Security/Meetings/2011-12-14

From MozillaWiki

Silent Update Post Mortem (imelven)

  • should this be a separate meeting? sounds like yes.
  • we will set up a separate meeting to discuss this (we can use an open secreview slot)
  • paper bsmith mailed out is pretty interesting and worth taking a skim through

Address Sanitizer (decoder)

Security Communications (curtisk)

  • discuss https://intranet.mozilla.org/User:Curtisk/CommsSchedule
    • goal: 1 lightning talk per year, 1 brownbag per year, 2 blog posts per month, to get us talking about security of some type
      • [jesse] one lightning talk a month is way too much
      • [jesse] if we don't have anything to say, we shouldn't be boring people with old stuff, and we really don't want to waste everyone's time (and our reputation) on a lightning talk
    • [curtisk] why old stuff? I propose people have at least one interesting thing per year
  • [jesse] the "trading" idea is almost as much a waste of time, especially if you're looking for someone to trade with
    • [curtisk] group seems to think trading is not a big deal
  • [jesse] we'll have much higher quality communication with a process that's driven by [having something to talk about] rather than [being given an artificial, stressful, adversarial, open-ended task based on a calendar]. We had enough of those in college.
  • [jesse] counterproposal: in security team meetings, we notice things that we want to talk about, and by the end of the meeting it's clear who is going to write about it, in what medium, and when. We should talk about ASAN and choose a medium because ASAN is interesting, not because there's a time-driven schedule.
    • [curtisk] this seems like a rush that would not be good for that person
      • [jesse] huh? are you worried that one person would be doing a lightning talk, a brownbag, and a blog post? I don't think "all three" is going to be the most common answer to "what's the best medium for this announcement?"
    • [jesse] and if you haven't said anything in public for a year, you chat with curtis or your manager about that, or people look at you more when things come up in meetings
  • [curtisk] if that were true we would be doing it already, as that is the current model that is not working
    • [jesse] We haven't tried my proposal.
  • [bsterne] talking about product is generally more interesting than talking about process (??)
  • [tanvi] in a case where you don't have a topic directly related to your work, there are lots of security concepts and issues that you may be interested in and could have a brownbag or brainstorming session about (???)
  • [jesse] we've been quiet because we've been behind on security features. we're not going to fix that by deciding to talk more; we're going to fix that by adding security features.
  • [curtisk] as an additional option, we can find someone external to do a security talk instead of talking ourselves.

Resolution: keeping the schedule for now, can be edited. I will move the sched to https://intranet.mozilla.org/SecurityTeam:EditorialCalendar

Mobile Updates

  • the nightly updater is broken - people will have to manually update to get off last night's nightly
  • click-to-play plugins has mostly landed in mobile - the platform work here will help push the feature along on desktop - there's a pref to always/never/click-to-play for plugins

    • Does this help with enforced click-to-play for outdated plugins?
      • good question - it might?
    • last piece (the platform code) is delayed due to current tree closure - they might try for special approval for this
    • looking for people to test it!
  • local db is mostly finished and should land very soon - the plan is to ship with this and probably not provide an option to use system store in 1.0 (being driven by needs of sync)

Sync Update (dchan)

Fuzzing on Releng machines

  • DOM fuzzer is running on pvt machines
  • jsfunfuzz should be on them too, getting privs
    • gkw will work this out with Jesse

ESR decision

Brown Bags

  • curtisk gave a brown bag about finding one's towel last Friday (which was great!)
    • Neurobiology of decision making
      • imelven is trying to find the moz brown bag recording
        • The brown bag takes some time to get finalized, it should be somewhere on the Brown Bag page on Intranet
  • gkw has scheduled "Fuzzing at Mozilla" for Jan 25, 2012, Wednesday noon
    • Was first presented at MozCamp Asia

Security Questionnaire (decoder)

  • As mentioned last week, we have a preliminary questionnaire that got good feedback from different people in secteam: https://intranet.mozilla.org/User:Choller@mozilla.com/SecreviewQuestionnaire
  • We should make a decision as a team if this approach seems worth pursuing before any further work is done
  • Can we test the questionnaire with some of the teams we are embedded in?
    • Testing the whole thing requires at least a proof-of-concept implementation, unless you want to evaluate it manually (face to face) with certain people

Privacy Reviews

  • Opened two reviews for wider/public discussion in dev.planning a week ago: got little feedback, but will continue posting batches of reviews to elicit input