All-hands travel (lucas)
- make sure you have it, and all is worked out
Roadmaps and feature pages (sid)
- Fleshing out feature pages for our area
- curtisk will assist with inbox triage
- If you know of features we need, make pages or get with Curtis and Sid for assistance
Proposal for improvement of Security Review process (decoder)
- A sequence diagram/interaction diagram/data flow could help us understand the feature
- this is more necessary for deeper reviews and not initial reviews
- would be very helpful for threat modeling, testing plans, & penetration testing
- would help find areas of risk in the design that may not otherwise be evident
- We need to come up with criteria and a model that everyone is comfortable with and that is not too heavy
- they want to change the crypto
- possibly give users option of _not_ having their sync key (??), and instead using just username and password
- maybe useful for pancake
- not clear what is the problem they're trying to solve (hard to scope their changes without knowing what they are trying to address)
- first draft of feature/idea by end of week
Mobile etc update (ian)
- Plugins are coming to mobile. Experimental builds have Flash, with click-to-play. Will be in nightlies soon.
- App model?
- When you're an app vs. when you're in the browser, there are different models across devices/platforms/in-browser content vs. app for things like geolocation. Ian is going to talk to tarend (mobile product manager) to try and come up with a survey of how permissions vary across the landscape, to work out where mobile Firefox lands on that spectrum. The driver here is security/permission models around new stuff from WebAPI and also the forthcoming mobile web app work where web content gets 'promoted' to an app with an increase in permissions.
- what should this be?
- what would a "job" post for a volunteer look like?
- How can we reach out to community members who are interested in security, and let them know what we could use help with?
- Blogs, conferences
- Backlog of want/low/moderate bugs
- bsterne could mark some of them with the whiteboard tag [good first bug]
- Twitter account aggregating our blog posts and tweets, with official messages tweeted directly
- Ask PR for their thoughts, and what they think of tools like CoTweet
- Sid would like help looking at a backlog
Blog post roundup
From our friends
New internal weekly report (bsterne)
- now breaks bug counts by team (rather than component)
- now includes a "total risk score" where crits are 5 points, etc
- let's add sg:want bugs, but with a weight of 0
- coming soon: graph