Security/Meetings/SecurityAssurance/2012-06-19
From MozillaWiki
< Security | Meetings | SecurityAssurance
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Q2 wrapping up
- Start thinking about Q3 goals
- Bugzilla whine query for basecamp bugs in the Security Assurance component
- Work Week
- time boxing
- skill matching
- prioritization
- Sec Reviews
- We completed 70 this quarter, but we have 200 in the queue (see queries below).
- Not all of these require meetings or major effort.
- Note that b2g reviews warp these stats somewhat (~60 reviews that cant be closed due to unfinished features, or waiting on fixes)
- [decoder] Blog posts: Can we decrease the time required to blog something?
- What slows you down?
- For the current post, sign-off by mcoates (not saying he should work faster but maybe we can adjust the process, esp. if it's unlikely to touch PR affairs :D)
- Other browsers, plugins, other vendors -- consult with PR
- Numbers of bugs, number of security bugs -- consult with Michael
- Other posts -- peer review is sufficient
- What slows you down?
- [gkw] Secreviews of addons that ship with the Firefox China Edition
- One of the addons disables DEP to improve compatibility with some plugin :/
- https://bugzilla.mozilla.org/show_bug.cgi?id=704038 is likely to be the bug
- One of the addons disables DEP to improve compatibility with some plugin :/
- [gkw] NPAPI plugins in China
- Flash very prevalent
- Plugins common esp for migrating away from ActiveX
- Why are they moving from ActiveX to another proprietary thing, instead of moving to the Web?
- The company itself [which company? e.g. banks, i don't think i can name them... yet?] does the migration, we are merely in an advisory role
- Firefox gets plugins for MP3 because of patents, while Chrome supports it.
- Employee Reviews:
https://mana.mozilla.org/wiki/display/INTRANET/Do+Track%3A+Mozilla+Feedback+Process
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- [dchan] OOO 7-4 to 7-13
- [decoder] PTO on Friday
Security Review Status (koenig)
- Number of Reviews Completed (so far this quarter): 67 (last week 63)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 28 (27)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org =39 (36)
- Number of Outstanding Reviews: 193 (last week 185)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 49 (46)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 144 (139)
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- One profile per app proposal being worked out this week - implications for sandboxing/permissions possibly
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
- No update
Sync (Simon Bennetts & Adam Muntner)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
- Still preparing for initial AppStore release
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [decoder] LangFuzz now supports several new JS constructs taken from Harmony (Default Parameter Values, Rest Parameter and "for-of" constructs).
DOM, XPConnect (Jesse Ruderman)
- [decoder] Control server for domfuzz instances on Tegras is being migrated (no fuzzing right now), will move this to one of our own servers for better reliability.
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
Web Developer Tools (Mark Goodwin)
- Possible GCLI command hackday for 26th. More info here: https://bugzilla.mozilla.org/show_bug.cgi?id=724055
- Hacking on first bug \o/
Networking (Christoph Diehl)
- Added fuzzer for Hayes's unsolicited AT commands. - Closed SecReview 763922
Graphics (Christoph Diehl) =
- Relocated WebGL DOM fuzzer from peacock to Peach with some bug fixes.
Networking ( Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
App Sync (David Chan)
- no update
- Dan had some questions on navigator.apps?
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
- no update
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No update
