{{SecAssuranceMeetingInfo}}
{{TOC right}}
=Agenda=
* Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
* Please start using the new keywords; for now use both keywords and whiteboard tags while we convert bugzilla queries
* Look at examples for types of things that qualify for keyword ratings at https://wiki.mozilla.org/Security_Severity_Ratings/Proposals. We need to get this current and then add the web ones.
** we expect this to be keywords full time by 18-May
** we need the teams to get the list of team keywords finalized (csec-, wsec-, opsec-)
*** it's up to each subteam to make these lists by 2012-05-18
*** do we have WIP/candidate lists?
**** apparently not :/
* Triage (CritSmash, etc)
** Allow other teams to triage the bugs and us in an advisory capacity
* How can we ensure security bugs are visible to relevant developers?
** It's hard to work on bugs you can't see.
** Currently, we tend to CC managers/delegators who then CC the right developer. This kinda works, but isn't so great.
** For web site bugs: everyone who can land code that runs directly on a web site should have access to its security bugs. (Currently, the bugzilla group is mostly managers, plus security people and "web site drivers")
** For browser bugs: Jesse wants JS engine developers to be able to see JS engine bugs. Perhaps component owners (e.g. dmandelin for js engine) should be able to grant access.
*** [jesse] Note that access to land on mozilla-central is binary, so it can't be tied to "who can land code in the component"
*** [yvan] I will ask dkl how much work it would be to add these granular access controls to Bugzilla
** Who controls the "default CC list" feature? This is one way to give more people access, but it involves spam. Only Bugzilla admins can add people.
* Secreview Documentation
** Working Drafts at https://etherpad.mozilla.org/oLeUVAihZI and https://intranet.mozilla.org/User:Yboily@mozilla.com
** Blog post at https://security.etherpad.mozilla.org/13
=Meeting Notes=
* [gkw] PTO / OOO thursday - friday
=Security Review Status (koenig)=
* Number of Reviews Completed (so far this quarter): 53 (previous weeks 40, 16)
** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 25
** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 28
* Number of Outstanding Reviews: 169 (previous weeks 172, 129)
** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50
** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 119
* Web Sec Bugs:
** https://bugzil.la/UNCONFIRMED%2CNEW%2CASSIGNED%2CREOPENED%20group%3Awebsites-security%2B-component%3A%22Security%20Assurance%3A%20Review%20Request%22%2B-sw%3A%22infrasec%22%2B-kw%3A%22sec-%22%0A
=Project Updates=
Please don't leave blank. Add "No Update" if nothing has changed
==Silent updates (rforbes / dveditz)==
== B2G (Paul Theriault) ==
* Draft Permissions Model: https://wiki.mozilla.org/Apps/Security
* Draft Permission Matrix (wip): https://wiki.mozilla.org/Apps/Security/Permissions
* ~40 reviews assigned to me
** triaging this week, should have more details in each bug to help share workload
* OS/Runtime https://wiki.mozilla.org/B2G/Architecture/Runtime
==Thunderbird (Adam) ==
* no update
==Rust (Jesse Ruderman) ==
* [Jesse] Chatted with Niko about his [http://smallcultfollowing.com/babysteps/blog/2012/05/01/borrowing/ Borrowing] and [http://smallcultfollowing.com/babysteps/blog/2012/05/05/borrowing-errors/ Borrowing Errors] posts. I had ideas about how to make more errors static and more code simple.
==Mobile (David Chan) ==
* no update
==Sync (David Chan & Yvan Boily) ==
* no update
==Services (David Chan & Yvan Boily) ==
* no update
==Social - Pancake (Mark Goodwin) ==
No Update
==Jetpack, Add-on SDK, Add-on Builder (Dan Veditz) ==
==JS (Christian Holler) ==
* [gkw] More ESR fuzzing done
* [gkw, Jesse] Getting closer to jsfunfuzz-in-the-pool
* [Jesse, gkw] Getting closer to jsfunfuzz-random-flags working again (and better than ever)
* [decoder] jsfunfuzz now running on two Tegras (Part of ARM Fuzzing Goal)
==DOM, XPConnect (Jesse Ruderman) ==
* Fair number of regressions from [https://bugzilla.mozilla.org/show_bug.cgi?id=650353 compartment-per-global], including security bugs
==Layout, Style (Jesse Ruderman) ==
==Automation Tools (Gary Kwong) ==
* No Update
==Web Developer Tools (Mark Goodwin) ==
* No Update
== Networking (Christoph Diehl) ==
* finally going to set up a b2g phone for sms/bluetooth fuzzing
== Graphics (Christoph Diehl) ==
* closing security reviews for Graphite 2, ICO and BMP encoders
* filing bugs for Graphite 2
* filing bugs for Icon decoder
== Market (Raymond Forbes) ==
* Official friends and family beta launch happens tomorrow.
==Firefox APIs (Raymond Forbes) ==
* no update
==Payment Flow (Raymond Forbes) ==
* Met with Stripe to further understand their offerings. I still have concern about PCI compliance but they claim their auditors have blessed the strategy.
==App Sync (David Chan) ==
* server api review completed
* progressing on client review
==Dynamic API Security Model (Raymond Forbes) ==
==WebRT (Raymond Forbes) ==
* no update
==BrowserID ==
* RFP issued yesterday
== Identity Services (David Chan) ==
==Addons.M.O (Raymond Forbes) ==
* no update
==Bugzilla.M.O (Mark Goodwin & Eric Parker) ==
* No Update (TellUsMore review is progressing)
==Mozillians (Yvan Boily) ==
==MDN (Raymond Forbes) ==
* no update
==SUMO (Kitsune) () ==
* no update