SecurityEngineering/MeetingNotes/09-05-13

Agenda 5-Sep-2013

• Q3 Goals Recap
• Summit stuff
  • Innovation Fair http://mzl.la/summit2013-fairs
• review discussion from last week (r- vs clearing r?): https://wiki.mozilla.org/SecurityEngineering/CodeReviewGuidelines
  • tl;dr: be clear if you need something, don't let reviews linger obscenely long.
  • Current text: "Get agreement from your potential reviewer that they are willing and able to do the review, before requesting review in bugzilla. This includes expectations about scheduling."
  • Proposed text:

Reviewee: If you need a review in a specific timeframe, please ping the reviewer and let them know of the urgency/timeline. Reviewer: Respond in a resonable amount of time with either a review or information on when you can do the review. 'You should not go longer than a week without any communication with the reviewee' 'Going longer than a week without any communication with a reviewee is longer than reasonable.'

• • Some history on the review cunundrum: http://taras.glek.net/blog/2011/12/05/24-hour-reviews/

https://groups.google.com/forum/#!topic/mozilla.dev.platform/DVY7-DKQiaU

• • Up-front communication is useful and helpful.
  • r- vs r? clearing? Just r-, it's clearer and half a +.
• cookie stats
  • Email monica if you want to work on the third party data storage problem
• OOO/PTO/Schedule for rest of quarter
  • networking + seceng workweek is uncertain
  • check the calendar
• TRIBE summary
  • focus on understanding your strengths/weaknesses and how interact with others
  • come out with concrete methods to help you improve
  • https://wiki.mozilla.org/People:TRIBE#Dates_.26_Locations

Q3 Goals

• [ON TRACK] Finish first phase of Sandboxing
  • Outcome: seccomp in e10s/Larch or on nightly + clear roadmap
  • DRI: Sid
    • Consult : E10S contributions to make it reasonably usable in nightly. (without extensions/plugins) assign: ALL as appropriate
    • Implement : [NEW] Fix window.crypto to work in E10S}
    • Implement : [NEW] Fix CSP tests to work in E10S garrett + sid
    • Implement : [AT RISK] land seccomp for Linux (min bar for sandboxing) keeler - part of an old patch for bug 790923
    • Research : [NEW] Prioritize secomp tightening steps, begin executing it sid
    • Research : [NEW] Create story/plan for addon compatibility monica
• [ON TRACK] Cookie Clearinghouse
  • Outcome: Identify feasibility and nail down spec: https://github.com/CookieClearinghouse/protocol/wiki/Proposed-List-Formats
  • DRI: Monica
  • Tasks:
    • Implement : [NEW] spec out and make go/nogo decision on implementation
    • Consult : [NEW] drive Stanford effort to stable spec
• [AT RISK] Implement alternative revocation checking mechanisms
  • Outcome: must-staple + pinning + insanity on by default in nightly
  • DRI: Camilo
  • Tasks:
    • Implement : [AT RISK] Enable insanity::pkix validation by default on nightly
    • Implement : [AT RISK] Land key pinning
    • Implement : [AT RISK] Land must-staple support
• [ON TRACK] SafeBrowsing 2.0
  • Outcome: App reputation whitelist on by default in nightly
  • DRI: Monica
  • Tasks:
    • Implement : [NEW] Land app reputation system with whitelist support