« previous week | index | next week »

• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Contents 1 Agenda 2 Planned Blog Posts 3 Speaking Engagements 4 Security Review Status (curtisk) 5 Operations Security Update (Joe Stevensen) 6 Project Updates 6.1 Silent updates (rforbes / dveditz) 6.2 B2G (Paul Theriault, David Chan) 6.3 Thunderbird (Adam Muntner) 6.4 Rust (Jesse Ruderman) 6.5 Mobile (Mark Goodwin) 6.6 Sync (Simon Bennetts) 6.7 Services (Simon Bennetts & Adam Muntner) 6.8 Jetpack, Add-on SDK, Add-on Builder (Dan Veditz) 6.9 JS (Christian Holler) 6.10 DOM, XPConnect (Jesse Ruderman) 6.11 Layout, Style (Jesse Ruderman) 6.12 Automation Tools (Gary Kwong) 6.13 Web Developer Tools (Mark Goodwin) 6.14 Networking (Christoph Diehl) 6.15 Media / Graphics (Christoph Diehl) = 6.16 Peach (Christoph Diehl / Raymond Forbes) = 6.17 Market (Raymond Forbes) 6.18 Firefox APIs (Raymond Forbes) 6.19 Payment Flow (Raymond Forbes) 6.20 Dynamic API Security Model (Raymond Forbes) 6.21 WebRT (Raymond Forbes) 6.22 BrowserID 6.23 Identity Services (David Chan) 6.24 Addons.M.O (Raymond Forbes) 6.25 Bugzilla.M.O (Mark Goodwin & Eric Parker) 6.26 Mozillians (Raymond Forbes) 6.27 MDN (Raymond Forbes) 6.28 SUMO (Kitsune) () 6.29 AddressSanitizer (Christian Holler)

Agenda

• [mcoates] Freddy's back!
  • Freddy (Frederik Braun) will be in SF this week, MV next week, and near Cologne, Germany afterwards.
  • "I work on: making Mozilla's web applications more secure: security reviews, automation and the like"
• [mcoates] Goals - 2013 Q1 Goals
  • Will be on google doc.
  • Work with your manager this week
  • Company goals are not yet locked down.
  • Each of us should aim to have 4-5 goals: 3 supporting team quarterly goals; 1 supporting a year-long project; 1 supporting personal growth (?)
• [mcoates] Metrics
  • Bugs Filed (use sec keyword), Reviews Completed (by assigned to)
  • Only bugs with sec-* keywords are counted in this project.
    • [jesse] I think you should also count unrated bugs in core-security.
      • But then if the bug becomes public, while still not having a sec-* rating, it won't be counted.
        • [decoder] That's rare.
        • Should we add a "sec-needs-rating" keyword that can also go on public bugs?
          • [gkw] We currently mark the bug as conservatively as possible, e.g. sec-critical / high
            • [rforbes] But this will inflate sec-critical bug numbers
• [mcoates] Weekly meeting template
  • Firefox Dekstop / Mobile, Firefox OS, Web Apps, Operations Sec
• [jesse, pauljt] How do we mark Review Request bugs if we (current employees) don't intend to work on them, but they're still possibly useful for volunteers to pick up? I'd prefer not to use WONTFIX.
  • This question only applies to client features, since web sites don't go up until they're reviewed.
  • [yvan] We could use the 'mentor' whiteboard tag
    • http://www.joshmatthews.net/deck.js/mentor/
    • [dchan] jdm's search page - http://www.joshmatthews.net/bugsahoy/?
    • [jesse, curtis] We'll exclude bugs with 'sw:mentor' from the "Stale security reviews" query
  • [yvan] Champions and other developers are possible assignees
  • [curtis] Also note that "needinfo?" excludes bugs from the official "Stale security reviews" query
  • https://etherpad.mozilla.org/stale
• [yvan] - Documenting the results of security reviews
  • This gives us a chance to improve our , and is something to show when the world asks "why shouldn't this feature scare the crap out of me?"
  • Examples
    • https://wiki.mozilla.org/Security/Reviews/Identity/browserid
    • https://wiki.mozilla.org/Security/Reviews/F1
    • https://wiki.mozilla.org/Security/Reviews/SocialAPI
  • link to what's needed?

Is this the blog post? https://blog.mozilla.org/security/2012/05/08/speeding-up-security-reviews/ yes

• [curtisk] communications for Jan
  • https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c
• [decoder] Planning to visit HITB Conference 2013 in April in Amsterdam. Will check with Lucas who is going (some SecEng people usually attend this). Freddyb might also be interested in going.
  • CFP open
• [David Chan] B2G coming down to the line (15/1) help with updates & browser API review would be great
  • [gkw] And also testing your Unagi device
• [raymond] I've been looking at bug bounty stats (especially bounties for our web sites), and will have recommendations
• [psiinon] Zest preso
• Review Security Radar Page - https://wiki.mozilla.org/Security/Radar

Planned Blog Posts

• [decoder] https://security.etherpad.mozilla.org/SecurityBlogSecurityCoverage
  • needs a publish date

Speaking Engagements

• (Who) : Date: Name of Event : Talk Title: Link
• OWASP Bay Area Meeting at Mozilla SF - Tues, Jan 8
• Simon Bennetts : Feb 2-3 : FOSDEM : Talking about ZAP :)
• Raymond Forbes : Feb 27 - March 2 : Nullcon

Security Review Status (curtisk)

• 
• Completed in Q4 2012: 50
• Number of Reviews Completed (so far this quarter): 4
  • https://bugzilla.mozilla.org/buglist.cgi?list_id=4619884;resolution=FIXED;chfieldto=2013-03-31;query_format=advanced;chfield=resolution;chfieldfrom=2013-01-01;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Number of Outstanding Reviews: 129
  • https://bugzil.la/comp%3A%22security%20assurance%3A%20review%20request%22
• Number of Reviews Ready For Review: 67
  • https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20%2Bsw%3A%22pending%22%20-flag%3A%22needinfo%22
• Number of reviews without risk rating:54
  • https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20-sw%3A%22%5Bneeds%20info%5D%22%20-sw%3A%22%5Bscore%3A%22
• Number of reviews without deadline set:117
  • https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_due_date;query_format=advanced;resolution=---;type0-0-0=isempty;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Find Yours:
  • MIssing Risk Rating (Yours)
  • Without Deadline (Yours)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

- Review status: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdE9SMm5xNzBwTk13UHBCcUdQazNUQ1E#gid=0 - Project deadline still 15th Jan - High priority reviews outstanding

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

• No update (unless Stefan has one)

Sync (Simon Bennetts)

Services (Simon Bennetts & Adam Muntner)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• Working on parallel jit-tests, to allow more tests in the test suite

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

• No update

Web Developer Tools (Mark Goodwin)

• No update

Networking (Christoph Diehl)

• No update

Media / Graphics (Christoph Diehl) =

• gUM is not pref'ed on by default

Peach (Christoph Diehl / Raymond Forbes) =

• Working on FruitFarm
  • https://github.com/posidron/FruitFarm/wiki/Screenshots

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)