{{SecAssuranceMeetingInfo}}
{{TOC right}}
=Agenda=
*
* Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
* [mcoates] Company-wide updates
* [yvan / curtis] Reviews - Refining handling & scoping effort, time,
* [mcoates] 1on1s
* [mcoates] Kilimanjaro
** https://wiki.mozilla.org/Kilimanjaro
** https://wiki.mozilla.org/Kilimanjaro/ProductDraft
** We will prioritize reviews that are blocking Kilimanjaro, starting with WebRT
* [mcoates] Work Week
** When: Late June, Early July? - (Infra: London Aug 12) Aug 13-17, 20-24, Sept
*** http://www.doodle.com/
*** Where: Europe - London?
*** Berlin in Oktober? ahem. AppSecUSA October 22 – 26, 2012
*** Including volunteers/community members, or employees only? - Want to include some community
* [Jesse] Google upped their bug bounty for web sites (but not for Chrome)
** http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html
** http://www.infoworld.com/t/hacking/bug-bounty-hunters-weigh-in-googles-vulnerability-reporting-program-191710 - Jesse was quoted :) \o/
* [mcoates] Embedded team members: remember that you can ask for help from other security team members; you don't have to do everything yourself.
* [mcoates] Bugzilla mail tips & tricks
** https://etherpad.mozilla.org/bugzilla-filter-tips
* [decoder] We got Linux Firefox+ASan builds on try now, if you need one, ping me. \o/
=Meeting Notes=
*
*
*
=Security Review Status (koenig)=
Number of Reviews Completed (so far this quarter): 40 (last week 16) <-- nice work
* https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 21
* https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 19
Number of Outstanding Reviews: 172 (last week 129)
* https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50
* https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 122
=Project Updates=
Please don't leave blank. Add "No Update" if nothing has changed.
==Silent updates (rforbes / dveditz)==
==B2G (Paul Theriault)==
* Browser API is a bit more defined now (iframe mozbrowser) https://wiki.mozilla.org/WebAPI/BrowserAPI
* B2G workweek in San Diego next week
** Define security review process/get team onboard
** Review draft Web App Permission Process
* Security reviews started moving slowly, but most features are not completed
** Documenting threats in the meantime
==Thunderbird (Dan Veditz)==
==Rust (Jesse Ruderman)==
* Upcoming "lifetimes" feature could be awesome. Moves the "pass by reference" concept into the type system and makes it more general.
** http://smallcultfollowing.com/babysteps/blog/2012/04/25/references/
** http://pcwalton.github.com/blog/2012/04/23/why-lifetimes/
==Mobile (David Chan)==
* no update
==Sync (David Chan & Yvan Boily)==
* still working on sync 2.0
==Services (David Chan & Yvan Boily)==
* notifications review being scheduled
==Social - Pancake (Mark Goodwin)==
Much frantic bug fixing going on in prep for public release. Some security stuff outstanding, but they won't be progressing without resolving.
==Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)==
==JS (Christian Holler)==
* [gkw] More ESR fuzzing
* [gkw] Pushed along some Valgrind issues on TBPL
==DOM, XPConnect (Jesse Ruderman)==
==Layout, Style (Jesse Ruderman)==
==Automation Tools (Gary Kwong)==
* Great feedback again for us getting ateam secreviews back on track
** Embedding is effective
==Web Developer Tools (Mark Goodwin)==
I'm having fun on a first bug :D - little else to report.
==Networking (Christoph Diehl)==
* Going to port Server-Sent DOM Events to Peach
* Still working on SPDY v3
==Graphics (Christoph Diehl)==
* Going to re-test some older items with ASAN builds (graphite, icon, bitmap)
* Filed more Opus bugs
==Market (Raymond Forbes)==
Launching soon?
==Firefox APIs (Raymond Forbes)==
==Payment Flow (Raymond Forbes)==
==Apps in the Cloud (David Chan)==
* client needs review
==Dynamic API Security Model (Raymond Forbes)==
==WebRT (Raymond Forbes)==
==BrowserID==
* 3rd party review to be pushed
==Identity Services (David Chan)==
* working on sign into browser
==Addons.M.O (Raymond Forbes)==
==Bugzilla.M.O (Mark Goodwin & Eric Parker)==
TellUsMore review is happening late this / early next week.
==Mozillians (Raymond Forbes)==
==MDN (Raymond Forbes)==
==SUMO (Kitsune)==