be around mid-October to vote on |
| 109 |
this and also to check the progress of GLSAMaker2. |
| 110 |
|
| 111 |
There is no further need for the position of the infrastructure liasion |
| 112 |
and it has been removed. Robin suggested to bug either him or Ned. |
| 113 |
|
| 114 |
Tobias will merge documentation files from devspaces into our project pages. |
Archives