==Discussion==
* [Curtis] SecReview Bugs - Feedback from engineering team on our ideas
** file-a-bug-to-move-channels got shot down
** up to Sec Team to file "blocker" bugs
** Bugs that come out of security review meetings should have [sg:] markings
* [Curtis] Should we mark priorities [sgpri:P3] or targets [sgtarg:Fx6] in addition to severities [sg:moderate]
** Priorities -- probably not
** Targets -- use the normal tracking flags, so we agree with release drivers
* [Curtis] Adding a Bugzilla keyword/whiteboard like "security-review-wanted".
** Seems best to add a pair of short keywords, "sec-review-needed" and "sec-review-complete".
** "sec-review-needed" will include scheduled, Curtis can keep track
** Done. Went with sec-review-* for similarity with other keywords
* [Curtis] Adding a Bugzilla patch flag like "security-implementation-review".
** On hold while we see whether the "sec-review-needed" bug keyword and "r?dveditz" are sufficient.
* [Lucas] Embedding team members
** sec team member will attend the feature team's meetings, contribute to design, and potentially contribute to implementation. (expensive; expect to spend at least a few hours a week)
** need to identify which projects want/need embedded sec team member. Candidates: Mobile, F1, Sync, Jetpack, Apps, Mozilla ID,
** who on the security team? imelven (mobile), dchan (F1), curtisk (Identity), bsterne (Apps), dveditz (Jetpack/Add-on builder), bsmith (Sync)
* [Curtis] Telemetry
** Implementation Review? (none/some/all) (client/server)
** Server review: https://bugzilla.mozilla.org/show_bug.cgi?id=655746
** Owners for items from Telemetry review/discussion
** [bsmith] Follow-up bug: different (non-aborting) error handling strategy for future release.
** [Sid?] Follow-up bug: in future histogram collections should come from a single file that can be audited, rather than allow instantiation from any random part of the code.
** [bsmith/mcoates] Code hosted on GitHub--like many other parts of Mozilla--will review policy at next joint secteam/infrasec-security meeting.
** [taras] Follow-up bug: Mobile data usage--must minimize the size of data sent--gzip, more-efficient-than-JSON encoding. (bug 661578)
** Next course of action
* [David] Blackhat/DEFCON hotels
** https://intranet.mozilla.org/ConferencesSchedule/Blackhat2011
** Milk & Cookies party?
* [Lucas] Review scheduling
** Would it help if everyone on the security team tried to keep specific times open every week?
** Should we avoid Fridays? Bad for NZ and Europe
* [Lucas] Questions re SF office
** Lucas and Ian will probably be based in SF office. bsmith might.
* [dveditz] Security fix verification
** QA team is becoming less interested in putting resources on the 3.6 branch
** Automated tests are good, but they leave the risk that what the developer fixed isn't the right bug.
** Should we invite reporters to verify fixes? We do, for externally reported bugs.
** ??? will chat with Matt, manager of the QA team
* [dveditz] Let's use the public #security channel more and the private channel less