[2010/09/01 20:29:30] @ Log started by gen2
[2010/09/01 20:29:30] @ Joined channel #gentoo-security
[2010/09/01 20:29:30] @ Topic is "Project Meeting 2010-09-01 18:30 UTC in here | This channel is only for coordinating vulnerabilities and GLSA releases. For an end-user support channel, see #gentoo | http://security.gentoo.org | New recruits: http://www.gentoo.org/security/en/padawans.xml"
[2010/09/01 20:29:30] @ Topic set by vorlon078!~vorlon@gentoo/developer/vorlon on Mon Aug 30 22:16:23 +0200 2010
[2010/09/01 20:29:30] @ Mode +cntz by kornbluth.freenode.net
[2010/09/01 20:29:38] bye _Craig_ :P
[2010/09/01 20:29:39] three loggers now
[2010/09/01 20:29:41] at leat
[2010/09/01 20:29:42] *least
[2010/09/01 20:29:52] <_Craig_> I'm against data retention!
[2010/09/01 20:29:53] that should be enough :)
[2010/09/01 20:30:01] * _Craig_ logs, too
[2010/09/01 20:30:02] hi
[2010/09/01 20:30:12] hi everyone
[2010/09/01 20:30:12] * a3li deletes _Craig_
[2010/09/01 20:30:27] since it's time now... could we have a short roll call
[2010/09/01 20:30:30] * vorlon078 is here
[2010/09/01 20:30:30] Do we have an agenda?
[2010/09/01 20:30:42] * Chainsaw is present(ly awaiting an agenda link!)
[2010/09/01 20:30:44] http://archives.gentoo.org/gentoo-security/msg_69f93c889d9aaeeb3a13d679f1abde8c.xml
[2010/09/01 20:31:12] I am here, hey folks.
[2010/09/01 20:31:18] http://dev.gentoo.org/~vorlon/security/meeting-20100901.xml
[2010/09/01 20:31:27] underling: great
[2010/09/01 20:31:44] * rbu here
[2010/09/01 20:31:46] * jaervosz is here too
[2010/09/01 20:31:54] Falco: ping
[2010/09/01 20:31:55] if there's anyone who doesn't know underling yet. he's that very active @cisco.com dude who files bugs in bugzilla :)
[2010/09/01 20:31:58] * p-y is here
[2010/09/01 20:33:25] _Craig_ keytoaster solar: meeting ping
[2010/09/01 20:33:31] <_Craig_> yo
[2010/09/01 20:33:57] yo
[2010/09/01 20:34:15] great
[2010/09/01 20:34:30] so we are more or less complete I guess and ready to start
[2010/09/01 20:35:41] well
[2010/09/01 20:35:53] <_Craig_> 1) project status
[2010/09/01 20:35:54] nobody added anything to the proposed agenda
[2010/09/01 20:36:12] so we should just start and add anything that still comes up to point 5
[2010/09/01 20:36:33] could someone give a short overview of where we stand right now
[2010/09/01 20:36:49] besides the existence of an enormous backlog
[2010/09/01 20:37:12] <_Craig_> Current status from my point of view: we file bugs, but we're slow sometimes. Sometimes we miss bugs.
[2010/09/01 20:37:25] <_Craig_> Things like firefox and browsers generally are a huge PITA
[2010/09/01 20:37:49] <_Craig_> lots of bugs, hard to trace, no one really likes doing that kind of work
[2010/09/01 20:38:11] The Mozilla trademark issues don't help.
[2010/09/01 20:38:37] <_Craig_> and there are times when no one files anything, because we're busy, e.g. with studies
[2010/09/01 20:38:44] or real life
[2010/09/01 20:38:46] yeah
[2010/09/01 20:39:04] <_Craig_> as the team is rather small, it can quickly happen that no one does anything for a week on critical bugs.
[2010/09/01 20:39:07] so the problem is not just drafting/reviewing but also filing bugs in time
[2010/09/01 20:39:17] what about the new glsamaker?
[2010/09/01 20:39:31] <_Craig_> IMHO, yes. High-priority gets attention, but lower ones not always.
[2010/09/01 20:39:32] p-y: maybe we talk about that later on
[2010/09/01 20:39:35] ok
[2010/09/01 20:39:58] _Craig_: but that's alright then. use the time you have as wisely as you can. :-)
[2010/09/01 20:40:00] in terms of bugs we usually do the easy stuff first. but we're already running at capacity while dealing with the easy stuff.
[2010/09/01 20:40:05] so the hard things don't get done.
[2010/09/01 20:40:20] <_Craig_> (like the gazillion of browser bugs)
[2010/09/01 20:40:25] on a larger scale, we're scratching on the surface of the amount of bugs and advisories we need to send
[2010/09/01 20:40:33] yeah
[2010/09/01 20:40:37] what is easy vs. hard? firefox, etc.. i heard. what else?
[2010/09/01 20:40:50] <_Craig_> webkit
[2010/09/01 20:40:50] and with the current active (not on the list) team, we're not getting the numbers lower, we're rather growing further apart from 0 open bugs
[2010/09/01 20:40:51] php, java...
[2010/09/01 20:41:21] ok.. so large packages are not easy. because they have so many issues?
[2010/09/01 20:41:35] it's the quantity as well as the list of affected packages
[2010/09/01 20:41:36] sidenote: I would like to add team membership to topic 4
[2010/09/01 20:42:07] rbu: as in 1 CVE affects xulrunner, firefox, thunderbird, seamonkey and several versions of these
[2010/09/01 20:42:12] and that >100 times
[2010/09/01 20:42:20] <_Craig_> or sometimes not all bugs get fixed, so we cannot send the glsa yet.
[2010/09/01 20:42:27] rbu: not only because of many issues, but also because some issues are fixed in one version, some in another only, some in both
[2010/09/01 20:42:43] and more importantly, bugs that are not readily researched are completely left aside.
[2010/09/01 20:42:49] and sometimes it's hard to know whether it's fixed or not
[2010/09/01 20:43:17] ok, so our job sucks because most upstreams suck :)
[2010/09/01 20:43:24] heh
[2010/09/01 20:43:37] are we gathering problems first, and discussing solutions later, or do we do both in parallel?
[2010/09/01 20:43:42] so in summary we are very low on active resources and have some more trouble with the usual troublesome packages
[2010/09/01 20:43:55] keytoaster: i guess because upstream sucks, our job exists
[2010/09/01 20:44:23] according to the very short agenda I proposed this is the short status overview and we look at solutions later ;)
[2010/09/01 20:44:41] vorlon078: full ack
[2010/09/01 20:44:58] what's the status besides bug reporting?
[2010/09/01 20:45:34] it's the same wrt GLSA sending and CVE tracking.
[2010/09/01 20:45:46] a huge backlog with drafting, because no one wants to draft with the old glsamaker anymore
[2010/09/01 20:45:55] i personally am waiting till the new one is ready
[2010/09/01 20:46:15] all-in-all I'd say we're functional, but running on low flame.
[2010/09/01 20:46:19] I must admit, I was shown the glsamaker and it made me lose the will to live.
[2010/09/01 20:46:43] Chainsaw: the interface, or the backlog?
[2010/09/01 20:46:52] both probably
[2010/09/01 20:46:53] p-y: Both. They combine.
[2010/09/01 20:47:36] so actually it seems we have the problems we always had, just even worse this time
[2010/09/01 20:47:39] we have some new functions in the new glsamaker to quickly draft all those old, low severity issues within minutes
[2010/09/01 20:47:48] that would decrease the backlog partly
[2010/09/01 20:48:19] Could we adopt a rule that we kick out any advisory that is no longer relevant because newer software has already been stabled for another GLSA?
[2010/09/01 20:48:33] are there any status related questions left? else we should discuss the possible backlog solutions later on
[2010/09/01 20:48:33] (This kept happening for Asterisk)
[2010/09/01 20:48:42] vorlon078: yes. I think that is due to the reason that we're basically three active people plus one trainee
[2010/09/01 20:48:52] Chainsaw: people might still be running the vulnerable software
[2010/09/01 20:49:01] oh, for another GLSA
[2010/09/01 20:49:04] hrm..
[2010/09/01 20:49:15] well, that's just corner cases i guess
[2010/09/01 20:50:00] then I believe we should get on to topic 2
[2010/09/01 20:50:06] yes.
[2010/09/01 20:50:07] if nobody objects
[2010/09/01 20:50:24] one question still
[2010/09/01 20:50:34] what about new recruits, team maintenance?
[2010/09/01 20:50:45] what is the status there
[2010/09/01 20:51:01] I started working with Chainsaw, but I've sent him to the council where his work is just as needed.
[2010/09/01 20:51:01] we had a few requests from different people, both devs and non-devs
[2010/09/01 20:51:20] those non-devs never returned because we just didn't have enough time to train them
[2010/09/01 20:51:28] (apart from underling :)
[2010/09/01 20:51:36] underling is doing a good job with filing bugs, I shall introduce him to the magic of drafting soon
[2010/09/01 20:51:43] good
[2010/09/01 20:51:46] yeah
[2010/09/01 20:51:58] <_Craig_> keytoaster: chiiph got trained a bit too, but stopped filing.
[2010/09/01 20:51:58] underling: sounds great what you do, i saw some bugmail
[2010/09/01 20:52:05] porps
[2010/09/01 20:52:09] _Craig_: yes, that's my fault too
[2010/09/01 20:52:18] rbu: thanks, I am looking forward to "magic"
[2010/09/01 20:52:25] i'll ask him again when the new glsamaker is done
[2010/09/01 20:52:46] keytoaster: it'll be never done, just v1.0 :p
[2010/09/01 20:52:51] vorlon078: feel free to go to #2 then from my side
[2010/09/01 20:52:52] keytoaster: well... not really... I'm with my hands full with other things apart from gentoo atm...
[2010/09/01 20:52:54] yeah yeah
[2010/09/01 20:53:01] chiiph: oh, ok then :(
[2010/09/01 20:53:01] ok
[2010/09/01 20:53:09] then lets get to topic 2
[2010/09/01 20:53:15] keytoaster: but don't count me out just yet...
[2010/09/01 20:53:25] lead election, simply because it is supposed to happen every year
[2010/09/01 20:54:05] i for one don't think we even need leads
[2010/09/01 20:54:16] keytoaster: Someone has to cast the deciding voice.
[2010/09/01 20:54:20] it has always been more or less a formality for us
[2010/09/01 20:54:25] keytoaster: hah.. you're not serious?
[2010/09/01 20:54:27] keytoaster: Running things by committee will turn you into Debian.
[2010/09/01 20:54:37] no swearing please :)
[2010/09/01 20:54:38] ok, then what have our leads done in the last two years?
[2010/09/01 20:54:39] and in rare cases decisions have to be made
[2010/09/01 20:54:43] keytoaster: at least for the CERT mails
[2010/09/01 20:54:45] i don't recall there has been any decision
[2010/09/01 20:54:48] and that kind of stuff
[2010/09/01 20:55:29] keytoaster: The best managers are the ones you don't see (micro!)managing stuff all the time.
[2010/09/01 20:55:44] back then leads just meant taking the lead in doing the hard work and ensuring some progress
[2010/09/01 20:55:45] keytoaster: not that much, I have to admit :(
[2010/09/01 20:55:57] well there used to be administrative stuff like rights for bugzie, v-sec etc.
[2010/09/01 20:56:00] p-y: it wasn't meant to be an insult
[2010/09/01 20:56:04] I know
[2010/09/01 20:56:08] but still
[2010/09/01 20:56:10] more like there simply was no need for them
[2010/09/01 20:56:17] leads were the points of contact for cert and encrypted mail etc
[2010/09/01 20:56:35] Chainsaw: we don't need micro management. but we also need someone who understands the state of the group, and keeps them together
[2010/09/01 20:56:42] vorlon078: ok, that's about it
[2010/09/01 20:56:49] rbu: ++
[2010/09/01 20:56:54] i do not feel i can currently do that, so i'd be happy if new (old) faces could step up
[2010/09/01 20:57:02] old=known
[2010/09/01 20:57:16] lol
[2010/09/01 20:57:26] anyway
[2010/09/01 20:57:37] is there anyone willing and able to do it?
[2010/09/01 20:57:38] well if you want a newish face, I'd be happy to help out
[2010/09/01 20:57:46] me too
[2010/09/01 20:57:51] * Chainsaw votes for a3li
[2010/09/01 20:57:57] simply because we're the few active people
[2010/09/01 20:57:58] * _Craig_ points at a3li, too
[2010/09/01 20:58:29] just don't do it like py and me did.. after the vote, disappear!
[2010/09/01 20:58:34] I would have said me too, but since I can't guarantee a fixed amount of dedicated time yet, that would not be the best choice
[2010/09/01 20:58:41] rbu++
[2010/09/01 20:59:15] ok.. anyone else who wants to be nominated?
[2010/09/01 20:59:29] Chainsaw and a3li so far
[2010/09/01 20:59:33] i would nominate craig on top of that
[2010/09/01 20:59:40] <_Craig_> Oo
[2010/09/01 20:59:41] vorlon078: What? No. keytoaster & a3li.
[2010/09/01 20:59:44] vorlon078: you mean keytoaster and me :)
[2010/09/01 20:59:51] oops typo and tab completions, sorry
[2010/09/01 21:00:03] The sound herd pulled that trick last time.
[2010/09/01 21:00:06] so keytoaster and a3li with _Craig_ on top
[2010/09/01 21:00:12] * Chainsaw is not falling for that again
[2010/09/01 21:00:13] erm *cough*
[2010/09/01 21:01:15] so anyone else?
[2010/09/01 21:01:56] ETIMEOUT
[2010/09/01 21:02:01] * Chainsaw points at a3li
[2010/09/01 21:02:11] _Craig_: want to be nominated?
[2010/09/01 21:02:56] do we have one or two votes per team member?
[2010/09/01 21:03:09] next question... how many leads
[2010/09/01 21:03:11] <_Craig_> uhm, I'd prefer being a full dev before leading anything
[2010/09/01 21:03:14] we did some combined vote last time
[2010/09/01 21:03:18] we used to have 2 and had 3 for some time too
[2010/09/01 21:03:29] <_Craig_> let's have 2 votes
[2010/09/01 21:03:41] <_Craig_> should we vote on that? ;)
[2010/09/01 21:03:55] * keytoaster votes for 2 votes
[2010/09/01 21:04:00] arghhhhh
[2010/09/01 21:04:06] * p-y seconds keytoaster
[2010/09/01 21:04:15] _Craig_: you do not have to be an ebuild dev to be a team lead
[2010/09/01 21:04:23] rbu: ++
[2010/09/01 21:05:13] _Craig_: in fact, it may even help you keep focus not to be distracted by latest release of $software
[2010/09/01 21:05:33] so if we simply have 2 or 3 nominees we could vote for all en bloc
[2010/09/01 21:06:11] if nobody objects to that, or give votes and take the 2? with the highest amount of votes
[2010/09/01 21:06:12] <_Craig_> rbu: I know that, but still. I know I'm just too busy right now and for the next months.
[2010/09/01 21:06:40] <_Craig_> So, next time. ;)
[2010/09/01 21:07:34] _Craig_: too bad.. but i appreciate your anticipation
[2010/09/01 21:07:35] ok
[2010/09/01 21:07:40] yeah
[2010/09/01 21:08:01] <_Craig_> so, two votes.
[2010/09/01 21:08:04] then if nobody objects I say we simply vote on accepting the two nominees
[2010/09/01 21:08:12] vorlon078: ++
[2010/09/01 21:08:13] yes. one vote
[2010/09/01 21:08:17] yep
[2010/09/01 21:08:20] <_Craig_> okok
[2010/09/01 21:08:24] i want a3li and keytoaster as leads
[2010/09/01 21:08:31] _Craig_: what would happen if one would be not accepted? :)
[2010/09/01 21:08:32] <_Craig_> me, too.
[2010/09/01 21:08:44] I vote for a3li and keytoaster as well
[2010/09/01 21:08:49] me too
[2010/09/01 21:08:55] me too:)
[2010/09/01 21:09:02] <_Craig_> a3li: damocles sword will hit someone.
[2010/09/01 21:09:06] so can a3li and me vote for ourselves?
[2010/09/01 21:09:11] I confirm, a3li as primary, keytoaster as secondary.
[2010/09/01 21:09:13] sure you can
[2010/09/01 21:09:46] you should! or do you not trust yourselves?
[2010/09/01 21:09:56] ok, i vote for a3li and me :)
[2010/09/01 21:10:13] I vote against not being team lead together with keytoaster
[2010/09/01 21:10:23] then so it will be
[2010/09/01 21:10:23] shit, now we're screwed
[2010/09/01 21:10:33] oh wait, "against not"
[2010/09/01 21:10:39] haha
[2010/09/01 21:10:44] you got me there :(
[2010/09/01 21:11:00] <_Craig_> haha
[2010/09/01 21:11:00] i count many votes for and none against a3li and keytoaster as the new team leads
[2010/09/01 21:11:13] congrats
[2010/09/01 21:11:17] vorlon078: "Unanimous" is shorter.
[2010/09/01 21:11:19] well I want to thank our two predecessors. especially rbu for always replying to my enquiries about the content of the CERT emails I couldn't read :)
[2010/09/01 21:11:38] ++
[2010/09/01 21:11:39] congrats a3li and keytoaster
[2010/09/01 21:11:50] in case you accept the voting of course
[2010/09/01 21:11:52] ;-)
[2010/09/01 21:11:56] first action duty as new leads: buy old leads beer
[2010/09/01 21:12:01] ++
[2010/09/01 21:12:16] rbu: sure, if you show up here :)
[2010/09/01 21:12:20] and two bear for the leads before the old leads
[2010/09/01 21:12:22] <_Craig_> rbu: ...if they show up and file bugs :P
[2010/09/01 21:12:26] beer even
[2010/09/01 21:12:29] bear
[2010/09/01 21:12:32] vorlon078: here, have a pedobear
[2010/09/01 21:12:33] sec, gonna shoot some
[2010/09/01 21:12:46] yeah just keep hitting
[2010/09/01 21:12:58] :-P
[2010/09/01 21:13:00] ok
[2010/09/01 21:13:04] agenda++;
[2010/09/01 21:13:09] if there are no objections again, then lets go on
[2010/09/01 21:13:21] # Population of several mail aliases, bugzilla groups etc.
[2010/09/01 21:13:56] we need to go through the v-sec alias to see, cert mails and bugzilla security group
[2010/09/01 21:13:58] what is meant by that exactly?
[2010/09/01 21:14:01] -to see
[2010/09/01 21:14:24] who is supposed to be receiving cert mails at the moment
[2010/09/01 21:14:34] who should be on v-sec, which is pretty crowded right now
[2010/09/01 21:14:50] To: Matthias Geerdsen , Raphael Marichez , Pierre-Yves Rofes , Robert Buchholz
[2010/09/01 21:14:51] and who should be on the bugzilla group for security bugs and be able to set that membership
[2010/09/01 21:14:54] Cc: Gentoo Security Team , CERT Coordination Center
[2010/09/01 21:14:57] that is CERT as-is
[2010/09/01 21:15:02] ok, cert: is it policy by them that only the leads (or only 2?) people may receive the mails?
[2010/09/01 21:15:16] <_Craig_> who should be on the bugzilla group for security bugs and be able to set that membership << leads.
[2010/09/01 21:15:19] keytoaster: no, I made the contact a few years ago
[2010/09/01 21:15:32] any reason against having everyone receive them?
[2010/09/01 21:15:32] and there should be no such policy from cert side
[2010/09/01 21:15:47] <_Craig_> who should be on v-sec << seniors (+1 years active in the security team)
[2010/09/01 21:15:59] i mean, the entire team deals with confidential stuff, not receiving the cert mails won't make a difference wrt trustworthiness
[2010/09/01 21:16:02] maybe let's focus on one list
[2010/09/01 21:16:04] so CERT forst
[2010/09/01 21:16:05] *first
[2010/09/01 21:16:10] a3li: ++
[2010/09/01 21:16:17] the problem with CERT is that they GPG sign
[2010/09/01 21:16:23] so we cannot just update the list of receivers
[2010/09/01 21:16:27] exactly
[2010/09/01 21:16:49] a few more people would be good, so that we avoid forwarding in cleartext
[2010/09/01 21:17:32] who actually would like to get the mails directly from cert?
[2010/09/01 21:17:35] a few more on top of the ones that already receive them?
[2010/09/01 21:17:38] at least the new leads should
[2010/09/01 21:17:54] sorry for my sucky grammar and spelling today, pretty tired
[2010/09/01 21:18:01] p-y: agreed
[2010/09/01 21:18:38] craig and chainsaw could also see them. i see no point in leaving them out
[2010/09/01 21:18:50] rbu++
[2010/09/01 21:18:53] that's my point
[2010/09/01 21:18:55] i'd rather exclude myself from that list if they object to sending to 8 people
[2010/09/01 21:19:26] then let's ask the other way around, is there anyone who does not want to get the cert mails
[2010/09/01 21:20:17] then I would just ask them to add everyone who is attending this meeting and a member of the security project
[2010/09/01 21:20:20] hrm, perhaps we should start by talking about who "the team" is. there are some people on the project page that have a) been inactive for years and b) not shown up to the meeting
[2010/09/01 21:20:33] cool, we have the same thoughts there :)
[2010/09/01 21:20:55] then let me add ...at the end of this meeting
[2010/09/01 21:21:01] is that alright for everyone
[2010/09/01 21:21:07] vorlon078: ++
[2010/09/01 21:21:09] <_Craig_> yo
[2010/09/01 21:21:10] yep
[2010/09/01 21:21:17] i will put a list together and send it on the security alias before sending to cert
[2010/09/01 21:21:19] yup
[2010/09/01 21:21:27] good
[2010/09/01 21:21:36] wasn't that the job of the leads? :)
[2010/09/01 21:21:40] vorlon078: ^
[2010/09/01 21:22:24] well job of old leads is to get people on the cert list
[2010/09/01 21:22:32] :)
[2010/09/01 21:22:41] well. if you want to do it, do it.
[2010/09/01 21:22:44] job of the lead is making sure things get done. not necessarily doing them ;-)
[2010/09/01 21:23:00] okay, so no pointing at tobias and me for not doing our job then :)
[2010/09/01 21:23:21] rbu: exactly
[2010/09/01 21:23:26] I simply said I would do it, since I am a known contact for cert
[2010/09/01 21:23:31] anyway
[2010/09/01 21:23:34] lets get on
[2010/09/01 21:23:37] v-sec alias
[2010/09/01 21:23:42] vendor-sec : rbu,py,falco,jaervosz,vorlon,a3li
[2010/09/01 21:23:51] get me off
[2010/09/01 21:23:55] ah, I thought there were more
[2010/09/01 21:24:01] I'd like at least keytoaster to be there as well
[2010/09/01 21:24:08] there should be 2-4 active people on there
[2010/09/01 21:24:11] and falco off before anyone else
[2010/09/01 21:24:12] if you don't mind I would like to stay on the alias
[2010/09/01 21:24:18] and _Craig_ on, if he wants
[2010/09/01 21:24:19] planning to be more active anyway
[2010/09/01 21:24:33] vorlon078: good
[2010/09/01 21:24:50] if it is a problem for anyone, I don
[2010/09/01 21:24:56] 't mind if you want to get me off the list
[2010/09/01 21:24:57] <_Craig_> vendorsec: me too, if possible.
[2010/09/01 21:25:02] i'm hoping to be more active as well, but can be removed if needed
[2010/09/01 21:25:10] a3li,keytoaster,vorlon,X
[2010/09/01 21:25:10] jaervosz++
[2010/09/01 21:25:37] then I would say current alias -falco +craig
[2010/09/01 21:25:47] <_Craig_> :)
[2010/09/01 21:26:31] any objections?
[2010/09/01 21:26:33] and keytoaster?
[2010/09/01 21:26:38] yeah
[2010/09/01 21:26:39] oh, right
[2010/09/01 21:26:40] ah yeah of course
[2010/09/01 21:26:43] p-y: good catch
[2010/09/01 21:26:47] heh :)
[2010/09/01 21:27:00] so rbu says max 4 people
[2010/09/01 21:27:03] we're at 6 already
[2010/09/01 21:27:09] with keytoaster and craig 7
[2010/09/01 21:27:13] rbu,py,jaervosz,vorlon,a3li,keytoaster,craig
[2010/09/01 21:27:15] (and falco removed)
[2010/09/01 21:27:19] is that rbu's opinion or policy vendor-sec-wise?
[2010/09/01 21:27:35] v-sec would like to keep it low at least
[2010/09/01 21:27:48] i don't know the original deal
[2010/09/01 21:28:47] i think hardly any distro has so many people on the list. i don't think there's a policy, i rather feel that with the "state" of the list (you know what i mean) there should really be a limited number of people on there
[2010/09/01 21:28:59] vorlon078: well, they can assume that we'd leak it otherwise anyway :)
[2010/09/01 21:29:10] rbu is right though
[2010/09/01 21:29:49] yeah rbu is right
[2010/09/01 21:30:02] @ robbat2|na joined channel #gentoo-security
[2010/09/01 21:30:06] at least just remove me and let the proven active ppl on the alias
[2010/09/01 21:30:15] just as a sidenote.. i'm currently considering whether i can put any time into gentoo security anymore or not. and if i want to do more, there's plenty work outside of vendor sec
[2010/09/01 21:30:16] solar, you want to be sec team infra contact?
[2010/09/01 21:30:31] if devs go awol for some time just replace them with active devs
[2010/09/01 21:30:56] rbu: :( but thanks for being specific
[2010/09/01 21:31:13] re infra contact, what all do you need from me? how's the new glsamaker that a3li was working on?
[2010/09/01 21:31:22] robbat2|na: later on the agenda
[2010/09/01 21:31:39] robbat2|na: we're in the middle of a meeting
[2010/09/01 21:31:44] robbat2|na: and I think there's a special group for editing the security aliases. keytoaster and I would like access as new team leads
[2010/09/01 21:31:47] my fault, i ordered him here :)
[2010/09/01 21:31:55] keytoaster asked me here re infra contact
[2010/09/01 21:32:07] robbat2|na: i guess the main question is.. who is klieber? is there a point in having him as infra liaison?
[2010/09/01 21:32:14] robbat2|na: lol
[2010/09/01 21:32:17] err
[2010/09/01 21:32:19] rbu: lol
[2010/09/01 21:32:26] heh
[2010/09/01 21:32:30] klieber's still nominally infra, but hasn't been seen in ages, and potentially retirable
[2010/09/01 21:32:49] klieber was also one of the founders of the sec team if i remember right
[2010/09/01 21:32:49] that's why I was asking what you need out of an infra liaison
[2010/09/01 21:32:55] but i haven't seen him for years
[2010/09/01 21:33:05] as if he hasn't been around, and you haven't needed anything from him, does the position even need to exist?
[2010/09/01 21:33:20] i don't think so
[2010/09/01 21:33:23] robbat2|na: I don't believe that job is well defined
[2010/09/01 21:33:30] if it does, what do you need from the person?
[2010/09/01 21:33:40] i think we just cc'ed you and solar anyway if infra needs to act on a confidential bug
[2010/09/01 21:33:46] we basically just need him for shell access on the glsamaker box
[2010/09/01 21:33:56] we used to cc someone from infra on confidential bugs relevant for infra
[2010/09/01 21:34:22] keytoaster: leads used to have shell on the current infra box
[2010/09/01 21:34:29] just drop the position, and CC me/solar
[2010/09/01 21:34:34] robbat2|na: agreed
[2010/09/01 21:34:37] other infra needs are pretty stock
[2010/09/01 21:34:48] ok, agreed
[2010/09/01 21:35:43] i'll lurk here now, for the new glsamaker stuff later
[2010/09/01 21:35:43] good.
[2010/09/01 21:35:49] okay.
[2010/09/01 21:35:50] if there are no objections we will then do as robbat2|na just proposed
[2010/09/01 21:35:53] ping if you need me
[2010/09/01 21:36:03] thanks robbat2|na
[2010/09/01 21:36:07] vorlon078: ack
[2010/09/01 21:36:08] then lets get back to v-sec
[2010/09/01 21:36:12] good
[2010/09/01 21:36:50] we proposed "rbu,py,jaervosz,vorlon,a3li,keytoaster,craig" but that was too many
[2010/09/01 21:37:03] so let's divide that into two groups: 1) people that we want to have there for sure, and 2) people who can still be on there if allowed
[2010/09/01 21:37:22] I think on there for sure would be keytoaster, vorlon and me
[2010/09/01 21:37:26] * jaervosz is 2 unfortunately
[2010/09/01 21:37:36] and do we actually want to discuss the names on that alias publicly?
[2010/09/01 21:37:46] it's publicly visible for any dev
[2010/09/01 21:37:47] vorlon078: we already kind of did that....
[2010/09/01 21:37:56] i know ;-)
[2010/09/01 21:37:58] vorlon078: lol... too late
[2010/09/01 21:38:03] i am for transparency anyways
[2010/09/01 21:38:03] vorlon078: so unless you want to recruit a completely new team...
[2010/09/01 21:38:10] we just rename
[2010/09/01 21:38:13] @ a3li is now known as a4li
[2010/09/01 21:38:14] see?
[2010/09/01 21:38:16] cool
[2010/09/01 21:38:17] lol
[2010/09/01 21:38:22] lol
[2010/09/01 21:38:37] for security reasons the team's nicknames have to be changed weekly
[2010/09/01 21:38:45] oh my, hopefully that's a long long
[2010/09/01 21:38:47] sorry for the interruption
[2010/09/01 21:38:50] or else I'll overflow soon :(
[2010/09/01 21:38:50] 1) a3li,keytoaster,craig
[2010/09/01 21:39:11] yep
[2010/09/01 21:39:24] I think we should be able to allow 2 people from the 2) group
[2010/09/01 21:39:36] or we could assign those later
[2010/09/01 21:39:50] let's say in X months, after you've all had a chance to see how much time you can spend with gentoo sec
[2010/09/01 21:40:26] @ a4li is now known as a3li
[2010/09/01 21:40:27] or "when you made the glsa backlog half its size"
[2010/09/01 21:40:38] <_Craig_> we can still try getting everyone in.
[2010/09/01 21:40:41] I think sending that mozilla GLSA should be even enough :)
[2010/09/01 21:40:43] a3li: that sounds reasonable
[2010/09/01 21:41:39] a3li: sounds reasonable
[2010/09/01 21:41:55] _Craig_: it's really not a question of getting people in. we administrate who is in and who is out. it's rather a question of ... let's say respect (?) to the group
[2010/09/01 21:42:14] besides
[2010/09/01 21:42:25] v-sec likes people on the list to be active members
[2010/09/01 21:42:31] on the list that is
[2010/09/01 21:42:57] ok
[2010/09/01 21:43:33] so for now we put a3li keytoaster and _Craig_
[2010/09/01 21:44:10] btw, it would be good to inform v-sec of changes on the alias, others do that too
[2010/09/01 21:44:18] yes.
[2010/09/01 21:44:29] I'd say let's talk about the other spots around christmas?
[2010/09/01 21:44:34] three months should be reasonable
[2010/09/01 21:44:48] a3li: I wanted to talk about a date for the next meeting in the end anyways
[2010/09/01 21:44:51] and regular meetings
[2010/09/01 21:45:21] are there any objections to the above change for the vendor-sec alias?
[2010/09/01 21:45:27] no
[2010/09/01 21:45:29] no
[2010/09/01 21:45:45] no
[2010/09/01 21:46:21] alright
[2010/09/01 21:46:43] btw, is anyone gonna write a meeting summary?
[2010/09/01 21:46:49] if no, i'd do that
[2010/09/01 21:46:59] keytoaster: good, then you do it ;-)
[2010/09/01 21:47:02] otherwise i would have
[2010/09/01 21:47:10] No objections.
[2010/09/01 21:47:21] ok
[2010/09/01 21:47:38] I'll do the v-s notification and alias changing
[2010/09/01 21:47:42] I'm happy with how I'm kept in the loop on everything; I realise I'm not the most active person for security right now.
[2010/09/01 21:47:43] a3li: keytoaster then I would say go ahead and ask infra to change the alias
[2010/09/01 21:47:54] vorlon078: i think we can change the alias ourselves
[2010/09/01 21:48:01] err, the alias
[2010/09/01 21:48:04] If it's relevant to my interests I trust someone will forward it to me :)
[2010/09/01 21:48:05] sorry, i was thinking bugzilla
[2010/09/01 21:48:13] robbat2|na: can you add keytoaster and me to the securitymail group on pecker?
[2010/09/01 21:48:32] a3li: that's not enough, at least it used not to be
[2010/09/01 21:48:51] maybe robbat2|na can make it be enough? :)
[2010/09/01 21:48:51] well, we can edit the alias file then :)
[2010/09/01 21:49:00] argh
[2010/09/01 21:49:27] vendor-sec can only be edited by infra afaict/afaik
[2010/09/01 21:49:33] ok, you should be able to edit all aliases in /var/mail/alias/security/ now (after you cycle login to get new groups)
[2010/09/01 21:49:33] that is not the worst thing i guess
[2010/09/01 21:49:41] i can move vendor-sec alias if you want?
[2010/09/01 21:50:01] robbat2|na: please do
[2010/09/01 21:50:14] done
[2010/09/01 21:50:14] @ Ford_Prefect joined channel #gentoo-security
[2010/09/01 21:50:20] gracias
[2010/09/01 21:50:41] securitymail group currently consists of: solar,vorlon,falco,py,rbu,keytoaster,a3li
[2010/09/01 21:51:52] we should add _Craig_
[2010/09/01 21:52:24] I think leads is enough
[2010/09/01 21:52:33] as the group basically reads like a lead history
[2010/09/01 21:53:04] a3li: it used to be leads, we actually introduced editing the alias ourselves back at that time
[2010/09/01 21:53:05] <_Craig_> agreed.
[2010/09/01 21:53:22] why not remove old leads then?
[2010/09/01 21:53:24] and it does not make sense to restrict the v-sec exploder when we all can change it
[2010/09/01 21:53:30] only make it keytoaster,a3li
[2010/09/01 21:53:32] vorlon078++
[2010/09/01 21:53:44] and to add a little history to that
[2010/09/01 21:54:04] it was quite hard for gentoo to get on vendor-sec in the first place
[2010/09/01 21:54:21] that is a reason why the alias was under strict control
[2010/09/01 21:54:56] since vendor-sec is a lot about trust, we should keep that in mind
[2010/09/01 21:55:06] okay
[2010/09/01 21:55:19] good
[2010/09/01 21:55:27] vorlon078: reading mail is one thing, having ssh login to the mail server is another
[2010/09/01 21:55:34] robbat2|na: please drop everyone besides keytoaster and me from securitymail
[2010/09/01 21:55:38] jaervosz: it's dev.gentoo.org :)
[2010/09/01 21:56:03] a3li: some of us get our mail forwarded to other boxes
[2010/09/01 21:56:07] a mail server where every dev has shell access would be a topic in itself i guess
[2010/09/01 21:56:16] anyways
[2010/09/01 21:56:21] anyways!
[2010/09/01 21:56:22] let's move on
[2010/09/01 21:56:25] bugzie
[2010/09/01 21:56:41] 21:17:47 < idl0r> a3li, craig, falco, jaervosz, keytoaster, py, rbu, vapier, vorlon
[2010/09/01 21:56:58] members of the security group
[2010/09/01 21:57:01] a3li, done
[2010/09/01 21:57:04] see above
[2010/09/01 21:57:06] robbat2|na: thanks
[2010/09/01 21:57:22] i can make a new group for that one file if that would help too
[2010/09/01 21:57:35] I think we're good now
[2010/09/01 21:57:48] the alias isn't any less confidential than v-s
[2010/09/01 21:57:55] security@ being the 'alias'
[2010/09/01 21:58:13] ok
[2010/09/01 21:58:17] bugzilla: we can keep things the way they are imo.
[2010/09/01 21:58:32] re security group. i think everyone on the alias should be in the group, and that is everyone in the team ?
[2010/09/01 21:58:39] ack
[2010/09/01 21:58:45] more or less
[2010/09/01 21:58:57] more or less?
[2010/09/01 21:59:02] security : klieber,jaervosz,vorlon,vapier,falco,solar,py,keytoaster,rbu,a3li,asym,craig
[2010/09/01 21:59:05] that's the alias
[2010/09/01 21:59:10] asym?
[2010/09/01 21:59:15] yeah asym?
[2010/09/01 21:59:20] lol
[2010/09/01 21:59:21] he did kernel-check with rbu in 2009
[2010/09/01 21:59:25] he was doing kernel security, but is being retired now
[2010/09/01 21:59:25] already being retired
[2010/09/01 21:59:32] then remove him
[2010/09/01 21:59:35] klieber too?
[2010/09/01 21:59:37] <_Craig_> it's not through yet
[2010/09/01 21:59:44] <_Craig_> he was given the usual 14 days
[2010/09/01 21:59:52] and this weird craig guy
[2010/09/01 22:00:00] :-P
[2010/09/01 22:00:29] "who is in the team" is another question. but i think there should be no "more or less", but the stuff should be in sync
[2010/09/01 22:00:38] agreed
[2010/09/01 22:00:42] yup, right
[2010/09/01 22:00:49] rbu: the team is the security alias as i see it
[2010/09/01 22:00:50] there used to be the powers.xml which described who can do what
[2010/09/01 22:00:57] I'm happy to just be AMD64 liaison, yes :)
[2010/09/01 22:01:03] + padawans et al
[2010/09/01 22:01:28] padawans have not been on the security alias
[2010/09/01 22:01:30] vorlon078: i think chainsaw is in the team, no?
[2010/09/01 22:01:42] he's a padawan technically
[2010/09/01 22:01:48] oh man
[2010/09/01 22:01:53] vorlon078: you mean http://dev.gentoo.org/~falco/powers.html ?
[2010/09/01 22:01:54] but now hired to the council
[2010/09/01 22:01:55] huge mess here
[2010/09/01 22:02:06] Chainsaw: get your butt up and join, man! :-)
[2010/09/01 22:02:14] p-y: yes
[2010/09/01 22:02:20] that was made by koon way back
[2010/09/01 22:02:21] p-y: whoa, we'll have to move that into our project space
[2010/09/01 22:02:27] indeed
[2010/09/01 22:02:28] i can do that if you want
[2010/09/01 22:02:34] make it so
[2010/09/01 22:02:37] rbu: With my current workload, it wouldn't be fair. A colleague of mine has left, and I'm doing the job of about 3 or 4 people right now.
[2010/09/01 22:03:08] brb
[2010/09/01 22:03:10] okay as for security@ right now
[2010/09/01 22:03:15] I'll remove klieber and asym
[2010/09/01 22:03:16] Chainsaw: sucks. sorry. well, hope you get more help@work soon then
[2010/09/01 22:03:25] ok, vorlon078 is brb, me too
[2010/09/01 22:03:29] 5-10 minutes
[2010/09/01 22:03:30] sorry
[2010/09/01 22:03:32] there's probably other interesting stuff to merge in ~falco
[2010/09/01 22:03:49] rbu: There's budget for an assistant next year.
[2010/09/01 22:03:58] rbu: I will be looking for a Gentoo developer with commit privs.
[2010/09/01 22:04:19] not too hard to find in this channel i guess [2010/09/01 22:04:23] back [2010/09/01 22:04:44] a3li: ack wrt security@ [2010/09/01 22:04:50] mhm being Chainsaw's PFY would mean access to those nice salt and vinegar crisps they have in GB [2010/09/01 22:04:59] okay [2010/09/01 22:05:30] Yes, and living in the cathedral city of Peterborough :) [2010/09/01 22:05:42] we could make a short break for keytoaster and start with team membership afterwards [2010/09/01 22:05:45] as long as it has a pub [2010/09/01 22:06:24] then we should speed things up a little [2010/09/01 22:06:28] a3li: Many pubs, yes :) [2010/09/01 22:07:07] okay, short break, let's go on at :15 [2010/09/01 22:07:26] yes [2010/09/01 22:07:30] I would actually like to go home at some point. [2010/09/01 22:07:30] the part 4 is probably the biggest and most interesting [2010/09/01 22:07:39] It is 9pm and I'm sitting at my work desk. [2010/09/01 22:08:08] Chainsaw: feel free to leave, there will be no more voting I guess. we'll have a log and you can always ask questions later [2010/09/01 22:08:22] Okay, thanks :) [2010/09/01 22:09:09] @ Quit: Chainsaw: Remote host closed the connection [2010/09/01 22:09:45] back [2010/09/01 22:11:49] <_Craig_> let's go on [2010/09/01 22:15:08] <_Craig_> hullo? [2010/09/01 22:15:21] now is :15 [2010/09/01 22:15:23] everyone back? :) [2010/09/01 22:15:23] * jaervosz is still here for a bit more [2010/09/01 22:15:26] yep [2010/09/01 22:15:31] let's move on [2010/09/01 22:15:33] ok [2010/09/01 22:15:34] okay so let's speeeeeed up [2010/09/01 22:16:05] so we sorted out the security alias I believe [2010/09/01 22:16:22] yes [2010/09/01 22:16:33] if there is nothing more about bugzilla et al, we could go on to team membership [2010/09/01 22:16:39] yes [2010/09/01 22:16:44] bugzilla is fine. 
defined to be == team [2010/09/01 22:16:47] @ Quit: Ford_Prefect: Ping timeout: 240 seconds [2010/09/01 22:16:54] now, let's talk about who the team is [2010/09/01 22:17:03] actually [2010/09/01 22:17:11] who is able to add people to the bugzie group? [2010/09/01 22:17:14] there is still the [2010/09/01 22:17:18] exactly [2010/09/01 22:17:29] should be the leads as well, right? [2010/09/01 22:17:34] there is a group who can do that [2010/09/01 22:17:43] i don't think there is a group [2010/09/01 22:17:45] I am currently still in it I believe [2010/09/01 22:17:49] a bugzie group [2010/09/01 22:17:49] people just get the bit set to be able to set it [2010/09/01 22:17:52] whatever you call it [2010/09/01 22:17:54] yes [2010/09/01 22:18:42] actually i can change that bit [2010/09/01 22:18:46] so. bottom line: team leads should have that flag? [2010/09/01 22:18:47] because i'm a recruiter [2010/09/01 22:18:55] if yes, I'll talk to idl0r later and have things sorted. [2010/09/01 22:19:01] but i don't seem to find a way to see who already has it [2010/09/01 22:19:13] a3li: that was the idea behind it at that time [2010/09/01 22:19:20] okay. I'll get it done later. [2010/09/01 22:19:26] next agenda item? [2010/09/01 22:19:27] ok, cool. [2010/09/01 22:20:06] 4) handling of the current GLSA and bug queues and how to avoid such situations in the future [2010/09/01 22:20:31] bedtime here have to get up at 5 am in the morning. However with my new job i should be available during normal working hours to help out, i'll try pinging again in here in the morning [2010/09/01 22:20:51] good night jaervosz and hope to see you around again here [2010/09/01 22:20:52] yes, that's the most important bit. we need to get everyone working again. [2010/09/01 22:20:58] so thanks jaervosz, see you! [2010/09/01 22:21:16] ok, good night [2010/09/01 22:21:27] see you tomorrow and we'll do something about that terrible backlog [2010/09/01 22:21:35] that's the spirit! 
[2010/09/01 22:22:03] since it was brought up earlier that the new glsamaker might help cleaning the current queue, could someone shed some light on that [2010/09/01 22:22:08] shortly [2010/09/01 22:22:28] okay. we started writing a new glsamaker as you all know [2010/09/01 22:22:33] like eta and how it can help [2010/09/01 22:22:36] it's in a near-usable state [2010/09/01 22:22:50] the goal is to have our information integrated better [2010/09/01 22:22:53] vorlon078: pong [2010/09/01 22:22:53] that is combined with the idea of "mini glsas": we have boilerplates for description that just says "xxx is affected. please review the CVEs referenced below for details." [2010/09/01 22:23:01] hey, some activity here [2010/09/01 22:23:07] <_Craig_> a3li: what kind of problems are there to solve? [2010/09/01 22:23:09] I like the idea of mini-glsas [2010/09/01 22:23:12] Falco: nice of you to show up. [2010/09/01 22:23:14] Falco: team meeting [2010/09/01 22:23:22] was at work ^^ [2010/09/01 22:23:23] p-y: me too [2010/09/01 22:23:30] <_Craig_> keytoaster: ++ [2010/09/01 22:23:34] vorlon078: we did a bunch of those a few months ago [2010/09/01 22:23:36] Hey Falco! [2010/09/01 22:23:37] and in holidays, before [2010/09/01 22:23:39] hey p-y ! 
[2010/09/01 22:23:45] long time we haven't got a drink [2010/09/01 22:23:46] that actually went pretty fast and decreased the backlog [2010/09/01 22:23:53] Falco: yep [2010/09/01 22:23:54] Falco: hi [2010/09/01 22:23:54] and with the new glsamaker it's *very* easy to draft those [2010/09/01 22:24:07] keytoaster: I think we should do something like that for a while again [2010/09/01 22:24:09] _Craig_: the problem we are trying to solve is, that drafting an advisory isn't efficient and just not fun [2010/09/01 22:24:21] and let me claim that about 50% of the current backlog is just minor issues [2010/09/01 22:24:27] _Craig_: you have to get information from many sources and manually combine them [2010/09/01 22:24:29] well [2010/09/01 22:24:29] hi everyone, vorlon078 , keytoaster , a3li and jaervosz !! [2010/09/01 22:24:34] hi. [2010/09/01 22:24:51] vorlon078: not only for a while, IMHO [2010/09/01 22:24:52] at this point in the agenda i see two slightly different subjects [2010/09/01 22:25:18] first: how to get rid of the very old things needing a glsa [2010/09/01 22:25:29] second: how to ease things up in the future [2010/09/01 22:25:44] for the second part a better tool is part of the solution i would say [2010/09/01 22:25:52] it both boils down to motivating people and getting the new glsamaker done :) [2010/09/01 22:26:14] the currently full backlog of old stuff is demotivating [2010/09/01 22:26:22] oh btw [2010/09/01 22:26:22] yes. 
[2010/09/01 22:26:27] it would help to find a quick and easy way to get rid of that [2010/09/01 22:26:30] maybe it's a good occasion to review the vulnerability policy [2010/09/01 22:26:32] at the moment we don't give glsamaker access to everyone [2010/09/01 22:26:37] because it holds confidential information [2010/09/01 22:26:50] and send glsa only for really serious issues [2010/09/01 22:26:56] the new tool will have permission groups, so we can give new interested people access way earlier [2010/09/01 22:27:06] p-y: i don't consider that a good idea [2010/09/01 22:27:34] I'd rather like to send a less detailed GLSA for those B3 things [2010/09/01 22:27:40] a3li: agreed [2010/09/01 22:27:41] p-y: we could send mini GLSAs instead. just fill out affected, unaffected versions, use the boilerplates for the rest, done. [2010/09/01 22:27:44] i.e. what other distros do, copy the CVE text [2010/09/01 22:27:45] when is it "good enough" to use? i think that's the key to everything. not be perfect, but have it running and doing 80% of the job [2010/09/01 22:27:48] a3li++ [2010/09/01 22:27:50] yes, indeed [2010/09/01 22:27:56] rbu: within the year. [2010/09/01 22:28:04] a3li: thanks for that info [2010/09/01 22:28:15] <_Craig_> <@a3li> I'd rather like to send a less detailed GLSA for those B3 things <<< ++ [2010/09/01 22:28:17] then we need to find a way with the current tools to get rid of the large queue [2010/09/01 22:28:28] * _Craig_ wants mini-glsas, too. [2010/09/01 22:28:35] rbu: to replace the old tool: drafting is completely done. 
we need to create the txt advisory, xml advisory, and sending mails [2010/09/01 22:28:36] then let us define mini-glsa [2010/09/01 22:29:03] vorlon078: I say that because in the past, we used to send glsas for "minor" issues (DoS) on minor packages, and we were the only distro doing so, other fixed them silently [2010/09/01 22:29:04] rbu: actually i've sorted stuff on the redmine tracker [2010/09/01 22:29:19] that's a waste of energy IMO [2010/09/01 22:29:37] p-y: the thing is when there's a B2 bug coming later. what do you do with the DoS then? [2010/09/01 22:29:43] especially given the manpower shortage [2010/09/01 22:29:48] p-y: just discard it and not include in the advisory? [2010/09/01 22:29:59] vorlon078: like http://www.gentoo.org/security/en/glsa/glsa-201006-14.xml [2010/09/01 22:30:14] oh wait, that's actually still a pretty long one [2010/09/01 22:30:30] p-y: for such things i would propose to draft the changes to the policy, send to security@ and discuss it there [2010/09/01 22:30:36] or even better [2010/09/01 22:30:37] the gentoo-security list [2010/09/01 22:30:38] vorlon078: http://www.gentoo.org/security/en/glsa/glsa-201006-05.xml [2010/09/01 22:31:04] basically just a very short description and impact [2010/09/01 22:31:44] keytoaster: ok, thanks [2010/09/01 22:32:05] very good ! (that the new glsamaker tool will have permission groups) : because only very few glsas are actually confidential [2010/09/01 22:32:08] the new glsamaker could help there by filling in the background, getting the CVEs from the bug [2010/09/01 22:33:06] so what is the easiest way for us to deal with the old waiting drafts [2010/09/01 22:33:21] what we could do is a GLSA fest(tm) [2010/09/01 22:33:25] should we do mini-glsas like those examples in the current glsamaker? [2010/09/01 22:33:30] as many people as possible draft GLSAs together [2010/09/01 22:33:31] or is there another way? [2010/09/01 22:33:39] make that mini glsas. 
[2010/09/01 22:33:43] ++ [2010/09/01 22:33:44] and after 5 hours they're sent [2010/09/01 22:33:50] but that needs at least 4-5 people [2010/09/01 22:34:07] same would be needed for bugs, btw [2010/09/01 22:34:14] a3li: yeah [2010/09/01 22:34:15] although i'd wait for the new tool [2010/09/01 22:34:23] i'm not motivated to do anything with the old one [2010/09/01 22:34:26] but I think it would be nice to clean up glsamaker queue first [2010/09/01 22:34:37] basically i start, look at the tool, and lose interest again [2010/09/01 22:34:42] actually, i don't think waiting is a good option right now [2010/09/01 22:34:52] it will just grow [2010/09/01 22:35:19] and there is currently know exact time frame for the new tool [2010/09/01 22:35:26] s/know/no [2010/09/01 22:35:49] I would be willing to do some old stuff in the old tool [2010/09/01 22:35:53] how about we'll have something that will allow us end-to-end drafting by Oct 1 [2010/09/01 22:35:54] lets say next week [2010/09/01 22:35:55] ++ we can't wait until the end of the year and pile up [2010/09/01 22:36:07] a3li: define end-to-end [2010/09/01 22:36:09] well ... we can. but it we should make that public at least [2010/09/01 22:36:12] there's also another possibility [2010/09/01 22:36:13] bug comes in to email goes out [2010/09/01 22:36:22] yes, cool [2010/09/01 22:36:32] that shouldn't take too long [2010/09/01 22:36:33] that would mainly require people motivating keytoaster and me to finish things :) [2010/09/01 22:36:42] DO IT [2010/09/01 22:36:44] that would be a great thing [2010/09/01 22:36:45] enough? [2010/09/01 22:36:45] a3li: you'll have to do the xml part, i can do the txt erb and mail stuff [2010/09/01 22:36:50] rbu: does it involve beer? [2010/09/01 22:36:58] but should not stop us from already doing some stuff with the old tool [2010/09/01 22:37:07] so maybe we can separate the effort then [2010/09/01 22:37:11] yes. 
you get one crate of beer and one club mate *each* [2010/09/01 22:37:12] perhaps we can commit mini .xml files to portage, before writing the full text and sending the official mail [2010/09/01 22:37:17] paid by gentoo e.v. [2010/09/01 22:37:24] keytoaster and I focus on glsamaker 2 [2010/09/01 22:37:27] the rest does our day-job [2010/09/01 22:37:31] vorlon078: perhaps you need to see the new tool in action to see what it's capable of? :D [2010/09/01 22:37:59] <_Craig_> <@a3li> rbu: does it involve beer? <<< finish glsamaker, receive beer at 27c3. [2010/09/01 22:38:01] Falco: if we do that, we all know that the full text will never be written [2010/09/01 22:38:02] <_Craig_> ;) [2010/09/01 22:38:17] p-y: possible, indeed [2010/09/01 22:38:25] oh and one important thing [2010/09/01 22:38:32] but glsa-check would be up-to-date [2010/09/01 22:38:38] with all the trouble we had and have, we should be more open about it [2010/09/01 22:38:49] and tell the users not to expect glsas in these situations [2010/09/01 22:38:49] ++ [2010/09/01 22:38:57] i feel rather bad about the way we handled it [2010/09/01 22:39:41] me too, but anyway, users emerging world on a regular basis should be ok [2010/09/01 22:39:49] yeah those should [2010/09/01 22:40:10] but there might be users and even larger environments that don't work that way [2010/09/01 22:40:43] vorlon078: i'll add a notice at the top of the project page [2010/09/01 22:40:45] that's why i would like to see glsas go out again or an explanation why not and how to keep track of security fixes [2010/09/01 22:40:48] referring to the meeting log/summary [2010/09/01 22:41:16] of course the goal is to get the GLSA process going again [2010/09/01 22:41:45] if we don't restart sending stuff again soon, i would propose to send an explanation out to -announce [2010/09/01 22:41:51] agreed [2010/09/01 22:41:56] well we have to simply [2010/09/01 22:42:02] yes [2010/09/01 22:42:05] even if we do, actually [2010/09/01 22:42:47] ok 
[2010/09/01 22:43:03] so we should write something up on the current security situation in gentoo and make it public? [2010/09/01 22:43:13] no matter how we go on next month [2010/09/01 22:43:13] y [2010/09/01 22:43:17] ack [2010/09/01 22:43:18] yes [2010/09/01 22:43:19] yep [2010/09/01 22:43:24] but please don't make to too dramatic [2010/09/01 22:43:30] *it [2010/09/01 22:43:31] <_Craig_> oh no...bad news [2010/09/01 22:43:35] <_Craig_> I already see it on heise... [2010/09/01 22:43:43] right [2010/09/01 22:43:56] I can try to think of a first draft [2010/09/01 22:44:01] and if it will be on heise, your line will be as well :P [2010/09/01 22:44:23] <_Craig_> We're doomed. [2010/09/01 22:44:28] kay. [2010/09/01 22:44:36] alright [2010/09/01 22:44:37] ok, good [2010/09/01 22:44:39] next point then [2010/09/01 22:44:44] umm wait [2010/09/01 22:45:04] i can try and draft something next week [2010/09/01 22:45:12] or is there anyone else who wants to with more time [2010/09/01 22:45:18] nope [2010/09/01 22:45:29] next week is fine imo [2010/09/01 22:45:41] btw [2010/09/01 22:45:57] is there any team we should have it checked by? [2010/09/01 22:46:09] like pr? [2010/09/01 22:46:14] not that i know of [2010/09/01 22:46:31] same here [2010/09/01 22:46:48] ok [2010/09/01 22:46:50] then lets go on [2010/09/01 22:47:04] I'll draft and send to security@g.o for review [2010/09/01 22:47:18] ok [2010/09/01 22:48:11] so for the current queue [2010/09/01 22:48:19] ok, 5. is "Any other topic" [2010/09/01 22:48:19] a tool by oct 1 [2010/09/01 22:48:25] oh, sorry [2010/09/01 22:48:36] and who ever wants to send mini-glsas with the current tool can go on [2010/09/01 22:48:38] right? [2010/09/01 22:48:49] yes [2010/09/01 22:49:01] just for the record (and the summary) [2010/09/01 22:49:02] ok [2010/09/01 22:49:10] then any other topics? [2010/09/01 22:49:16] none from me [2010/09/01 22:49:39] well if you don't want any further info about glsamaker2.. 
[2010/09/01 22:50:00] it seems you want to tell us info :) [2010/09/01 22:50:07] 5.1 further info about glsamaker2 [2010/09/01 22:50:17] there you go ;) [2010/09/01 22:50:21] does it make coffee? :) [2010/09/01 22:50:22] I thought it was included in 4. [2010/09/01 22:50:27] p-y: no it's not emacs! [2010/09/01 22:50:32] oh :( [2010/09/01 22:50:51] so I already talked about the idea [2010/09/01 22:50:56] integrate all info [2010/09/01 22:51:03] that also means, it'll be the new CVE tracker. [2010/09/01 22:51:18] ++ [2010/09/01 22:51:30] is there a live demo / staging server? [2010/09/01 22:51:49] I could update my trunk demo again [2010/09/01 22:51:51] yep, i'd like to see it too [2010/09/01 22:51:58] that would be great [2010/09/01 22:52:09] http://vandium.net/~keytoaster/glsamaker2-comments.ogv [2010/09/01 22:52:10] or get things rolling with infra (robbat2|na *prod*) [2010/09/01 22:52:13] that shows some comment action [2010/09/01 22:52:17] (nothing about the cve tracker) [2010/09/01 22:52:21] hot comment action! [2010/09/01 22:52:24] that's the drafting part [2010/09/01 22:52:55] http://stingray.a3li.info/~alex/cvetool-1.png and http://stingray.a3li.info/~alex/cvetool-2.png are shots of the CVE tracker [2010/09/01 22:53:40] a3li, on phone, one moment [2010/09/01 22:53:51] robbat2|na: fix overlays first, yeah [2010/09/01 22:54:33] you guys really did an awesome job, thanks [2010/09/01 22:55:22] sweet [2010/09/01 22:55:33] the images alone make me want to work again! [2010/09/01 22:55:39] yes, it has 3G [2010/09/01 22:55:40] yeah, me too [2010/09/01 22:55:41] and the wifis [2010/09/01 22:55:52] and it doesn't crash if you enter >A instead of >5 [2010/09/01 22:55:52] :P [2010/09/01 22:55:53] get it running NOW [2010/09/01 22:56:03] see the url in the title bar [2010/09/01 22:56:05] :> [2010/09/01 22:56:57] localhorst? [2010/09/01 22:57:01] lolcathost [2010/09/01 22:57:12] local toast? 
[2010/09/01 22:57:24] port 3000 is bad [2010/09/01 22:57:31] just wanted to add something too ;) [2010/09/01 22:57:42] we should have it on port 0 [2010/09/01 22:57:47] yeah [2010/09/01 22:58:09] sounds like we already passed the end of the meeting btw [2010/09/01 22:58:17] likely. [2010/09/01 22:58:20] oh and it should be yellow [2010/09/01 22:58:22] I hope we get back in the saddle [2010/09/01 22:58:39] is there anything anyone wants to add about glsamaker2? [2010/09/01 22:58:50] nope [2010/09/01 22:58:56] we'll get you a demo running [2010/09/01 22:59:06] that would really be great [2010/09/01 22:59:11] then we need testing and of course take suggestions [2010/09/01 22:59:17] beta rollout by october [2010/09/01 22:59:29] working 1.0 version rollout within the year [2010/09/01 22:59:39] what's within the year? [2010/09/01 22:59:45] in 2010 or within 12 months from now on? [2010/09/01 22:59:53] 2010! [2010/09/01 22:59:58] whoa [2010/09/01 23:00:01] you're optimistic :) [2010/09/01 23:00:04] er? [2010/09/01 23:00:04] i think it would be nice to have a current todo list for the team and who is 'responsible' for which task [2010/09/01 23:00:11] it won't be the final version [2010/09/01 23:00:21] floss is never final [2010/09/01 23:00:28] vorlon078: we have a redmine [2010/09/01 23:00:34] well.. glsamaker1 is final [2010/09/01 23:00:34] oh, you mean in general for security [2010/09/01 23:00:50] yeah for security [2010/09/01 23:01:01] we can get a wiki again somewhere [2010/09/01 23:01:06] a3li: good point [2010/09/01 23:01:14] *sigh* [2010/09/01 23:01:18] not another wiki discussion [2010/09/01 23:01:27] but yes, go for it [2010/09/01 23:01:32] well, for the task list an .xml in proj is fine [2010/09/01 23:01:32] yes. let's have a cvs and check in guidexml files [2010/09/01 23:01:33] i'll kill the first guy who objects [2010/09/01 23:01:58] hmpf [2010/09/01 23:02:12] * _Craig_ AFK: pizzapizza. BBL. [2010/09/01 23:02:12] okay. 
I think we're really done now [2010/09/01 23:02:14] vorlon078: you didn't get the joke probably :) [2010/09/01 23:02:22] keytoaster: no not at first [2010/09/01 23:02:41] and actually i simply want a list and a place to keep such stuff [2010/09/01 23:02:50] i did use our dokuwiki installation btw [2010/09/01 23:02:58] we'll arrange for something [2010/09/01 23:03:12] one last thing at the end of each meeting [2010/09/01 23:03:32] i would like to hold meetings way more often but shorter [2010/09/01 23:03:40] ++ [2010/09/01 23:03:43] way more often means more than every two years [2010/09/01 23:04:02] every three months? [2010/09/01 23:04:02] thanks vorlon078 for moderating and calling in the meeting [2010/09/01 23:04:14] and thanks to everyone who picked up tasks [2010/09/01 23:04:23] thanks to rbu for the mate [2010/09/01 23:04:24] thanks rbu for attending [2010/09/01 23:04:24] every two or three would be really good i think [2010/09/01 23:04:28] rbu: thanks [2010/09/01 23:04:59] what about mid october for the next one since we wanted to make changes then [2010/09/01 23:05:05] argh [2010/09/01 23:05:37] i would have said nov/dec, but oct might be nice in case we do have a tool to change things again [2010/09/01 23:05:46] fine with me [2010/09/01 23:05:52] good [2010/09/01 23:05:59] ok for me [2010/09/01 23:06:01] kk [2010/09/01 23:06:05] oh wait [2010/09/01 23:06:10] im on vacation then [2010/09/01 23:06:11] lol [2010/09/01 23:06:17] I have to go, gn8 all [2010/09/01 23:06:20] n8 [2010/09/01 23:06:25] p-y: good night, and thanks [2010/09/01 23:06:26] alright [2010/09/01 23:06:29] good night [2010/09/01 23:06:32] nite [2010/09/01 23:06:53] i'll write a reminder for myself for an october meeting then [2010/09/01 23:07:22] thanks for attending everyone :) [2010/09/01 23:07:29] monstermeeting [2010/09/01 23:07:32] thanks vorlon078 for doing this :) [2010/09/01 23:07:34] thanks [2010/09/01 23:08:03] @ keytoaster set topic "Last project meeting: 2010-09-01 
18:30 UTC; Logs and summary available soon | This channel is only for coordinating vulnerabilities and GLSA releases. For an end-user support channel, see #gentoo | http://security.gentoo.org | New recruits: http://www.gentoo.org/security/en/padawans.xml" [2010/09/01 23:08:29] that topic is not so god [2010/09/01 23:08:31] *good [2010/09/01 23:08:42] sounds like that was our last meeting ever :) [2010/09/01 23:08:52] *sigh* [2010/09/01 23:09:02] @ keytoaster set topic "Previous project meeting: 2010-09-01 18:30 UTC; Logs and summary available soon | This channel is only for coordinating vulnerabilities and GLSA releases. For an end-user support channel, see #gentoo | http://security.gentoo.org | New recruits: http://www.gentoo.org/security/en/padawans.xml" [2010/09/01 23:10:46] log stopped here btw [2010/09/01 23:10:56] %part [2010/09/01 23:10:56] @ Left channel #gentoo-security ()