Security/Meetings/SecurityAssurance/2012-05-08
From MozillaWiki
< Security | Meetings | SecurityAssurance
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- Please start using the new keywords, for now use both keywords and whiteboard tags while we convert bugzilla queries
- Look at examples for types of things that qualify for keyword ratings at https://wiki.mozilla.org/Security_Severity_Ratings/Proposals. We need to get this current and then add the web ones.
- we expect this to be keywords full time by 18-May
- we need the teams to get the list of team keywords finalized (csec-, wsec-, opsec-)
- it's up to each subteam to make these lists by 2012-05-18
- do we have WIP/candidate lists?
- apparently not :/
- Triage (CritSmash, etc)
- Allow other teams to triage the bugs and us in an advisory capacity
- How can we ensure security bugs are visible to relevant developers?
- It's hard to work on bugs you can't see.
- Currently, we tend to CC managers/delegators who then CC the right developer. This kinda works, but isn't so great.
- For web site bugs: everyone who can land code that runs directly on a web site should have access to its security bugs. (Currently, the bugzilla group is mostly managers, plus security people and "web site drivers")
- For browser bugs: Jesse wants JS engine developers to be able to see JS engine bugs. Perhaps component owners (e.g. dmandelin for js engine) should be able to grant access.
- [jesse] Note that access to land on mozilla-central is binary, so it can't be tied to "who can land code in the component"
- [yvan] I will ask dkl how much work it would be to add these granular access controls to Bugzilla
- Who controls the "default CC list" feature? This is one way to give more people access, but it involves spam. Only Bugzilla admins can add people.
- Secreview Documentation
- Working Drafts at https://etherpad.mozilla.org/oLeUVAihZI and https://intranet.mozilla.org/User:Yboily@mozilla.com
- Blog post at https://security.etherpad.mozilla.org/13
Meeting Notes
- [gkw] PTO / OOO thursday - friday
Security Review Status (koenig)
- Number of Reviews Completed (so far this quarter): 53 (previous weeks 40,16)
https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 25
https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org =28
- Number of Outstanding Reviews: 169 (previous weeks 172,129)
https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50
https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 119
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault)
- Draft Permissions Model: https://wiki.mozilla.org/Apps/Security
- Draft Permission Matrix (wip): https://wiki.mozilla.org/Apps/Security/Permissions
- ~40 reviews assigned to me
- triaging this week, should have more details in each bug to help share workload
- OS/Runtime https://wiki.mozilla.org/B2G/Architecture/Runtime
Thunderbird (Adam)
- no update
Rust (Jesse Ruderman)
- [Jesse] Chatted with Niko about his Borrowing and Borrowing Errors posts. I had ideas about how to make more errors static and more code simple.
Mobile (David Chan)
- no update
Sync (David Chan & Yvan Boily)
- no update
Services (David Chan & Yvan Boily)
- no update
Social - Pancake (Mark Goodwin)
No Update
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [gkw] More ESR fuzzing done
- [gkw, Jesse] Getting closer to jsfunfuzz-in-the-pool
- [Jesse, gkw] Getting closer to jsfunfuzz-random-flags working again (and better than ever)
- [decoder] jsfunfuzz now running on two Tegras (Part of ARM Fuzzing Goal)
DOM, XPConnect (Jesse Ruderman)
- Fair number of regressions from compartment-per-global, including security bugs
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- No Update
Web Developer Tools (Mark Goodwin)
- No Update
Networking (Christoph Diehl)
- finally going to set up a b2g phone for sms/bluetooth fuzzing
Graphics (Christoph Diehl) =
- closing security reviews for Graphite 2, ICO and BMP encoders
- filing bugs for Graphite 2
- filing bugs for Icon decoder
Market (Raymond Forbes)
- Official friends and family beta launch happens tomorrow.
Firefox APIs (Raymond Forbes)
- no update
Payment Flow (Raymond Forbes)
- Met with Stripe to further understand their offerings. I still have concern about PCI compliance but they claim their auditors have blessed the strategy.
App Sync (David Chan)
- server api review completed
- progressing on client review
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
- no update
BrowserID
- RFP issued yesterday
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
- no update
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No Update(TellUsMore review is progressing)
Mozillians (Yvan Boily)
MDN (Raymond Forbes)
- no update
SUMO (Kitsune) ()
- no update