Security/Meetings/2011-11-16

From MozillaWiki

Sync update

Bugzilla metrics

  • need feedback from team that bugs are OK
    • dveditz & bsterne to review by Friday
  • curtisk wants to wrap this up

Silent Updates update

  • things are on track from all sides

Mozilla Inbound security fixes (request from edmorley)

  • we suggest that either the mergers apply for s-g access or email security@ directly and we will take care of it
  • also possibly provide a list of who has s-g and can do this and when they're around - there's a wiki page of this already

Travel / people stuff

  • Gary in KL for MozCamp Asia
  • Curtis back from EU MozCamp
    • interesting possible theme issue
  • Curtis in MV Dec 4-9
  • Sid PTO Nov 28 (Monday), Dec 1-5 (W-M)
  • David PTO Nov 21 / Dec 5 (Monday)
  • Thanksgiving Holiday USA Nov 24-25 - US employees unavailable

NSS extensibility

Protocol

  • Show up on time, please
  • Don't let sid be a blocker to start the meeting

Privacy Reviews

SecReview stuff

  • meeting invites sent for 2012
  • meeting set up for triage (every other week)
    • anyone from secteam is welcome to attend; mandatory attendees have been invited directly
  • [bsterne] Lightning talk at the next Mon meeting - Security is _not_ an Option
    • if you are making changes or shipping a new product or service that affects our users, you should be engaging with the Security Team before you ship
    • bugs are more expensive to fix the later in the dev cycle they are found
      • even worse for design problems that aren't tackled in the design stage
    • show the "menu" of services that sec team provides, starting with lightest weight
    • this is not optional

Recent Security Reviews

  • Navigation Timing API
  • Enable storing files in IndexedDB
  • Android System

SOPA

Firefox 2012 Product Vision

  • includes non-feature work (integrity/quality programs like security)
  • Fairly big focus on security/privacy for the roadmap/vision statement from Asa