Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
Phone (Toronto): 416 848 3114 x92 Conf: 95316#
Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

Flash Update - https://mana.mozilla.org/wiki/display/INFRASEC/Block+Listing+Flash
- We had a long internal discussion on security-group about protecting users with (very) old versions of Flash.
- Possibilities include a soft block, an even softer "outdated" info bar, and waiting until we ship Firefox 15 with click-to-play (and a fix for https://bugzilla.mozilla.org/show_bug.cgi?id=686335 ?).
Bugzilla Tips - https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=22381156
- Queries for the security team, and Bugzilla tricks that are relevant to us
- Why is this private?
  - Open to moving to other location, not sensitive
Work Week
[Rforbes] MarketPlace Update
[Paul] B2G Update
Security evangelism
- Mark and David are researching Fennec's competitiveness on security and privacy features, especially against the stock Android browser.
[Yvan] Mentorship
- We're picking out "good first bugs" for web security bugs
[decoder] Update on ASan builds
Blackhat / Defcon 2012 update?
- https://wiki.mozilla.org/Security/BlackHat_2012
Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
Travel: decoder going to HITB tomorrow till Friday (meeting with imelven and Lucas)
Security comparison
https://mana.mozilla.org/wiki/display/~mcoates@mozilla.com/Comparison+points

Security Review Status (koenig)

Number of Reviews Completed (so far this quarter): 48 (last week 59) <-- trying to figure out how this went down
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 22 (27)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org =26 (32)
Number of Outstanding Reviews: 192 (last week 171)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 51
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 141

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault --> & David Chan)

(Welcome david!! :)

B2G Starting to be tracked a litle more, making secreview easier to plan
https://docs.google.com/spreadsheet/ccc?key=0AiBigu584YY7dGlNSlY0QzhJb3M5anRBa1gxalV0Y3c#gid=0

Gaia now more detailed in the spreadsheet - yvan we should plan external review soom tomorrow
Meeting with Jlebar this morning to further refine the permissions model
Gaia hacking day next week? Any interest?

Thunderbird (Dan Veditz)

Rust (Jesse Ruderman)

Mobile (David Chan --> Mark Goodwin)

no update

Sync (David Chan --> Simon & Adam)

android sync update to beta before end of quarter

Services (David Chan --> Simon & Adam)

tokenserver review underway
notifications needs review

Social - Pancake (Mark Goodwin)

Hoping for limited public release in 2 weeks' time. Only major worry is around CEF logging - they've implemented a mechanism in tornado for doing this, but work to actually satisfy my logging requirements will take longer than anticipated. They're asking if this is a blocker...

Not for beta release. Yes for public release

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

IonMonkey fuzzing going on, bug frequency decreasing (horray!). \o/
First round of OOM testing on IonMonkey complete
Differential testing can start soon

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

MozTrap went live to production, thanks to everyone who helped w/ secreviews
[decoder] domfuzz addon now deployed on Tegras (Fennec Native) for fuzzing

Web Developer Tools (Mark Goodwin)

Busy week; Netmonitor review yesterday (this is looking mostly OK), remote debugger / debugger UI review coming on Thursday. Please attend if possible; debugger exposes powerful functionality.

Networking (Christoph Diehl)

SMS PDU https://bugzilla.mozilla.org/show_bug.cgi?id=741876#c3
planning to look at SRTP as soon as SMS is finished to complete WebRTC fuzzing.

Graphics (Christoph Diehl) =

VP8 fuzzing as requested by dveditz

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

finishing up review of mozApps navigator

Payment Flow (Raymond Forbes)

App Sync (David Chan)

client review underway

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID (Yvan Boily)

RFP Responses in, evaluation upcoming
Continuing review of sign into browser / browsing context providers

Identity Services (David Chan --> Yvan Boily / Adam Muntner)

no update

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Still awaiting some fixes to TellUsMore before I can close out review (but looks good)
Outstanding whitehat reported bugs - please investigate/triage

Security/Meetings/SecurityAssurance/2012-05-22

Contents