Personal tools

Security/Meetings/2011-10-05

From MozillaWiki

Jump to: navigation, search

Contents

Non-feature work

  • working group is going
  • criteria is being discussed
  • this list right now is overly granular, will need to be whittled down

Mobile Locale Picker

  • is what they're doing with Aurora/Nightly in line with our best practices ?
    • currently done with xpi over plain http as an add-on for the locale
    • no, they should be protected in some fashion
  • imelven will file a bug against nightly/aurora for this
  • should we file a bug for release even though it's still 'in progress' ?
  • imelven will file a bug for this - XML file should come over SSL, other XPI's come with hash over SSL
  • there is javascript on AMO that installs addons, this gets the hash and downloads the file ddons, this gets the hash and downloads the file over SSL
    • should be done the way it's done for addon and client updates today

Mobile Permissions

  • bug to explain why Fennec wants permissions
  • mbrubeck is thinking about writing a blog post on permissions for Fennec
  • there's ongoing debate about asking for permissions we don't need yet for a better update flow as opposed to being very tight with permissions and only asking for things we actually use
  • debate about whether writing the document will help - 'people only read the market description, don't follow links in it' - but we don't explain why we require whatever permissions anywhere
  • imelven will check if there's a tool to audit permisisons on Android
  • imelven will follow up with Michelle Luna (mobile SUMO)

Moz Camps

  • attendance?
    • Gary - Kuala Lumpur
  • curtis has been invited by Gen Kanai to one in Malaysia to talk sec via yammer

DerbyCon / Louisville Infosec roundup [curtis]

Sec Review Triage

  • moved to Oct-12 in Zombocom
    • will cover untriaged radar items, bugs and assignments

Curtis Travel

  • Trip 17-22 oct
    • will arrive late on 17 so will work from home till mid-day EST then depart

Blog post roundup

DNT round-up

Goals Discussion

  • Remember: Q4 is a short quarter
  • We generally try to have 3 goals per quarter, but may also list other planned activities.
  • We've been asked to consider "mobile first", "how will we use telemetry", and "e10s"

Goals for other teams

Goals for us

  • Telemetry/User Research ? - are there probes or Test Pilot studies we could use to get some useful info ?
    • Get stats on features we want to kill off (enablePrivilege, E4X <- done)
    • Frequency of cert errors (counting each of: expired, self-signed, wrong domain) and OCSP success/failures (nonresponses, server errors, revoked, valid) and frequency of mixed-content encountered (bucket mixed display and mixed scripting)
      • this will help us decide how to prioritize (or de-prioritize) future work on SSL failures, revocation, mixed content work
  • Privacy: unify our reviews (sec/priv) with User Data Council (UDC)
    • make it easy and smooth to get all the right eyeballs involved at the right times.
  • Mobile Fuzzing
    • Get LangFuzz to ARM architecture (Linux/Tegra)
    • Get LangFuzz to mobile (Browser on Android)
      • LangFuzz mobile has dependency on Jetpack
  • Get a plan for sec release quality finalized and ready to socialize (related to non-feature prioritization)

Other things we'll be doing