Security/Meetings/2011-08-24

All-hands activities

• Maybe we'll shuttle to Santa Cruz and zipline
• {schedule} http://www.cvent.com/events/all-hands-september-2011/event-summary-cd987c1d4050481a8189e5ce60384c93.aspx?i=3364e6e3-4c2f-4a61-9ea5-8621ab0bb4bf

Web APIs

• Intersection with other projects (WebApps, B2G, JetPack)

B2G installation and permissions (gal, bsmith)

• B2G trying to figure out installation and permissions model
• B2G team is eager to get this figured out
• This might have its own standing meeting for a short time
• Touches UX and security
• Lucas thinks we need UX testing to get this right.

This meeting: schedule

• Overlap with mobile meeting, makes it difficult for any of us to embed in that meeting.
  • Mobile meeting likes their half-hour offset.
  • They take good notes, so it's not too bad if we (Ian) can only attend the first half.

Bug lifecycle (curtis)

• Last week, a few of us had a meeting about bug lifecycle.
• "Feature work" and "Quality work" require different methods of prioritization. Our lifecycle is somewhat effective at prioritizing and driving features, but not quality. (Quality can include security and performance issues as well as bugs)
  • smooney, who runs CrashKill, feels similarly.
  • "Just turn up the volume" is not a good solution, because everyone turns up the volume and all we have is noise.
  • We should not be fighting against engineering and engineering management!
  • Remind everyone that people choose Firefox based on its reputation for security and performance.
• Lucas (and others) have been chatting with engineering management, and will continue for another week or two and hope a proposal comes out of it.
• This could be an all-hands topic. We'll try to have a strawman proposal to present there.
• This could help us with the sg:moderate backlog.
• Publishing "security bug backlog" stats. Can be framed as visibility, competition, or shaming.
  • Google is doing this in sort of a game style (bugs must be killed), turning stuff into games seems to motivate people even more.

Long-term support

• Meeting on Friday (warp core at 1pm) (organized by kevin)
• Jesse is skeptical that adding a new LTS will actually help get users off of Firefox 3.6.
• Jesse shared draft blog posts "Rapid releases and security" and "Preventing users from falling out of support" with the team.

Full Screen API (curtis)

• Chris Blizzard really wants a full screen API by Firefox 9
• https://wiki.mozilla.org/Gecko:FullScreenAPI
• http://robert.ocallahan.org/2011/08/securing-full-screen.html
• https://bugzilla.mozilla.org/show_bug.cgi?id=545812
  • Jesse has been having detailed conversations with roc in this bug (and on IRC)