Security/Meetings/SecurityAssurance/2012-05-01
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 20:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- [mcoates] Company wide updates
- [yvan / curtis] Reviews - Refining handling & scoping effort, time,
- [mcoates] 1on1s
- [mcoates] Kilimanjaro
- https://wiki.mozilla.org/Kilimanjaro
- https://wiki.mozilla.org/Kilimanjaro/ProductDraft
- We will prioritize reviews that are blocking Kilimanjaro, starting with WebRT
- [mcoates] Work Week
- When: Late June, Early July? - (Infra: London Aug 12) Aug 13-17, 20-24, Sept
- http://www.doodle.com/
- Where: Europe - London?
- Berlin in October? ahem. AppSecUSA October 22 – 26, 2012
- Including volunteers/community members, or employees only? - Want to include some community
- [Jesse] Google upped their bug bounty for web sites (but not for Chrome)
- [mcoates] Embedded team members: remember that you can ask for help from other security team members; you don't have to do everything yourself.
- [mcoates] Bugzilla mail tips & tricks
- [decoder] We got Linux Firefox+ASan builds on try now, if you need one, ping me. \o/
Security Review Status (koenig)
- Number of Reviews Completed (so far this quarter): 40 (last week 16) <-- nice work
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 21
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org =19
- Number of Outstanding Reviews: 172 (last week 129)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 122
Project Updates
Please don't leave this blank. Add "No Update" if nothing has changed.
Silent updates (rforbes / dveditz)
B2G (Paul Theriault)
- Browser API is a bit more defined now (iframe mozbrowser) https://wiki.mozilla.org/WebAPI/BrowserAPI
- B2G workweek in san diego next week
- Define security review process/get team onboard
- Review draft Web App Permission Process
- Security reviews started moving slowly, but most features are not completed
- Documenting threats in the meantime
Thunderbird (Dan Veditz)
Rust (Jesse Ruderman)
- Upcoming “lifetimes” feature could be awesome. Moves the “pass by reference” concept into the type system and makes it more general.
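An added illustration of what "lifetimes in the type system" buys a security reviewer; this is not code from the page or from the Rust project, and it uses current Rust syntax rather than the 2012-era syntax the update refers to. The struct and function names (HeaderField, parse_header, longest, parse_owned) and the sample header lines are made up for the example.

```rust
// Added illustration of lifetimes in the type system (modern Rust syntax,
// not the 2012-era syntax discussed in the meeting). Not code from the page.

/// A parsed header field that borrows from the request buffer instead of
/// copying it. The lifetime parameter 'a ties both slices to the buffer
/// they point into: the field cannot be used after that buffer is gone.
#[derive(Debug, PartialEq)]
pub struct HeaderField<'a> {
    pub name: &'a str,
    pub value: &'a str,
}

/// Split one "Name: value" line into a borrowed HeaderField.
/// The signature states that the returned field lives no longer than `line`.
pub fn parse_header(line: &str) -> Option<HeaderField<'_>> {
    let (name, value) = line.split_once(':')?;
    let name = name.trim();
    if name.is_empty() {
        return None;
    }
    Some(HeaderField { name, value: value.trim() })
}

/// Return the longer of two borrowed strings. Inputs and output share the
/// lifetime 'a, so the caller may only use the result while both inputs live.
pub fn longest<'a>(x: &'a str, y: &'a str) -> &'a str {
    if x.len() >= y.len() { x } else { y }
}

/// The check the compiler performs for us. This would NOT compile:
///
///     let field;
///     {
///         let buf = String::from("Host: example.org");
///         field = parse_header(&buf);   // borrows buf
///     }                                 // buf dropped here
///     println!("{:?}", field);          // error[E0597]: `buf` does not live long enough
///
/// In C the equivalent pointer into a freed buffer is a use-after-free found
/// at runtime (if at all); here it is a type error found at compile time.
/// To hand data out beyond the input's lifetime, copy it into owned Strings.
pub fn parse_owned(line: &str) -> Option<(String, String)> {
    parse_header(line).map(|h| (h.name.to_owned(), h.value.to_owned()))
}

fn main() {
    // Constructed sample input, not a captured request.
    let request = String::from("Host: example.org");
    let field = parse_header(&request).expect("valid header");
    println!("{} = {}", field.name, field.value);
    println!("longest: {}", longest("GET", "POST"));
}
```

The borrowed form is the zero-copy parser a reviewer usually worries about; the lifetime on HeaderField is what lets the compiler reject the dangling case shown in the comment instead of leaving it for a fuzzer or ASan to find.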
Mobile (David Chan)
- no update
Sync (David Chan & Yvan Boily)
- still working on sync 2.0
Services (David Chan & Yvan Boily)
- notifications review being scheduled
Social - Pancake (Mark Goodwin)
Much frantic bug fixing going on in prep for public release. Some security stuff is outstanding, but they won't be progressing without resolving it.
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [gkw] More ESR fuzzing
- [gkw] Pushed along some Valgrind issues on TBPL
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- Great feedback again for us getting ateam secreviews back on track
- Embedding is effective
Web Developer Tools (Mark Goodwin)
I'm having fun on a first bug :D - little else to report.
Networking (Christoph Diehl)
- Going to port Server-Sent DOM Events to Peach
- Still working on SPDY v3
Graphics (Christoph Diehl)
- Going to re-test some older items with ASAN builds (graphite, icon, bitmap)
- Filed more Opus bugs
Market (Raymond Forbes)
Launching soon?
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Apps in the Cloud (David Chan)
- client needs review
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
- 3rd party review to be pushed
Identity Services (David Chan)
- working on sign into browser
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
TellUsMore review is happening late this / early next week.