Security/Meetings/SecurityAssurance/2012-05-22: Difference between revisions

Security/Meetings/SecurityAssurance/2012-05-22 (view source)

Revision as of 02:41, 23 May 2012

5,601 bytes added , 23 May 2012

no edit summary

Curtisk

canmove, Confirmed users, Bureaucrats and Sysops emeriti

2,776

edits

@@ Line 1: / Line 1: @@
 {{SecAssuranceMeetingInfo}}
 {{TOC right}}
+=Agenda=
+* Flash Update - https://mana.mozilla.org/wiki/display/INFRASEC/Block+Listing+Flash
+** We had a long internal discussion on security-group about protecting users with (very) old versions of Flash.
+** Possibilities include a soft block, an even softer "outdated" info bar, and waiting until we ship Firefox 15 with click-to-play (and a fix for https://bugzilla.mozilla.org/show_bug.cgi?id=686335 ?).
+* Bugzilla Tips - https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=22381156
+** Queries for the security team, and Bugzilla tricks that are relevant to us
+** Why is this private?
+*** Open to moving to other location, not sensitive
+* Work Week
+* [Rforbes] MarketPlace Update
+* [Paul] B2G Update
+* Security evangelism
+** Mark and David are researching Fennec's competitiveness on security and privacy features, especially against the stock Android browser.
+* [Yvan] Mentorship
+** We're picking out "good first bugs" for web security bugs
+* [decoder] Update on ASan builds
+* Blackhat / Defcon 2012 update?
+** https://wiki.mozilla.org/Security/BlackHat_2012
+* Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
+* Travel: decoder going to HITB tomorrow till Friday (meeting with imelven and Lucas)
+* Security comparison
+* https://mana.mozilla.org/wiki/display/~mcoates@mozilla.com/Comparison+points
+=Security Review Status (koenig)=
+* Number of Reviews Completed (so far this quarter): 48 (last week 59)  <-- trying to figure out how this went down
+** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 22 (27)
+** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org =26 (32)
+* Number of Outstanding Reviews: 192 (last week 171)
+ ** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 51
+** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 141
+=Project Updates =
+Please don't leave blank. Add "No Update" if nothing has changed
+==Silent updates (rforbes / dveditz)==
+== B2G (Paul Theriault --> & David Chan) ==
+*(Welcome david!! :)
+ B2G Starting to be tracked a litle more, making secreview easier to plan
+ https://docs.google.com/spreadsheet/ccc?key=0AiBigu584YY7dGlNSlY0QzhJb3M5anRBa1gxalV0Y3c#gid=0
+* Gaia now more detailed in the spreadsheet - yvan we should plan external review soom tomorrow
+* Meeting with Jlebar this morning to further refine the permissions model
+* Gaia hacking day next week? Any interest?
+==Thunderbird (Dan Veditz) ==
+==Rust (Jesse Ruderman) ==
+==Mobile (David Chan --> Mark Goodwin) ==
+* no update
+==Sync  (David Chan --> Simon & Adam) ==
+* android sync update to beta before end of quarter
+==Services (David Chan --> Simon & Adam) ==
+* tokenserver review underway
+* notifications needs review
+==Social - Pancake (Mark Goodwin) ==
+Hoping for limited public release in 2 weeks' time.
+Only major worry is around CEF logging - they've implemented a mechanism in tornado for doing this, but work to actually satisfy my logging requirements will take longer than anticipated. They're asking if this is a blocker...
+* Not for beta release. Yes for public release
+==Jetpack, Add-on SDK, Add-on Builder (Dan Veditz) ==
+==JS (Christian Holler) ==
+* IonMonkey fuzzing going on, bug frequency decreasing (horray!). \o/
+* First round of OOM testing on IonMonkey complete
+* Differential testing can start soon
+==DOM, XPConnect (Jesse Ruderman) ==
+==Layout, Style (Jesse Ruderman) ==
+==Automation Tools (Gary Kwong) ==
+* MozTrap went live to production, thanks to everyone who helped w/ secreviews
+* [decoder] domfuzz addon now deployed on Tegras (Fennec Native) for fuzzing
+==Web Developer Tools (Mark Goodwin) ==
+* Busy week; Netmonitor review yesterday (this is looking mostly OK), remote debugger / debugger UI review coming on Thursday. Please attend if possible; debugger exposes powerful functionality.
+== Networking (Christoph Diehl) ==
+* SMS PDU https://bugzilla.mozilla.org/show_bug.cgi?id=741876#c3
+* planning to look at SRTP as soon as SMS is finished to complete WebRTC fuzzing.
+== Graphics (Christoph Diehl) ===
+* VP8 fuzzing as requested by dveditz
+== Networking ( Media / Codecs) ==
+== Market (Raymond Forbes) ==
+==Firefox APIs (Raymond Forbes) ==
+* finishing up review of mozApps navigator
+==Payment Flow (Raymond Forbes) ==
+==App Sync (David Chan) ==
+* client review underway
+==Dynamic API Security Model (Raymond Forbes) ==
+==WebRT (Raymond Forbes) ==
+==BrowserID (Yvan Boily) ==
+* RFP Responses in, evaluation upcoming
+* Continuing review of sign into browser / browsing context providers
+== Identity Services (David Chan --> Yvan Boily / Adam Muntner) ==
+* no update
+==Addons.M.O (Raymond Forbes) ==
+==Bugzilla.M.O (Mark Goodwin & Eric Parker) ==
+* Still awaiting some fixes to TellUsMore before I can close out review (but looks good)
+* Outstanding whitehat reported bugs - please investigate/triage
+==Mozillians (Raymond Forbes) ==
+==MDN (Raymond Forbes) ==
+==SUMO (Kitsune) () ==