• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• gsoc - https://etherpad.mozilla.org/assurance-gsoc
• goals - update them!
• team meeting - will have time for google/facebook meetup
  • also Jesse, Curtis to coordinate fuzzing meetup
• Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdEI4SlE0eGRWdkN5bXBpbV8wcjNzNUE
• Metrics
  • https://security-review-statistics.vcap.mozillalabs.com/
  • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
    • fbraun and paul are top closers \o/
    • marking bugs verified - should be done when all dependant bugs from a review are resolved
      • [Jesse] I'd prefer if we requested a Bugzilla feature for 'search for bugs that have no open dependencies' rather than manually marking bugs as verified.
      • [yvan] But we sometimes want to mark the security review bugs as 'verified' when all dependencies are fixed
      • [Jesse] I'm totally confused. And why do we care about the status of the security review metabugs anyway? We should just mark the individual bugs as sec-low or sec-want, and track them independently of what metabugs they block.
      • [freddyb] I said that I mark them as resolved/fixed once *my* work is done and check the blockers and mark them as verfied fixed once patched..
      • [yvan] _______ ??
      • [curtisk] Let's discuss this more at the meetup. I'll add it to the agenda.
• AMA - r/netsec requested an AMA, will be on March 27th
  • When you 'do an AMA' for a subreddit like r/netsec, does it get crossposted to r/IAmA or what?
    • It will be posted in r/netsec, and cross-posted to r/IAmA (along with hacker news, the mozilla security blog, etc)
  • https://etherpad.mozilla.org/security-ama
  • [Jesse] March 27 is also the day of a major asm.js announcement :/
    • We might get some questions about asm.js
      • [yvan] I can add a link to another reddit article
    • Some people (especially the PR team) might be too distracted to help us
      • [yvan] I can circulate PR tips before our AMA
  • You really want to be listed, so you can (1) not be rate-limited in commenting and (2) get flair ('Mozilla' or 'Firefox' plus your listed role)
  • [jesse, freddyb] Let's prepare canned responses rather than having a huge first post. More interactive and easier to get into the questions.

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• Maybe mgoodwin @ Sheffield Hallam on why things like Persona are a good idea

* psiinon might be talking about ZAP in Venezuela (remotely) on Friday (having failed to connect to Chile today;)
* freddyb at hackinparis, June 21 https://www.hackinparis.com/schedule

Planned Blog Posts

• Google Doc

Security Review Status (curtisk)

• Completed in Q4 2012: 50

https://security-review-statistics.vcap.mozillalabs.com/weekly < 61 completed!!!

• • without deadline fixed

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

• Devtools work week last week. Lots of very awesome stuff - see Paul Rouget's summary here: http://paulrouget.com/e/devtoolsnext/ - more details available (speak to me if you're interested)

Firefox Mobile

Firefox OS

• [gkw] pandaboards are somewhat unreliable. Certain chassis connection issues have been fixed, infrastructure is beginning to stabilise

Firefox Core

• [decoder] OdinMonkey landed on mozilla-central, still testing it
• [gkw,decoder] BaselineCompiler testing still going on
• [gkw,decoder] Special fuzzing requested for bug 849014 and bug 850070

MarketPlace

Web Apps

Services

Operation Security