Security/Meetings/SecurityAssurance/2012-04-24

From MozillaWiki


  • Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • Automation team work week last week in SF
    • New security review process is great, much improved (especially in speed?) [Yes!]
    • But it can still be better; some reviews slipped off the radar.
  • Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
  • [Jesse] How can we make the (hoped) fuzzer release less scary?
    • [yvan] Could we find friends in academia who have access to a large computing farm, and share it with them first?
      • Would grad students be able to make a research project out of it? "Just running the fuzzers" isn't very researchy.
        • They could update it to find more bugs
      • This could give us a sense of how many more bugs can be found using the fuzzers, thus making us more comfortable releasing them.

Meeting Notes

Security Review Status (curtisk)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

  • first part (windows service) shipped today

B2G (Paul Theriault)

Thunderbird (Dan Veditz/Adam Muntner)

  • handoff to Adam
    • please let gkw know if any help is needed; gkw has been thunderbird-ing in the Mozilla world for as long as he can remember. :)

Rust (Jesse Ruderman)

  • I brought up an issue about null characters in strings: https://mail.mozilla.org/pipermail/rust-dev/2012-April/001743.html
    • What's the alternative?
      • When calling a C API, make a copy of the string where embedded nulls are changed to "replacement character" or "non-canonical null"?
      • Use typestate to keep track of which strings might have embedded nulls?
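The two alternatives above, worked through in code. This is an added example, not code from the rust-dev thread or from the Rust project; it uses today's std::ffi::CString, which did not exist in this form in 2012, and the helper names (strict, with_replacement, as_seen_by_strlen) and the sample file name are assumptions constructed for the illustration. It shows why an embedded NUL is a risk (a C consumer stops at the first NUL and silently sees a shorter string), how the strict reject-at-the-boundary approach surfaces that as an error, and how the copy-with-replacement approach keeps the whole string visible to C.

```rust
use std::ffi::CString;

/// Outcome of preparing a Rust string for a C API that expects a NUL-terminated buffer.
#[derive(Debug, PartialEq)]
pub enum CStrPolicy {
    /// Refused: the string carries an embedded NUL at this byte offset.
    Rejected { nul_position: usize },
    /// Accepted: the exact bytes (including the trailing NUL) that would reach C.
    Accepted(Vec<u8>),
}

/// Strict policy: refuse any string with an embedded NUL.
/// CString::new performs exactly this check and reports where the NUL sits.
pub fn strict(s: &str) -> CStrPolicy {
    match CString::new(s) {
        Ok(c) => CStrPolicy::Accepted(c.into_bytes_with_nul()),
        Err(e) => CStrPolicy::Rejected { nul_position: e.nul_position() },
    }
}

/// Copy-and-replace policy: make a copy in which every embedded NUL becomes
/// U+FFFD (the Unicode replacement character), so the C side sees the whole
/// string rather than a silently truncated one. The Option variant discussed
/// in the meeting ("non-canonical null") would work the same way with a
/// different substitute.
pub fn with_replacement(s: &str) -> CString {
    let cleaned: String = s
        .chars()
        .map(|c| if c == '\0' { '\u{FFFD}' } else { c })
        .collect();
    // After replacement no NUL can remain, so this cannot fail.
    CString::new(cleaned).expect("no NULs remain after replacement")
}

/// What a C consumer using strlen-style parsing would see: everything up to
/// the first NUL byte. This is the truncation the strict policy guards against.
pub fn as_seen_by_strlen(bytes: &[u8]) -> &[u8] {
    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
    &bytes[..end]
}

fn main() {
    // Constructed sample input: a file name with an embedded NUL.
    let name = "notes.txt\0hidden";
    println!("C would see      : {:?}", String::from_utf8_lossy(as_seen_by_strlen(name.as_bytes())));
    println!("strict policy    : {:?}", strict(name));
    println!("replacement copy : {:?}", with_replacement(name));
}
```

The type-level ("typestate") option from the notes maps onto the same idea: once a value is a CString, the absence of interior NULs is a property of the type, so a C binding that only accepts CString cannot be handed a raw string that was never checked.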

Mobile (David Chan)

Sync (David Chan & Yvan Boily)

Services (David Chan & Yvan Boily)

Social - Pancake (Mark Goodwin)

  • Pancake is coming together nicely. Work is progressing on fixes to ES (some unforeseen issues on the policy stuff) and Neo4J. Some long-standing gripes on encryption between servers are being addressed. I expect limited public release within the next fortnight.

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • [decoder] IonMonkey bugs have been all retriaged and marked security-sensitive if appropriate
  • [decoder] Testing ESR10 now with LangFuzz to prepare for fuzzer release

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Graphics (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • We had a great work week last week in SF!
    • Spoke about our updated security review process
    • We still have stuff that dropped off the radar
  • [decoder] Talked to jmaher, working together with him to realize ASan builds

Web Developer Tools (Mark Goodwin)

  • Work is underway to move the Firebug HTTP Monitor into Firefox (to complement and, ultimately, replace the net stuff in HUDService). It's early days yet, but we'd like a secreview session on this (probably within a month).

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Apps in the cloud (David Chan)

  • server code has landed
  • client code slipped from fx14 to fx15

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

  • test day May 3rd

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) (Adam)