Security Project Meeting 2010-09-01
===================================

Roll call
---------
here:
Alex Legler (a3li)
Tony Vroon (chainsaw), padawan
Stefan Behte (craig)
Raphaël Marichez (falco), joined later on during the meeting
Sune Kloppenborg Jeppesen (jaervosz)
Tobias Heinlein (keytoaster)
Pierre-Yves Rofes (py)
Robert Buchholz (rbu)
Robin H. Johnson (robbat2), infrastructure representative
Tim Sammut (underling), padawan
Matthias Geerdsen (vorlon)
missing:
Kurt Lieber (klieber)
Ned Ludd (solar)


1. Project status
-----------------
The Gentoo Security team is functional, but running on a low flame. There
is a huge backlog (a large number of open bugs and GLSAs that still need
to be sent) and, due to the small number of active members, not all bugs
are filed/handled in a timely manner. Bigger packages (Firefox, Java,
etc.) are not easy to draft GLSAs for, for various reasons.

Some members feel that drafting GLSAs with the old GLSAMaker is a huge PITA.

Not all recruitment requests by both developers and non-developers have
been handled as well as we would like, due to limited time and resources.


2. Lead election
----------------
It has been decided that the Gentoo security team's leads are there to
do administrative work (like distributing permissions, e.g. on
Bugzilla), to ensure progress, to cast deciding votes, and to act as the
point of contact for encrypted mails.

Robert, Matthias, and Stefan have either opted out of being nominated or
not accepted their nomination due to time issues. Alex and Tobias have
been nominated.

The team has decided unanimously to continue having two leads, and that
those be Alex and Tobias.


3. Population of several mail aliases, Bugzilla groups etc.
-----------------------------------------------------------
The following groups/aliases had to be cleaned and updated in order to
ensure that no outdated entries still exist.


3.1 CERT mails
It has been decided that all team members who attended the meeting will
receive the CERT mails. Matthias will put a list together and send it to
the security alias before informing CERT.


3.2 vendor-sec alias
Out of respect for the group, the team decided to have only a limited
number of people subscribed. As such, everyone has been removed from the
alias and only Alex, Tobias, and Stefan have been put on it. The team
agreed to further evaluate subscribing active members at the next meeting.


3.3 "securitymail" group on dev.gentoo.org
The team decided that only the new leads will be allowed to edit mail
aliases.


3.4 "security" mail alias and "security" group on Bugzilla
The team agreed that every "full" team member should be on/in these. The
leads will have the power to edit them.


4. Handling of the current GLSA and bug queues and how to avoid such
situations in the future
--------------------------------------------------------------------
The new GLSAMaker will ease the team's work considerably and its
development is currently of utmost importance. Alex and Tobias have
given a summary of the new GLSAMaker: it is in a near-usable state, the
goal is to have our information integrated better, it will replace the
old CVE tracker, it is much easier to draft minor issues with it, and
permission groups allow non-team members and new recruits to help with
drafting.

Alex and Tobias will see to getting a usable beta version of GLSAMaker2
deployed by Oct 1, 2010, while the rest of the team will try to get
some GLSAs out with the old one.

The team agreed to send "mini-GLSAs" for minor issues, that is, a usual
GLSA with shorter description and impact texts, like we did a few months
ago.


5. Any other topic
------------------
In order to be more open to users, Matthias will draft an announcement
explaining our current situation.

Alex will arrange for a wiki to document todo lists and miscellaneous stuff.

The team will hold meetings more frequently; every 2 or 3 months has
been suggested. The next meeting will be around mid-October to vote on
this and also to check the progress of GLSAMaker2.

There is no further need for the position of the infrastructure liaison
and it has been removed. Robin suggested bugging either him or Ned instead.

Tobias will merge documentation files from devspaces into our project pages.