|author||Christopher Diaz Riveros <email@example.com>||2018-06-27 08:50:53 -0500|
|committer||Christopher Diaz Riveros <firstname.lastname@example.org>||2018-06-27 08:50:53 -0500|
|parent||meeting logs: Added sec-meeting-2018-06-03-log (diff)|
meeting logs: Added sec-meeting-2018-06-24-log
Signed-off-by: Christopher Diaz Riveros <email@example.com>
1 files changed, 184 insertions, 0 deletions
diff --git a/sec-meeting-2018-06-24-log b/sec-meeting-2018-06-24-log
new file mode 100644
@@ -0,0 +1,184 @@
+2018-06-24 13:59:47 @ChrisADR_mobile !proj security
+2018-06-24 13:59:49 willikins ChrisADR_mobile: (firstname.lastname@example.org) a3li, ackle, blueknight, bman, chrisadr, creffett, k_f, pinkbyte, whissi, zlogene, zx2c4
+2018-06-24 13:59:53 @ChrisADR_mobile Meeting time
+2018-06-24 14:00:02 * K_F is here
+2018-06-24 14:00:06 * domhnall here
+2018-06-24 14:00:06 * MyNt1a is here
+2018-06-24 14:00:09 * ChrisADR_mobile here too
+2018-06-24 14:00:11 * Irishluck83 here
+2018-06-24 14:01:50 @ChrisADR_mobile Whissi b-man?
+2018-06-24 14:01:55 * b-man here
+2018-06-24 14:02:27 @ChrisADR_mobile b-man: are you in your laptop?
+2018-06-24 14:02:38 @b-man Nope. Should I be?
+2018-06-24 14:03:05 @ChrisADR_mobile Can you? K_F and I are in mobiles, maybe would be faster if you can lead
+2018-06-24 14:03:13 @ChrisADR_mobile Or you Whissi
+2018-06-24 14:04:01 @b-man Ok, on laptop
+2018-06-24 14:04:28 @K_F thanks.. I wont be on laptop for another 15 min or so :)
+2018-06-24 14:04:33 @ChrisADR_mobile Awesome, thanks, please first topic, I can't see it in the cellphone while writing here
+2018-06-24 14:04:40 @b-man Security Project Structure GLEP review:
+2018-06-24 14:04:56 @b-man Want to hold that one until K_F is on laptop?
+2018-06-24 14:05:09 @ChrisADR_mobile K_F: should we?
+2018-06-24 14:05:32 @K_F no.. I havent gotten around to preparing much on that anyways. thankfully slowing down a bit this week
+2018-06-24 14:06:06 @K_F good news is there was a new Norwegian record in CSWC yesterday combined with 20year anniversary party :)
+2018-06-24 14:06:23 @ChrisADR_mobile Ok, so, you have the updates in the repo, I added some stuff about motivaron and stable dropping
+2018-06-24 14:07:25 @ChrisADR_mobile If there are no objections or feedback about those paragraphs, should we move on?
+2018-06-24 14:07:48 Irishluck83 where are they located in glep?
+2018-06-24 14:07:49 @K_F yeah.. will follow up by email during week
+2018-06-24 14:08:02 @K_F Irishluck83: in a private git repo of ours
+2018-06-24 14:08:04 @ChrisADR_mobile b-man:?
+2018-06-24 14:08:11 Irishluck83 ok
+2018-06-24 14:08:13 @b-man No objections from me
+2018-06-24 14:08:19 @ChrisADR_mobile Ok fine
+2018-06-24 14:08:24 @ChrisADR_mobile Next topic?
+2018-06-24 14:08:36 @b-man GLSAMaker use cases doc
+2018-06-24 14:09:03 @b-man "I've finished a first draft of the user stories, now with a clearer idea of what
+2018-06-24 14:09:03 @b-man does every access level do and what the functionalities are, we may take a look
+2018-06-24 14:09:03 @b-man at the padawan relation with CVETool."
+2018-06-24 14:09:09 @ChrisADR_mobile Oh right, I updated some use cases, now it's fully mapped, at least what we currently have
+2018-06-24 14:09:42 @b-man In this, I would ask if there are any objections to granting access to padawans for the CVETool prior to becoming a full GLSA coordinator.
+2018-06-24 14:09:57 @ChrisADR_mobile +1
+2018-06-24 14:10:08 @b-man It seems properly using the permissions as ChrisADR_mobile has mapped for us restricts this access.
+2018-06-24 14:10:22 @ChrisADR_mobile Most likely a minor permission change in the code, but still necessary I think
+2018-06-24 14:10:24 @b-man It would be good for the padawan to be exposed to the tool early on
+2018-06-24 14:10:30 @K_F do we have any granularity in access restrictions on cvetool? e.g if adding embargoed CVEs
+2018-06-24 14:10:57 @b-man K_F: I don't think the CVE will show up in the list as it pulls from the public CVE releases.
+2018-06-24 14:11:07 @K_F not if we add it ourselves
+2018-06-24 14:11:15 @b-man If the CVE is embargoed all that should show is the boilerplate text.
+2018-06-24 14:11:26 @b-man hmmm
+2018-06-24 14:11:31 @b-man I don't follow then K_F
+2018-06-24 14:11:34 @ChrisADR_mobile Not really, if we add it the content is reserved until a public announce is made
+2018-06-24 14:11:55 @ChrisADR_mobile I mean "*RESERVED * stuff stuff....."
+2018-06-24 14:12:05 @K_F not if we add it to the tracker manually.. but indeed we normally just use boilerplate text but it discloses that there is an issue in specific packages even so
+2018-06-24 14:12:15 @b-man K_F: You mean we manually add the CVE with the privately released text?
+2018-06-24 14:12:36 @K_F doesnt even need to be privileged text.. you'll disclose the applications having issues
+2018-06-24 14:12:51 @ChrisADR_mobile I think he means the 'cvetool new CVE-NUM
+2018-06-24 14:13:06 @K_F right
+2018-06-24 14:13:07 @b-man K_F: How would they see the tracker?
+2018-06-24 14:13:21 @b-man that command puts boilerplate text in it
+2018-06-24 14:13:23 @K_F if they have access to cvetool?
+2018-06-24 14:13:44 @ChrisADR_mobile Yes, they shouldn't theoretically
+2018-06-24 14:13:57 @b-man I don't see a way to view a bug with CVETool's permissions.
+2018-06-24 14:14:03 @K_F they would see the assignment while preparing the GLSA
+2018-06-24 14:14:13 @ChrisADR_mobile They should see the boilerplate text, both in command line and web interface
+2018-06-24 14:14:33 @K_F right, but that still leaks the application
+2018-06-24 14:14:45 @ChrisADR_mobile No they don't, if the GLSA is marked as private, they can't see anything
+2018-06-24 14:14:49 @b-man I am still not following how this would expose anything, sorry.
+2018-06-24 14:15:04 @K_F they would see the bug assigned for the CVE in cvetool
+2018-06-24 14:15:06 @b-man As ChrisADR_mobile just said the GLSA would be marked private.
+2018-06-24 14:15:19 @b-man Right, but that text will be boilerplate as many texts are.
+2018-06-24 14:15:22 @ChrisADR_mobile Without private permission no
+2018-06-24 14:15:45 @ChrisADR_mobile I tested that with yury
+2018-06-24 14:16:02 @ChrisADR_mobile That only see public stuff, both in web and cli
+2018-06-24 14:16:10 @K_F but might not be much of an issue ultimately
+2018-06-24 14:16:25 @ChrisADR_mobile The thing is that we have to mark it as private while working on it
+2018-06-24 14:16:59 @b-man So, given that are you comfortable K_F/
+2018-06-24 14:17:03 @b-man ?
+2018-06-24 14:17:13 @ChrisADR_mobile Besides, right now, the only member who would have that priv is Irishluck83
+2018-06-24 14:17:37 @K_F we can always try it out for a bit anyways.. and get some more experience with it
+2018-06-24 14:17:38 * sokan here
+2018-06-24 14:17:40 @ChrisADR_mobile We can make him sign the disclosure agreement earlier, and test with him both interfaces
+2018-06-24 14:17:52 @b-man Perfect.
+2018-06-24 14:17:58 @ChrisADR_mobile Right, sounds good to me
+2018-06-24 14:18:11 @b-man I will request his permissions following the meeting.
+2018-06-24 14:18:33 @K_F that we set ourselves
+2018-06-24 14:18:42 @ChrisADR_mobile Ok so, just to make it official, please vote in the permission change
+2018-06-24 14:18:52 @b-man This will also allow us to tweak any permission models during testing
+2018-06-24 14:19:04 * ChrisADR_mobile yes
+2018-06-24 14:19:08 * b-man yes
+2018-06-24 14:19:09 * K_F yes
+2018-06-24 14:19:14 @ChrisADR_mobile Ok perfect
+2018-06-24 14:19:33 @ChrisADR_mobile I'll work on that change in the next weeks, hopefully it's not that complicated
+2018-06-24 14:19:56 @b-man I have already started looking at it and I don't believe it will be
+2018-06-24 14:19:57 @ChrisADR_mobile Ok, moving on to next topic...
+2018-06-24 14:20:05 @ChrisADR_mobile Great!!
+2018-06-24 14:20:27 @b-man Welcome to the new scouts:
+2018-06-24 14:20:50 domhnall o/
+2018-06-24 14:21:03 @ChrisADR_mobile Ahhhhh right :)
+2018-06-24 14:21:04 Irishluck83 yep welcome scouts
+2018-06-24 14:21:20 @ChrisADR_mobile Welcome fresh meat \o/
+2018-06-24 14:21:49 @b-man For all the new scouts: if you PM K_F your mailing address he will send you free cigars
+2018-06-24 14:21:58 @ChrisADR_mobile Since sokan and MyNt1a are here already, and they requested formally to join the team a while back
+2018-06-24 14:22:14 @b-man :-P
+2018-06-24 14:22:26 MyNt1a o/
+2018-06-24 14:22:26 @ChrisADR_mobile I was thinking I'd time to assign them their mentors
+2018-06-24 14:23:48 @ChrisADR_mobile So K_F, you and Whissi are the closest devs around them... How are your schedules?
+2018-06-24 14:23:59 sokan \ο
+2018-06-24 14:24:10 @K_F hectic
+2018-06-24 14:24:12 @ChrisADR_mobile Well... Busy as always, but any chance to add one more task?
+2018-06-24 14:24:16 @ChrisADR_mobile Hehe
+2018-06-24 14:24:29 domhnall ChrisADR_mobile: mentors are assigned now?
+2018-06-24 14:24:45 @b-man domhnall: We are just checking availability.
+2018-06-24 14:24:52 domhnall oh
+2018-06-24 14:24:55 @ChrisADR_mobile Well, they have requested and being working for a while
+2018-06-24 14:25:10 @b-man MyNt1a: domhnall, where are you located?
+2018-06-24 14:25:12 @ChrisADR_mobile So, meetings are a good time to see availability
+2018-06-24 14:25:13 @b-man !time MyNt1a
+2018-06-24 14:25:13 willikins b-man: I don't know where MyNt1a is, (s)he should use !time set <Continent>/<City> to let me know
+2018-06-24 14:25:15 MyNt1a germany
+2018-06-24 14:25:16 @b-man !time domhnall
+2018-06-24 14:25:16 willikins b-man: I don't know where domhnall is, (s)he should use !time set <Continent>/<City> to let me know
+2018-06-24 14:25:36 @ChrisADR_mobile MyNt1a: is Germany, domhnall USA right?
+2018-06-24 14:25:37 domhnall !time America/New_York
+2018-06-24 14:25:37 willikins domhnall: America - New York - Sun Jun 24 15:25 EDT
+2018-06-24 14:25:57 @b-man I can mentor domhnall if he would like
+2018-06-24 14:26:20 @ChrisADR_mobile domhnall: thoughts?
+2018-06-24 14:26:22 @K_F sounds good.. I can mentor MyNt1a
+2018-06-24 14:26:35 @ChrisADR_mobile MyNt1a: thoughts?
+2018-06-24 14:26:44 MyNt1a would be great :D
+2018-06-24 14:27:20 @ChrisADR_mobile Well then, sokan would be between me and Whissi, and our last scout for the other one
+2018-06-24 14:27:23 domhnall b-man: honored and i accept.
+2018-06-24 14:27:44 @b-man Well, that settles that. I will update the wiki following the meeting
+2018-06-24 14:27:57 sokan ChrisADR_mobile: sure thing, and thanks :)
+2018-06-24 14:28:00 @ChrisADR_mobile Thanks b-man
+2018-06-24 14:28:33 @ChrisADR_mobile Yes, let's wait Whissi to see that and according to that we'll add all scouts and mentors :)
+2018-06-24 14:28:44 @b-man ChrisADR_mobile: ?
+2018-06-24 14:28:55 * zlogene passes around
+2018-06-24 14:28:57 @ChrisADR_mobile No no, that was for sokan
+2018-06-24 14:29:02 @b-man ok
+2018-06-24 14:29:02 @ChrisADR_mobile b-man:
+2018-06-24 14:29:26 @ChrisADR_mobile Hi zlogene :) do you want a scout? :p
+2018-06-24 14:29:38 domhnall b-man: should you be absent, who would i difer questions to?
+2018-06-24 14:30:01 @zlogene ChrisADR_mobile: what do you mean I do not follow?:p
+2018-06-24 14:30:09 @b-man domhnall: for you and all the scouts/padawans/ninjas always feel free to ask questions in the main channel. It will also ensure you get a timely answer.
+2018-06-24 14:30:33 @ChrisADR_mobile We are assigning mentors :p would you like a mentee scout?
+2018-06-24 14:30:58 @b-man domhnall: This is also why we try to ensure matches are done by timezones.
+2018-06-24 14:31:15 @ChrisADR_mobile That leaves the floor open, any other stuff?
+2018-06-24 14:31:22 @zlogene ChrisADR_mobile: no, I am pretty feed up with teaching people being the recruiter :p
+2018-06-24 14:31:46 @ChrisADR_mobile Hahaha ohhhh :( well worth the effort :)
+2018-06-24 14:31:46 @b-man ChrisADR_mobile: zlogene is a Gentoo recruiter as well
+2018-06-24 14:32:46 @ChrisADR_mobile Ok then, for the first time... This was a nice and short meeting \o/
+2018-06-24 14:32:57 * ChrisADR_mobile bangs the gavel
+2018-06-24 14:32:57 sokan this it it? o.O
+2018-06-24 14:33:00 @K_F :)
+2018-06-24 14:33:04 @ChrisADR_mobile Thank you all!!
+2018-06-24 14:33:11 @b-man damn
+2018-06-24 14:33:15 @b-man I had a open floor thing
+2018-06-24 14:33:20 sokan ...
+2018-06-24 14:33:25 Irishluck83 nice. nice and quick. i still thing padawans should be ninjas. :)
+2018-06-24 14:33:25 sokan that was fast :D
+2018-06-24 14:33:28 @ChrisADR_mobile Oh, rewind then
+2018-06-24 14:33:29 domhnall b-man: a dance move?
+2018-06-24 14:33:36 @b-man domhnall: Only on Friday's
+2018-06-24 14:33:41 sokan nooo. no ninjga. add sith lords :D
+2018-06-24 14:33:42 Irishluck83 *think
+2018-06-24 14:33:58 @ChrisADR_mobile Ok, no open floor stuff then?
+2018-06-24 14:34:01 @b-man Yes,
+2018-06-24 14:34:04 @b-man I am typing
+2018-06-24 14:34:09 @ChrisADR_mobile Cool :)
+2018-06-24 14:34:31 sokan so ChrisADR_mobile I can easily spam you questions now with no remorse eh? :P
+2018-06-24 14:34:32 @b-man I wanted to begin the discussion of slacker marks or something similair to that for security team
+2018-06-24 14:35:06 @ChrisADR_mobile That'd reduce significantly the team hehe
+2018-06-24 14:35:13 @ChrisADR_mobile What do you propose?
+2018-06-24 14:35:39 @b-man Nothing solid yet, but I wanted to begin the discussions. I will send a mail with some rough ideas.
+2018-06-24 14:35:42 @K_F I'm not really a fan of that, if we're worried about activity we can always deal with that on case-by-case basis, but slacker mark doesn't sound useful
+2018-06-24 14:36:15 @ChrisADR_mobile Well, prepare the email, and sure, we can begin discussion and see
+2018-06-24 14:36:25 @b-man K_F: That could work too. I am not sold on the "slacker" marks piece. Just using it as an example to communicate what I am thinking.
+2018-06-24 14:36:44 @b-man I see a lot of folks as sec members who don't do anything :)
+2018-06-24 14:36:54 @ChrisADR_mobile Yea, it may be interesting topic to discuss
+2018-06-24 14:37:18 @K_F yeah, the broader topic is more interesting to discuss
+2018-06-24 14:37:25 @ChrisADR_mobile But that's for the next meeting if the mail is sent ;)
+2018-06-24 14:37:44 * ChrisADR_mobile prepares the gavel again
+2018-06-24 14:38:00 * b-man plugs his ears
+2018-06-24 14:38:03 * ChrisADR_mobile waits a couple of secs
+2018-06-24 14:38:15 * ChrisADR_mobile bangs again :)