2018-06-24 13:59:47	@ChrisADR_mobile	!proj security
2018-06-24 13:59:49	willikins	ChrisADR_mobile: (security@gentoo.org) a3li, ackle, blueknight, bman, chrisadr, creffett, k_f, pinkbyte, whissi, zlogene, zx2c4
2018-06-24 13:59:53	@ChrisADR_mobile	Meeting time
2018-06-24 14:00:02	 *	K_F is here
2018-06-24 14:00:06	 *	domhnall here
2018-06-24 14:00:06	 *	MyNt1a is here
2018-06-24 14:00:09	 *	ChrisADR_mobile here too
2018-06-24 14:00:11	 *	Irishluck83 here
2018-06-24 14:01:50	@ChrisADR_mobile	Whissi b-man?
2018-06-24 14:01:55	 *	b-man here 
2018-06-24 14:02:27	@ChrisADR_mobile	b-man: are you in your laptop?
2018-06-24 14:02:38	@b-man	Nope.  Should I be?
2018-06-24 14:03:05	@ChrisADR_mobile	Can you? K_F and I are in mobiles, maybe would be faster if you can lead
2018-06-24 14:03:13	@ChrisADR_mobile	Or you Whissi
2018-06-24 14:04:01	@b-man	Ok, on laptop
2018-06-24 14:04:28	@K_F	thanks.. I won't be on laptop for another 15 min or so :)
2018-06-24 14:04:33	@ChrisADR_mobile	Awesome, thanks, please first topic, I can't see it in the cellphone while writing here
2018-06-24 14:04:40	@b-man	Security Project Structure GLEP review:
2018-06-24 14:04:56	@b-man	Want to hold that one until K_F is on laptop?
2018-06-24 14:05:09	@ChrisADR_mobile	K_F: should we?
2018-06-24 14:05:32	@K_F	no.. I haven't gotten around to preparing much on that anyways. thankfully slowing down a bit this week
2018-06-24 14:06:06	@K_F	good news is there was a new Norwegian record in CSWC yesterday combined with 20year anniversary party :)
2018-06-24 14:06:23	@ChrisADR_mobile	Ok, so, you have the updates in the repo, I added some stuff about motivation and stable dropping
2018-06-24 14:07:25	@ChrisADR_mobile	If there are no objections or feedback about those paragraphs, should we move on?
2018-06-24 14:07:48	Irishluck83	where are they located in glep?
2018-06-24 14:07:49	@K_F	yeah.. will follow up by email during week
2018-06-24 14:08:02	@K_F	Irishluck83: in a private git repo of ours
2018-06-24 14:08:04	@ChrisADR_mobile	b-man:?
2018-06-24 14:08:11	Irishluck83	ok
2018-06-24 14:08:13	@b-man	No objections from me
2018-06-24 14:08:19	@ChrisADR_mobile	Ok fine
2018-06-24 14:08:24	@ChrisADR_mobile	Next topic?
2018-06-24 14:08:36	@b-man	GLSAMaker use cases doc
2018-06-24 14:09:03	@b-man	"I've finished a first draft of the user stories, now with a clearer idea of what
2018-06-24 14:09:03	@b-man	does every access level do and what the functionalities are, we may take a look
2018-06-24 14:09:03	@b-man	at the padawan relation with CVETool."
2018-06-24 14:09:09	@ChrisADR_mobile	Oh right, I updated some use cases, now it's fully mapped, at least what we currently have
2018-06-24 14:09:42	@b-man	In this, I would ask if there are any objections to granting access to padawans for the CVETool prior to becoming a full GLSA coordinator.
2018-06-24 14:09:57	@ChrisADR_mobile	+1
2018-06-24 14:10:08	@b-man	It seems properly using the permissions as ChrisADR_mobile has mapped for us restricts this access.
2018-06-24 14:10:22	@ChrisADR_mobile	Most likely a minor permission change in the code, but still necessary I think
2018-06-24 14:10:24	@b-man	It would be good for the padawan to be exposed to the tool early on
2018-06-24 14:10:30	@K_F	do we have any granularity in access restrictions on cvetool? e.g if adding embargoed CVEs
2018-06-24 14:10:57	@b-man	K_F: I don't think the CVE will show up in the list as it pulls from the public CVE releases.
2018-06-24 14:11:07	@K_F	not if we add it ourselves
2018-06-24 14:11:15	@b-man	If the CVE is embargoed all that should show is the boilerplate text.
2018-06-24 14:11:26	@b-man	hmmm
2018-06-24 14:11:31	@b-man	I don't follow then K_F
2018-06-24 14:11:34	@ChrisADR_mobile	Not really, if we add it the content is reserved until a public announce is made
2018-06-24 14:11:55	@ChrisADR_mobile	I mean "*RESERVED * stuff stuff....."
2018-06-24 14:12:05	@K_F	not if we add it to the tracker manually.. but indeed we normally just use boilerplate text but it discloses that there is an issue in specific packages even so
2018-06-24 14:12:15	@b-man	K_F: You mean we manually add the CVE with the privately released text?
2018-06-24 14:12:36	@K_F	doesn't even need to be privileged text.. you'll disclose the applications having issues
2018-06-24 14:12:51	@ChrisADR_mobile	I think he means the 'cvetool new CVE-NUM'
2018-06-24 14:13:06	@K_F	right
2018-06-24 14:13:07	@b-man	K_F: How would they see the tracker?
2018-06-24 14:13:21	@b-man	that command puts boilerplate text in it
2018-06-24 14:13:23	@K_F	if they have access to cvetool?
2018-06-24 14:13:44	@ChrisADR_mobile	Yes, they shouldn't theoretically
2018-06-24 14:13:57	@b-man	I don't see a way to view a bug with CVETool's permissions.
2018-06-24 14:14:03	@K_F	they would see the assignment while preparing the GLSA
2018-06-24 14:14:13	@ChrisADR_mobile	They should see the boilerplate text, both in command line and web interface
2018-06-24 14:14:33	@K_F	right, but that still leaks the application
2018-06-24 14:14:45	@ChrisADR_mobile	No they don't, if the GLSA is marked as private, they can't see anything
2018-06-24 14:14:49	@b-man	I am still not following how this would expose anything, sorry.
2018-06-24 14:15:04	@K_F	they would see the bug assigned for the CVE in cvetool
2018-06-24 14:15:06	@b-man	As ChrisADR_mobile just said the GLSA would be marked private.
2018-06-24 14:15:19	@b-man	Right, but that text will be boilerplate as many texts are.
2018-06-24 14:15:22	@ChrisADR_mobile	Without private permission no
2018-06-24 14:15:45	@ChrisADR_mobile	I tested that with yury
2018-06-24 14:16:02	@ChrisADR_mobile	That only see public stuff, both in web and cli
2018-06-24 14:16:10	@K_F	but might not be much of an issue ultimately
2018-06-24 14:16:25	@ChrisADR_mobile	The thing is that we have to mark it as private while working on it
2018-06-24 14:16:59	@b-man	So, given that are you comfortable K_F/
2018-06-24 14:17:03	@b-man	?
2018-06-24 14:17:13	@ChrisADR_mobile	Besides, right now, the only member who would have that priv is Irishluck83
2018-06-24 14:17:37	@K_F	we can always try it out for a bit anyways.. and get some more experience with it
2018-06-24 14:17:38	 *	sokan here
2018-06-24 14:17:40	@ChrisADR_mobile	We can make him sign the disclosure agreement earlier, and test with him both interfaces
2018-06-24 14:17:52	@b-man	Perfect.
2018-06-24 14:17:58	@ChrisADR_mobile	Right, sounds good to me
2018-06-24 14:18:11	@b-man	I will request his permissions following the meeting.
2018-06-24 14:18:33	@K_F	that we set ourselves
2018-06-24 14:18:42	@ChrisADR_mobile	Ok so, just to make it official, please vote in the permission change
2018-06-24 14:18:52	@b-man	This will also allow us to tweak any permission models during testing
2018-06-24 14:19:04	 *	ChrisADR_mobile yes 
2018-06-24 14:19:08	 *	b-man yes
2018-06-24 14:19:09	 *	K_F yes
2018-06-24 14:19:14	@ChrisADR_mobile	Ok perfect
2018-06-24 14:19:33	@ChrisADR_mobile	I'll work on that change in the next weeks, hopefully it's not that complicated
2018-06-24 14:19:56	@b-man	I have already started looking at it and I don't believe it will be
2018-06-24 14:19:57	@ChrisADR_mobile	Ok, moving on to next topic...
2018-06-24 14:20:05	@ChrisADR_mobile	Great!!
2018-06-24 14:20:27	@b-man	Welcome to the new scouts:
2018-06-24 14:20:50	domhnall	o/
2018-06-24 14:21:03	@ChrisADR_mobile	Ahhhhh right :)
2018-06-24 14:21:04	Irishluck83	yep welcome scouts
2018-06-24 14:21:20	@ChrisADR_mobile	Welcome fresh meat \o/
2018-06-24 14:21:49	@b-man	For all the new scouts: if you PM K_F your mailing address he will send you free cigars
2018-06-24 14:21:58	@ChrisADR_mobile	Since sokan and MyNt1a are here already, and they requested formally to join the team a while back
2018-06-24 14:22:14	@b-man	:-P
2018-06-24 14:22:26	MyNt1a	o/
2018-06-24 14:22:26	@ChrisADR_mobile	I was thinking I'd time to assign them their mentors
2018-06-24 14:23:48	@ChrisADR_mobile	So K_F, you and Whissi are the closest devs around them... How are your schedules?
2018-06-24 14:23:59	sokan	\ο
2018-06-24 14:24:10	@K_F	hectic
2018-06-24 14:24:12	@ChrisADR_mobile	Well... Busy as always, but any chance to add one more task?
2018-06-24 14:24:16	@ChrisADR_mobile	Hehe
2018-06-24 14:24:29	domhnall	ChrisADR_mobile: mentors are assigned now?
2018-06-24 14:24:45	@b-man	domhnall: We are just checking availability.
2018-06-24 14:24:52	domhnall	oh
2018-06-24 14:24:55	@ChrisADR_mobile	Well, they have requested and been working for a while
2018-06-24 14:25:10	@b-man	MyNt1a: domhnall, where are you located?
2018-06-24 14:25:12	@ChrisADR_mobile	So, meetings are a good time to see availability
2018-06-24 14:25:13	@b-man	!time MyNt1a
2018-06-24 14:25:13	willikins	b-man: I don't know where MyNt1a is, (s)he should use !time set <Continent>/<City> to let me know
2018-06-24 14:25:15	MyNt1a	germany
2018-06-24 14:25:16	@b-man	!time domhnall
2018-06-24 14:25:16	willikins	b-man: I don't know where domhnall is, (s)he should use !time set <Continent>/<City> to let me know
2018-06-24 14:25:36	@ChrisADR_mobile	MyNt1a: is Germany, domhnall USA right?
2018-06-24 14:25:37	domhnall	!time America/New_York
2018-06-24 14:25:37	willikins	domhnall: America - New York - Sun Jun 24 15:25 EDT
2018-06-24 14:25:57	@b-man	I can mentor domhnall if he would like
2018-06-24 14:26:20	@ChrisADR_mobile	domhnall: thoughts?
2018-06-24 14:26:22	@K_F	sounds good.. I can mentor MyNt1a
2018-06-24 14:26:35	@ChrisADR_mobile	MyNt1a: thoughts?
2018-06-24 14:26:44	MyNt1a	would be great :D
2018-06-24 14:27:20	@ChrisADR_mobile	Well then, sokan would be between me and Whissi, and our last scout for the other one
2018-06-24 14:27:23	domhnall	b-man: honored and i accept.
2018-06-24 14:27:44	@b-man	Well, that settles that.  I will update the wiki following the meeting
2018-06-24 14:27:57	sokan	ChrisADR_mobile: sure thing, and thanks :)
2018-06-24 14:28:00	@ChrisADR_mobile	Thanks b-man
2018-06-24 14:28:33	@ChrisADR_mobile	Yes, let's wait Whissi to see that and according to that we'll add all scouts and mentors :)
2018-06-24 14:28:44	@b-man	ChrisADR_mobile: ?
2018-06-24 14:28:55	 *	zlogene passes around 
2018-06-24 14:28:57	@ChrisADR_mobile	No no, that was for sokan
2018-06-24 14:29:02	@b-man	ok
2018-06-24 14:29:02	@ChrisADR_mobile	b-man:
2018-06-24 14:29:26	@ChrisADR_mobile	Hi zlogene :) do you want a scout? :p
2018-06-24 14:29:38	domhnall	b-man: should you be absent, who would i defer questions to?
2018-06-24 14:30:01	@zlogene	ChrisADR_mobile: what do you mean I do not follow?:p
2018-06-24 14:30:09	@b-man	domhnall: for you and all the scouts/padawans/ninjas always feel free to ask questions in the main channel.  It will also ensure you get a timely answer.
2018-06-24 14:30:33	@ChrisADR_mobile	We are assigning mentors :p would you like a mentee scout?
2018-06-24 14:30:58	@b-man	domhnall: This is also why we try to ensure matches are done by timezones.
2018-06-24 14:31:15	@ChrisADR_mobile	That leaves the floor open, any other stuff?
2018-06-24 14:31:22	@zlogene	ChrisADR_mobile: no, I am pretty fed up with teaching people being the recruiter :p
2018-06-24 14:31:46	@ChrisADR_mobile	Hahaha ohhhh :( well worth the effort :)
2018-06-24 14:31:46	@b-man	ChrisADR_mobile: zlogene is a Gentoo recruiter as well
2018-06-24 14:32:46	@ChrisADR_mobile	Ok then, for the first time... This was a nice and short meeting \o/
2018-06-24 14:32:57	 *	ChrisADR_mobile bangs the gavel
2018-06-24 14:32:57	sokan	this is it? o.O
2018-06-24 14:33:00	@K_F	:)
2018-06-24 14:33:04	@ChrisADR_mobile	Thank you all!!
2018-06-24 14:33:11	@b-man	damn
2018-06-24 14:33:15	@b-man	I had an open floor thing
2018-06-24 14:33:20	sokan	...
2018-06-24 14:33:25	Irishluck83	nice. nice and quick. i still thing padawans should be ninjas. :)
2018-06-24 14:33:25	sokan	that was fast :D
2018-06-24 14:33:28	@ChrisADR_mobile	Oh, rewind then
2018-06-24 14:33:29	domhnall	b-man: a dance move?
2018-06-24 14:33:36	@b-man	domhnall: Only on Fridays
2018-06-24 14:33:41	sokan	nooo. no ninja. add sith lords :D
2018-06-24 14:33:42	Irishluck83	*think
2018-06-24 14:33:58	@ChrisADR_mobile	Ok, no open floor stuff then?
2018-06-24 14:34:01	@b-man	Yes,
2018-06-24 14:34:04	@b-man	I am typing
2018-06-24 14:34:09	@ChrisADR_mobile	Cool :)
2018-06-24 14:34:31	sokan	so ChrisADR_mobile I can easily spam you questions now with no remorse eh? :P
2018-06-24 14:34:32	@b-man	I wanted to begin the discussion of slacker marks or something similar to that for security team
2018-06-24 14:35:06	@ChrisADR_mobile	That'd reduce significantly the team hehe
2018-06-24 14:35:13	@ChrisADR_mobile	What do you propose?
2018-06-24 14:35:39	@b-man	Nothing solid yet, but I wanted to begin the discussions. I will send a mail with some rough ideas.
2018-06-24 14:35:42	@K_F	I'm not really a fan of that, if we're worried about activity we can always deal with that on case-by-case basis, but slacker mark doesn't sound useful
2018-06-24 14:36:15	@ChrisADR_mobile	Well, prepare the email, and sure, we can begin discussion and see
2018-06-24 14:36:25	@b-man	K_F: That could work too.  I am not sold on the "slacker" marks piece.  Just using it as an example to communicate what I am thinking.
2018-06-24 14:36:44	@b-man	I see a lot of folks as sec members who don't do anything :)
2018-06-24 14:36:54	@ChrisADR_mobile	Yea, it may be interesting topic to discuss
2018-06-24 14:37:18	@K_F	yeah, the broader topic is more interesting to discuss
2018-06-24 14:37:25	@ChrisADR_mobile	But that's for the next meeting if the mail is sent ;)
2018-06-24 14:37:44	 *	ChrisADR_mobile prepares the gavel again 
2018-06-24 14:38:00	 *	b-man plugs his ears
2018-06-24 14:38:03	 *	ChrisADR_mobile waits a couple of secs 
2018-06-24 14:38:15	 *	ChrisADR_mobile bangs again :)