Security/Meetings/SecurityAssurance/2012-10-30

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
    • [mcoates] If you have goals that rely on other people, contact them this week.
  • [curtisk] - SkyDogCon rundown
    • Fun, physical CTF
  • [mcoates] B2G & Marketplace "Attestation of security" that a cell phone carrier requested. A lot of it is about making sure malicious software can't take over the phone. The document isn't public, but mcoates and pauljt have access to it.
  • [mcoates] B2G updates. We're discussing this with bizdev. https://mana.mozilla.org/wiki/display/SECURITY/FirefoxOS-Updates
  • [mgoodwin] Fennec Addons
  • [gkw] Please test your B2G dogfood phone (if you have one) for security issues
    • e.g. javascript protocol was not disabled in the B2G browser (bug 804446)
    • at webapi meeting today they mentioned that some mochitests were running on b2g
    • [jesse] Can someone go through all the fixed Firefox frontend security bugs, and make sure B2G isn't vulnerable to the same things?
  • [jesse] consistent severity ratings
  • [joes] New OpSec Engineer position
  • [joes/kang] Update on SPAM/PHISHING email issues
  • [gkw] Will/Has Sandy affect(ed) Mozilla?
    • [michal`] somewhat, maybe some CDN nodes are down, also google's closest 8.8.8.8 went down with their NYC data center. Nothing big.
  • [gkw] Still no news on MozCamp Asia 2012 paid staff attendees yet
    • Unofficial events start on 15 Nov SG time
    • About 2 weeks left, flights are very expensive and should need approval due to the short timeframe, if folks do get to go
  • [stefan] update from the new guy
  • Team meetup update
    • Maybe one in late Feb and another in summer (coinciding with our security conference), both in North America
  • [mcoates] Goals for individual development
    • What are you enjoying, what are you not enjoying, what do you want to do more of?
    • You'll be discussing this stuff with your manager soon.

Security Review Status (koenig)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

  • testing still broken

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

Sync (Simon Bennetts)

No update

Services (Simon Bennetts & Adam Muntner)

No update

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • [gkw] JS work week was last week, it went pretty well!
  • [decoder] Fuzzing with ARM emulation now possible without using full VMs but rather userspace emulation (better speed and scalability).

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • No update

Web Developer Tools (Mark Goodwin)

  • No update

Networking (Christoph Diehl)

  • No update

Graphics (Christoph Diehl)

  • No update

Networking (Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

  • No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

  • mozilla-beta builds under ASan, soon regular builds