Security/Meetings/SecurityAssurance/2012-05-22
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Flash Update - https://mana.mozilla.org/wiki/display/INFRASEC/Block+Listing+Flash
- We had a long internal discussion on security-group about protecting users with (very) old versions of Flash.
- Possibilities include a soft block, an even softer "outdated" info bar, and waiting until we ship Firefox 15 with click-to-play (and a fix for https://bugzilla.mozilla.org/show_bug.cgi?id=686335 ?).
- Bugzilla Tips - https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=22381156
- Queries for the security team, and Bugzilla tricks that are relevant to us
- Why is this private?
- Open to moving to other location, not sensitive
- Work Week
- [Rforbes] MarketPlace Update
- [Paul] B2G Update
- Security evangelism
- Mark and David are researching Fennec's competitiveness on security and privacy features, especially against the stock Android browser.
- [Yvan] Mentorship
- We're picking out "good first bugs" for web security bugs
- [decoder] Update on ASan builds
- Blackhat / Defcon 2012 update?
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- Travel: decoder going to HITB tomorrow till Friday (meeting with imelven and Lucas)
- Security comparison
- https://mana.mozilla.org/wiki/display/~mcoates@mozilla.com/Comparison+points
Security Review Status (koenig)
- Number of Reviews Completed (so far this quarter): 48 (last week 59) <-- trying to figure out how this went down
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 22 (27)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org =26 (32)
- Number of Outstanding Reviews: 192 (last week 171)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 51
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 141
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault --> & David Chan)
- (Welcome David!! :)
- B2G starting to be tracked a little more, making secreview easier to plan: https://docs.google.com/spreadsheet/ccc?key=0AiBigu584YY7dGlNSlY0QzhJb3M5anRBa1gxalV0Y3c#gid=0
- Gaia now more detailed in the spreadsheet - yvan, we should plan external review soon, tomorrow
- Meeting with Jlebar this morning to further refine the permissions model
- Gaia hacking day next week? Any interest?
Thunderbird (Dan Veditz)
Rust (Jesse Ruderman)
Mobile (David Chan --> Mark Goodwin)
- no update
Sync (David Chan --> Simon & Adam)
- android sync update to beta before end of quarter
Services (David Chan --> Simon & Adam)
- tokenserver review underway
- notifications needs review
Social - Pancake (Mark Goodwin)
Hoping for limited public release in 2 weeks' time. Only major worry is around CEF logging - they've implemented a mechanism in tornado for doing this, but work to actually satisfy my logging requirements will take longer than anticipated. They're asking if this is a blocker...
- Not for beta release. Yes for public release
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- IonMonkey fuzzing going on, bug frequency decreasing (hooray!). \o/
- First round of OOM testing on IonMonkey complete
- Differential testing can start soon
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- MozTrap went live to production, thanks to everyone who helped w/ secreviews
- [decoder] domfuzz addon now deployed on Tegras (Fennec Native) for fuzzing
Web Developer Tools (Mark Goodwin)
- Busy week; Netmonitor review yesterday (this is looking mostly OK), remote debugger / debugger UI review coming on Thursday. Please attend if possible; debugger exposes powerful functionality.
Networking (Christoph Diehl)
- SMS PDU https://bugzilla.mozilla.org/show_bug.cgi?id=741876#c3
- planning to look at SRTP as soon as SMS is finished to complete WebRTC fuzzing.
Graphics (Christoph Diehl)
- VP8 fuzzing as requested by dveditz
Networking (Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
- finishing up review of mozApps navigator
Payment Flow (Raymond Forbes)
App Sync (David Chan)
- client review underway
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID (Yvan Boily)
- RFP Responses in, evaluation upcoming
- Continuing review of sign into browser / browsing context providers
Identity Services (David Chan --> Yvan Boily / Adam Muntner)
- no update
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- Still awaiting some fixes to TellUsMore before I can close out review (but looks good)
- Outstanding whitehat reported bugs - please investigate/triage