Security/Meetings/SecurityAssurance/2012-05-08



  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
  • Please start using the new keywords; for now, use both keywords and whiteboard tags while we convert the Bugzilla queries
  • Look at examples for types of things that qualify for keyword ratings at https://wiki.mozilla.org/Security_Severity_Ratings/Proposals. We need to get this current and then add the web ones.
    • we expect this to be keywords full time by 18-May
    • we need the teams to get the list of team keywords finalized (csec-, wsec-, opsec-)
      • it's up to each subteam to make these lists by 2012-05-18
      • do we have WIP/candidate lists?
        • apparently not :/
  • Triage (CritSmash, etc)
    • Allow other teams to triage the bugs, with us in an advisory capacity
  • How can we ensure security bugs are visible to relevant developers?
    • It's hard to work on bugs you can't see.
    • Currently, we tend to CC managers/delegators who then CC the right developer. This kinda works, but isn't so great.
    • For web site bugs: everyone who can land code that runs directly on a web site should have access to its security bugs. (Currently, the bugzilla group is mostly managers, plus security people and "web site drivers")
    • For browser bugs: Jesse wants JS engine developers to be able to see JS engine bugs. Perhaps component owners (e.g. dmandelin for js engine) should be able to grant access.
      • [jesse] Note that access to land on mozilla-central is binary, so it can't be tied to "who can land code in the component"
      • [yvan] I will ask dkl how much work it would be to add these granular access controls to Bugzilla
    • Who controls the "default CC list" feature? This is one way to give more people access, but it involves spam. Only Bugzilla admins can add people.
  • Secreview Documentation

Meeting Notes

  • [gkw] PTO / OOO thursday - friday

Security Review Status (koenig)

  • Number of Reviews Completed (so far this quarter): 53 (previous weeks 40,16)
    https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 25
    https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 28
  • Number of Outstanding Reviews: 169 (previous weeks 172,129)
    https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50 
    https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 119 

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault)

Thunderbird (Adam)

  • no update

Rust (Jesse Ruderman)

  • [Jesse] Chatted with Niko about his Borrowing and Borrowing Errors posts. I had ideas about how to make more errors static and more code simple.

Mobile (David Chan)

  • no update

Sync (David Chan & Yvan Boily)

  • no update

Services (David Chan & Yvan Boily)

  • no update

Social - Pancake (Mark Goodwin)

No Update

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • [gkw] More ESR fuzzing done
  • [gkw, Jesse] Getting closer to jsfunfuzz-in-the-pool
  • [Jesse, gkw] Getting closer to jsfunfuzz-random-flags working again (and better than ever)
  • [decoder] jsfunfuzz now running on two Tegras (Part of ARM Fuzzing Goal)

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • No Update

Web Developer Tools (Mark Goodwin)

  • No Update

Networking (Christoph Diehl)

  • finally going to set up a b2g phone for sms/bluetooth fuzzing

Graphics (Christoph Diehl)

  • closing security reviews for Graphite 2, ICO and BMP encoders
  • filing bugs for Graphite 2
  • filing bugs for Icon decoder

Market (Raymond Forbes)

  • Official friends and family beta launch happens tomorrow.

Firefox APIs (Raymond Forbes)

  • no update

Payment Flow (Raymond Forbes)

  • Met with Stripe to further understand their offerings. I still have concern about PCI compliance but they claim their auditors have blessed the strategy.

App Sync (David Chan)

  • server api review completed
  • progressing on client review

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

  • no update

BrowserID

  • RFP issued yesterday

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

  • no update

Bugzilla.M.O (Mark Goodwin & Eric Parker)

  • No Update (TellUsMore review is progressing)

Mozillians (Yvan Boily)

MDN (Raymond Forbes)

  • no update

SUMO (Kitsune) ()

  • no update