Security/Meetings/SecurityAssurance/2012-04-10
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 20:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda:
- Q2 Goal Clarification - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- MozCamps
- LATAM Mozcamp Next Week
- who is going
- mcoates
- Month of SQL Injection Awareness - Interest in posting? (http://owasp.blogspot.com/2012/04/owasp-security-blitz-april-injection.html)
- Infra's SQL Security tutorial: http://www.sheeri.com/content/presenting-security-topics-percona039s-mys <-- right here, Raymond!
- The reason I mention WP is that, despite requiring PHP >= 5.3.x, the WP community doesn't seem to get that they're OK using prepared statements
- WebAPIs are out...for Q2 (see B2G section)
- [decoder] Want to use Address Sanitizer on Mac? Be sure to look at bug 741258 and use LLVM/Clang trunk tip.
- [gkw] Valgrind has quite a few known false positives, so please ask around first if a bug is found.
- [dchan] K9o and services
- open questions on changes to sync
- 1.1 vs 2.0 protocol
- Persona integration
- How hard do we want to push back on maintaining current data security level?
- [Jesse] I want recovery (and other-device-not-present sync setup) passwords to be optional. Especially for BrowserID.
- [dchan] recovery passwords will not be in the initial release. They are pushing for a way so that Persona never has the encryption key in any form
- What? Then why did I have to provide a password to set up BrowserID?
- The Persona workflow will make setup for multiple devices simpler for most users, but we want to provide at least an option for users who don't want the storage
- There is no fixed timeline for EOLing the current sync servers, if they are ever EOLed
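On the SQL injection agenda item above: the following is an added example, not part of the meeting notes, of WordPress, or of the linked tutorial. It puts the string-built query beside the PDO prepared statement that PHP 5.3 makes available everywhere, using an in-memory SQLite database and constructed rows so it runs offline without a MySQL server; the table, the user rows and the attacker input are all assumptions made for the demonstration.

```php
<?php
// Added example: string-built SQL vs. a PDO prepared statement.
// SQLite in memory so it runs offline; table and rows are constructed here, not real data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (login, role) VALUES ('alice', 'admin')");
$pdo->exec("INSERT INTO users (login, role) VALUES ('bob', 'subscriber')");

// Attacker-controlled value, as it might arrive in $_GET['login'] (constructed).
$input = "nobody' OR '1'='1";

// Vulnerable: the value is spliced into the SQL text. The embedded quote terminates
// the string literal and the rest is parsed as SQL, so the WHERE clause becomes
// true for every row.
function findUserVulnerable(PDO $pdo, string $login): array
{
    $sql = "SELECT login, role FROM users WHERE login = '" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement shape is fixed at prepare() time and the value is bound as
// data. The whole input string is compared as one login value; none of it is
// ever parsed as SQL, no matter what characters it contains.
function findUserPrepared(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare('SELECT login, role FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$leaked = findUserVulnerable($pdo, $input);
$safe   = findUserPrepared($pdo, $input);

printf("vulnerable query returned %d row(s)\n", count($leaked));
printf("prepared query returned %d row(s)\n", count($safe));
foreach ($leaked as $row) {
    printf("  leaked: %s (%s)\n", $row['login'], $row['role']);
}
```

Inside WordPress itself the equivalent is the core `$wpdb->prepare()` method with `%s`/`%d` placeholders, so plugin code has no need to build query strings by hand either. With the MySQL PDO driver, prepares are emulated client-side by default; setting `PDO::ATTR_EMULATE_PREPARES` to false gives true server-side prepared statements, but both modes are safe against injection as long as every untrusted value goes through a bound parameter rather than the SQL text.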
Meeting Notes
- Q2 Goal Clarification
- Purpose of tactical goals is to capture the major items we work on. E.g. if you spend 25% of your time on something, it should be listed as a tactical goal that rolls up to a goal for the quarter
- However, we should still perform research and experimentation as needed, regardless of whether it's a tactical goal. Just keep track of time commitments.
B2G
- List of APIs defined for Milestone 3 (Q2 goal):
https://docs.google.com/spreadsheet/ccc?key=0AiBigu584YY7dGlNSlY0QzhJb3M5anRBa1gxalV0Y3c#gid=0
- https://etherpad.mozilla.org/ScreenOrientationSec
- tracking b2g security here: https://wiki.mozilla.org/Security/B2G
DevTools
Creating feature pages for the ideas identified during the work week
Pancake
M3 (public release) is roughly 3-4 weeks away
Apps
interesting apps stuff