- 1 All-hands travel (lucas)
- 2 Roadmaps and feature pages (sid)
- 3 CAs
- 4 Proposal for improvement of Security Review process (decoder)
- 5 Sync changes
- 6 Mobile etc update (ian)
- 7 Community Involvement in Security (curtisk)
- 8 Telemetry privacy
- 9 Blog post roundup
- 10 Events
- 11 New internal weekly report (bsterne)
All-hands travel (lucas)
- make sure you have it, and all is worked out
Roadmaps and feature pages (sid)
- Fleshing out feature pages for our area
- curtisk will assist with inbox triage
- If you know of features we need make pages or get with Curtis and Sid for assistance
- ding dong a root is dead
Proposal for improvement of Security Review process (decoder)
- A sequence diagram/interaction diagram/data flow could help us understand the feature
- this is more neccessary for deeper reviews and not initial reviews
- would be very helpful for theat modeling, testing plans, & penetration testing
- would help find areas of risk in the design that may not otherwise be evident
- We need to come up with a criteria and a model that everyone is comfortable with and that is not too heavy
- they want to change the crypto
- possibly give users option of _not_ having their sync key (??), and instead using just username and password
- maybe useful for pancake
- not clear what is the problem they're trying to solve (hard to scope their changes without knowing what they are trying to address)
- first draft of feature/idea by end of week
Mobile etc update (ian)
- Plugins are coming to mobile. Experimental builds have Flash, with click-to-play. Will be in nightlies soon.
- App model?
- when you're an app, when you're in browser - there's different models across devices/platforms/in browser content vs app for things like geolocation. Ian is going to talk to tarend (mobile product manager) to try and come up with a survey of how permissions vary across the landscape, to work out where mobile Firefox lands on that spectrum. the driver here is security/permission models around new stuff from WebAPI and also the forthcoming mobile web app work where web content gets 'promoted' to an app with an increase in permissions.
Community Involvement in Security (curtisk)
- what should this be?
- what would a "job" post for a volunteer look like?
- How can we reach out to community members who are interested in security, and let them know what we could use help with?
- Blogs, conferences
- Backlog of want/low/moderate bugs
- bsterne could mark some of them with the whiteboard tag [good first bug]
- Twitter account aggregating our blog posts and tweets, with official messages tweeted directly
- Ask PR for their thoughts, and what they think of tools like CoTweet
- Sid would like help looking at a backlog
- how do we get to it?
Blog post roundup
From the Mozilla community
- Jesse's posts on rapid release
From our friends
- bsterne is drafting a reply to http://lcamtuf.blogspot.com/2011/08/subtle-deadly-problem-with-csp.html
- jesse is drafting a post about root cause analysis of JS engine security bugs
- http://www.silisec.org/ tomorrow night in Sunnyvale
New internal weekly report (bsterne)
- now breaks bug counts by team (rather than component)
- now includes a "total risk score" where crits are 5 points, etc
- let's add sg:want bugs, but with a weight of 0
- coming soon: graph