Security/Meetings/SecurityAssurance/2012-06-26
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Q2 Goals - Review - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- By Friday, we shouldn't have any items listed as "On Track". Everything should be "Done" or "Missed" (or, for projects without an endpoint, "Ongoing").
- Q3 Goals Brainstorm - https://security.etherpad.mozilla.org/2012Q3-Goals
- August work week schedule/plan? - https://mana.mozilla.org/wiki/display/INFRASEC/2012+Q3+London
- OpSec hosting a gpg key signing party
- OpSec will be with Infra for two days, then SecAssurance for the other two
- Community Members - send me recommendations -
- gkw's proposed brownbag on "Challenges to Mozilla adoption in China"
- Now scheduled for July 11, Wednesday, 12pm Pacific, Ten Forward, Air Mozilla (likely)
- Get your airfare for BlackHat (if going) & contact Gurvinder if in the bay area
- New hire starting next week - Michal P
- Please look at the zero crits proposal, and comment on it today: https://security.etherpad.mozilla.org/No-Shipped-Crits-review
Security Review Status (koenig)
- Number of Reviews Completed (so far this quarter): 70 (last week 67)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 30 (28)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 40 (39)
- Number of Outstanding Reviews: 194 (last week 193)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50 (49)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 144 (144)
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- now moving to a packaged format for installed apps (some decision at the work week)
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
- dev-servo mailing list has picked up this week
Mobile (Mark Goodwin)
- Firefox 14 is out!! Grab it, rate it, tell your friends.
- Engineering meeting is happening tomorrow; I'm hoping to attend.
Sync (Simon Bennetts & Adam Muntner)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
- Pancake will be submitted for App Store review any time about now; hoping to have a (limited) public release in about 2 weeks.
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [gkw & Jesse] jsfunfuzz is now running on Releng hardware! \o/
- What's the status of Ionmonkey?
- m-c landing apparently delayed for 2-3 more weeks
DOM, XPConnect (Jesse Ruderman)
- Aryeh Gregor landed some great changes to Editor that reduce its attack surface: https://bugzilla.mozilla.org/show_bug.cgi?id=760052 and https://bugzilla.mozilla.org/show_bug.cgi?id=766387
Layout, Style (Jesse Ruderman)
- [decoder] Control harnesses for domfuzz instances on Tegras now migrated to one of our internal servers and running again.
Automation Tools (Gary Kwong)
- No update
Web Developer Tools (Mark Goodwin)
- Hackday for GCLI commands is currently in progress. Ideas can be submitted here: https://etherpad.mozilla.org/command-line-hackathon - I think there are loads of things we could do easily that would be useful for security people; the devtools team would really welcome your input.
- or, if you'd prefer to write your own (it's easy), the docs start here: https://developer.mozilla.org/en/Tools/GCLI
- Also, CSP violations will start appearing soon in the Web Console of a Nightly near you <- actually, it's in inbound now :)
Networking (Christoph Diehl)
No update - working on fuzzer internals
Graphics (Christoph Diehl)
No update - working on fuzzer internals
Networking (Media / Codecs)
Market (Raymond Forbes)
payments update
Firefox APIs (Raymond Forbes)
App Sync (David Chan)
no update
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
no update
BrowserID
- [yvan] Wide-ranging security review coming up. It will cover EVERYTHING BrowserID.
Identity Services (David Chan)
no update
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
No update