• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• Meeting structure
• [mcoates] MWC Update
• [al] Secure Bugmail & Encryption
• [curtisk] Update on triage & radar
• Collusion launched - http://www.mozilla.org/en-US/collusion/
• Bugzilla Changes
  • https://wiki.mozilla.org/Security/Reviews/Bugzilla_Components
• Review Requests
  • https://wiki.mozilla.org/Security#Request_a_Security_or_Privacy_Review
  • https://wiki.mozilla.org/Security/Reviews/Review_Request_Form
• We do have a "security" Github Team now in the Mozilla Account
  • If you have a Github account, ping me (decoder) on IRC. (<= add to new hire)
  • We can use this for public repositories to provide our tools to public
  • Needs Wiki documentation to give overview about our public stuff in the future
• Other topics?

Out of Memory

• (decoder) OOM testing on JS engine and Firefox (~ 5 mins)
  • js shell: -A num
  • decoder's first tool: binary search to find the maximum useful value for -A, then try every value under it
  • decoder's second tool: instrument all fallible allocations with a callback that gets a backtrace. lets you simulate OOM for a specific caller. this even works for firefox!
    • currently testing one mochitest at a time and filing multiple bugs from it.
    • bugs found by this tool are easiest to reproduce if you have the tool
• (jesse) We should increase use of infallible allocators, especially the default interfaces for hashes/strings/arrays
• all bugs so far seem to be failures in propogating the allocation failure: OOM is ignored immediately; functions can fail but have return type void; long caller chains have a missing propogation leak
• outside the JS engine, the crashes have all been safe crashes (guaranteed near null)
• decoder fixed a few of the JS engine bugs for them

Updates (remove or add as you see fit)

Silent updates (rforbes / dveditz)

Code signing

B2G (Paul Theriault)

• B2G Demo is now done, more chance to engage (will raise at meeting today)
• B2G are planning to migrate some of their code from their github back into Mozilla Central
• Hence many secreviews are in the pipeling.
• Note that there will also be non-mozilla code which will need review (e.g. radio daemon code etc)

Thunderbird (Dan Veditz)

Rust (Jesse Ruderman)

• The Servo mailing list is starting to get active

Mobile (David Chan)

• no update, MWC this week

Sync (David Chan & Yvan Boily)

Services (David Chan & Yvan Boily)

• (dchan) planning to perform an implementation review of token server this week

Social - Pancake (Mark Goodwin)

Pancake - still awaiting docs - we've got some movement on resolving Neo4j remote code exec stuff Also, st3fan's started doing the CEF work - trying to work out how it works - I'll sort out a meeting with Wil, St3fan and I Need to catch up on web / user DB stuff.

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• [decoder] OOM testing on JS engine and browser (details in second meeting half if interested)
• [gkw/decoder] lots of work by us on fuzzing incremental GC and IonMonkey or thinking of ways to better test them
  • Planned IonMonkey testing on ARM once branch stabilizes further
• [gkw] bugs found (& fixed) while moving jsfunfuzz to Releng hardware

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

• Marionette devs just requested for feedback? on their patch (& approach) in bug 712643
• [decoder] ADB over TCP support landed by wlach on mozbase/mozdevice

Web Developer Tools (Mark Goodwin)

Made a start on the GCLI stuff - we'll need a secreview on the "shell commands via GCLI" idea

- They don't actually want to *do* this, it's more a "what are the considerations around more powerful GCLI commands"

No movement on the review for debugger, yet

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

App Sync (David Chan)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

BrowserID idp (LDAP support for mozilla's internal stuff), Austin King will make a Security meeting about this (couple of concerns: session revocation, and not actually using BrowserID's pub key crypto over the net for the authentication)

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()