Security/Meetings/SecurityAssurance/2012-09-11

From MozillaWiki
Jump to: navigation, search


« previous week | index | next week »
  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • [Michael] Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q3+Goals
  • Code coverage
    • [decoder] Let's focus on files that have had recent security patches
      • [decoder] Should “this file is poorly covered” bugs be security-sensitive?
        • [jesse] Public. +1
    • [jesse] Also good are tests that help the fuzzer (reftests, crashtests, property_database.js)
  • [Curtis] Privacy Reviews
    • I had assumed that as we do a secreview, we should be doing a privacy

review - is this the case?

    • yes, but in some cases an explicit privacy review might be required to support other efforts. Examples include technical privacy reviews that we do to support reviews by the legal team.
    • Current reviews and process https://wiki.mozilla.org/Privacy/Reviews
  • [Jesse] Meeting with Coverity next week
    • Coverity is a static analysis tool for c++ and java; and they want to meet with us.
    • adamm already talking to some people from coverity
  • [Tanvi] Firefox Security Roadmap - https://wiki.mozilla.org/Security/Roadmap (and https://wiki.mozilla.org/Privacy/Roadmap if we have time).
  • [pauljt] brown bag security talks
   ** one response! moar!!!!
   ** old brown bags - https://wiki.mozilla.org/WebAppSec#Presentations
  • [yvan] Security Conference in 2013
  • [yvan] policy for review scheduling/prioritization
- https://people.mozilla.com/~ckoenig/ <-- prioritization tool

Coverity-interested people: Jesse, abillings, dveditz, yvan, adamm, pauljt, reed

Security Review Status (koenig)

  • Completed in Q2 2012:
  • Number of Reviews Completed (so far this quarter):36(26)

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-06-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org;list_id=4355971

  • Number of Outstanding Reviews: 158(167)

https://bugzilla.mozilla.org/buglist.cgi?chfieldto=Now;chfield=bug_status;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;list_id=4355973

Operations Security Update (Joe Stevensen)

none today. all systems nominal.  :-)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

[cdiehl] Fixed bootstrap-mac.sh - patching/building GCC 4.6 on MacOS 10.8 runs now nicely. [dchan] Will send out e-mail regarding b2g desktop testing. There are slight differences between b2g desktop and b2g emulator that complicate the tests [dchan] working test code

  • prompting on b2g emulator
  • installing/uninstalling apps with different apptypes, though retrieving the apptype is failing
  • adding / removing permissions

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

  • Mobile is challenging at the moment
    • We've had (another) feature fly in under the radar (kind of) <-- which one
    • Currently in discussions with mfinkle about avoiding repeats
    • Any advice gladly received
  • Upcoming secreviews:
    • 787483 (arm6)
    • 785077 (reader mode)
    • 785080 (new updater)

Sync (Simon Bennetts & Adam Muntner)

Services (Simon Bennetts & Adam Muntner)

Social - Pancake (Mark Goodwin)

  • No update

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • IonMonkey landed on mozilla-central this morning!
  • [decoder] Testing range analysis patch for IonMonkey by mjrosenb

DOM, XPConnect (Jesse Ruderman)

  • [Jesse] Improved how ASan calls atos (faster stack traces on Mac)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • No update

Web Developer Tools (Mark Goodwin)

  • New feature for review soon: HTML Tree editor (similar to the old one!) 787481

Networking (Christoph Diehl)

  • No update

Graphics (Christoph Diehl) =

  • Added publisher for B2G emulator
  • Added H264, AAC, MP3 pits for B2G

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID (yvan)

  • 3rd party review complete
  • beta for new persona site coming up

Identity Services (David Chan)

  • No update

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

  • No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Meetings/SecurityAssurance/2012-09-11&oldid=469843"