Security/Meetings/2011-06-15


Agenda

  • [Curtis] SecReview Bugs - Feedback from engineering team on our ideas
  • [Lucas] Embedding team members
  • [Curtis] Telemetry
    • Implementation Review?
    • Owners for items from Telemetry review/discussion
    • Next course of action
  • [Lucas] Review scheduling
  • [Lucas] Questions re SF office

Discussion

  • [Curtis] SecReview Bugs - Feedback from engineering team on our ideas
    • file-a-bug-to-move-channels got shot down
    • up to Sec Team to file "blocker" bugs
    • Bugs that come out of security review meetings should have [sg:] markings
  • [Curtis] Should we mark priorities [sgpri:P3] or targets [sgtarg:Fx6] in addition to severities [sg:moderate]
    • Priorities: probably not
    • Targets: use the normal tracking flags, so we agree with release drivers
  • [Curtis] Adding a Bugzilla keyword/whiteboard like "security-review-wanted".
    • Seems best to add a pair of short keywords, "sec-review-needed" and "sec-review-complete".
    • "sec-review-needed" will include scheduled, Curtis can keep track
    • Done. went with sec-review-* for similarity with other keywords
  • [Curtis] Adding a Bugzilla patch flag like "security-implementation-review".
    • On hold while we see whether the "sec-review-needed" bug keyword and "r?dveditz" are sufficient.
  • [Lucas] Embedding team members
    • sec team member will attend the feature team's meetings, contribute to design, and potentially contribute to implementation. (expensive; expect to spend at least a few hours a week)
    • need to identify which projects want/need embedded sec team member. Candidates: Mobile, F1, Sync, Jetpack, Apps, Mozilla ID,
    • who on the security team? imelven (mobile), dchan (F1), curtisk (Identity), bsterne (Apps), dveditz (Jetpack/Add-on builder), bsmith (Sync)
  • [Curtis] Telemetry
    • Implementation Review? (none/some/all) (client/server)
    • Server review: https://bugzilla.mozilla.org/show_bug.cgi?id=655746
    • Owners for items from Telemetry review/discussion
    • [bsmith] Follow-up bug: different (non-aborting) error handling strategy for future release.
    • [Sid?] Follow-up bug: in future histogram collections should come from a single file that can be audited, rather than allow instantiation from any random part of the code.
    • [bsmith/mcoates] Code hosted on GitHub (like many other parts of Mozilla): will review policy at next joint secteam/infrasec-security meeting.
    • [taras] Follow-up bug: Mobile data usage; must minimize the size of data sent (gzip, more-efficient-than-JSON encoding). (bug 661578)
    • Next course of action
  • [David] Blackhat/DEFCON hotels
  • [Lucas] Review scheduling
    • Would it help if everyone on the security team tried to keep specific times open every week?
    • Should we avoid Fridays? Bad for NZ and Europe
  • [Lucas] Questions re SF office
    • Lucas and Ian will probably be based in SF office. bsmith might.
  • [dveditz] Security fix verification
    • QA team is becoming less interested in putting resources on the 3.6 branch
    • Automated tests are good, but they leave the risk that what the developer fixed isn't the right bug.
    • Should we invite reporters to verify fixes? We do, for externally reported bugs.
    • ??? will chat with Matt, manager of the QA team
  • [dveditz] Let's use the public #security channel more and the private channel less