• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• Team Meeting Structure
  • Everyone in attendance is nice for team cohesion & remote people
  • Send updates outside of team meeting e.g. what's going on +1
  • Less frequent standing meeting for entire team, use secreview slots if we have something to talk about
    • Problematic if remoties have enough notice; makes remoties lonely
  • More frequent standing meeting for subteams (Firefox security, web app security, etc)
    • So we can have more in-depth discussions
• Java
  • https://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/
  • Click-to-play won't be ready until Firefox ~18. We just shipped Firefox 15, so our main knob is "soft-block" (disable the plugin for all users, but allow users to re-enable it).
  • Let us[?] know if you know how widespread attacks are, when Oracle will ship a fix, or other relevant info.
  • http://www.reddit.com/r/technology/comments/yyiu7/disable_java_now_users_told_as_0day_exploit_hits/
    • Some redditors are posting instructions for turning on the not-so-great hidden prefs for click-to-play in Firefox 15.
  • mcoates is in discussion with firefox decision-makers (asa, etc). imelven, abillings are involved too.
  • Can we at least get http://www.mozilla.org/en-US/plugincheck/ to not just say "you're up to date"? [yvan filing...
• Upcoming travel
  • Monday is a US holiday (Labor Day)
  • mcoates in ireland next week at AppSecIreland
• decoder's talk at usenix: http://www.youtube.com/watch?v=mCIog3FaGco
  • yay
• Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q3+Goals

Security Review Status (koenig)

• Completed in Q2 2012: 43 (<-- Q2?)
• Number of Reviews Completed (so far this quarter): 23(16)

https://bugzilla.mozilla.org/buglist.cgi?list_id=4199053;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-06-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org

• Number of Outstanding Reviews: 164(160)

https://bugzilla.mozilla.org/buglist.cgi?list_id=4199057;chfieldto=Now;chfield=bug_status;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request

• sec-review? (not in Security Assurance) 102
• https://bugzilla.mozilla.org/buglist.cgi?type0-1-0=equals;list_id=4199090;field0-1-0=flagtypes.name;field0-0-0=component;value0-1-0=sec-review%3F;value0-0-0=Security%20Assurance;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;bug_status=RESOLVED;bug_status=VERIFIED;bug_status=CLOSED;type0-0-0=notsubstring;query_format=advanced

Operations Security Update (Joe Stevensen)

Securing all the things.

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

• working on api tests

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

• Much fun has been had fixing an issue in about:reader. (thanks to dveditz, imelven for help with this)
• we've got secreview bugs filed for about:reader and the new updater - scheduling will be dependent on dvetitz's availability
• They're looking at UX options for safe browsing - we like this :)

Sync (Simon Bennetts & Adam Muntner)

Services (Simon Bennetts & Adam Muntner)

Social - Pancake (Mark Goodwin)

• Work underway on French Toast (pancake v2, if you like).
  • UI experiments mostly taking place on Android, most of the backend work is a continuation of the existing software.

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• [decoder] ParallelArray implementation has landed on mozilla-central and introduced several security-sensitive bugs. Working on improving the communication chain here to get more testing before landing such things.
• [decoder & gkw] IonMonkey stabilizing on all platforms, down to 20 fuzz bugs (some of them stale and need manual retesting due to ARM platform involved).

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

• [decoder & gkw] JSBugMon can now automatically bisect JS bugs in bugzilla in conjunction with autoBisectJs

Web Developer Tools (Mark Goodwin)

• Devtools work week planned for late september
• Nothing to report

Networking (Christoph Diehl)

• Release of Faulty the IPC fuzzer: http://people.mozilla.com/~cdiehl/faulty/ - further ideas are welcome. Original bug: https://bugzilla.mozilla.org/show_bug.cgi?id=516716

Graphics / Codecs (Christoph Diehl) =

• No real update - working on Q3 goals.

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

• No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()