Security/Meetings/SecurityAssurance/2012-09-18
From MozillaWiki
- Time: Weekly, Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [Jesse] Meeting with Coverity tomorrow: 1pm Mountain View 3A
  - [yvan] Goals for meeting should be: get continuously up-to-date scans (which might require us uploading instrumented builds daily), a few new logins, and someone on our side who will look at the scan results.
  - [dveditz] My old login works! But the current scan is a year old.
  - [dveditz, choller] Let's start with specific warning types (rather than specific areas of the code)
- [Jesse] I have some tweets for @mozsec! Tweet away!
  - https://bugzilla.mozilla.org/show_bug.cgi?id=62178
    - security.mixed_content.block_active_content, security.mixed_content.block_display_content
      - Currently a silent block
      - We still need to work on UI for each kind of block, and then block active content by default.
  - enablePrivilege removal - link to mrbkap's posts?
    - https://blog.mozilla.org/mrbkap/2012/09/12/security-checks-and-enableprivilege-in-gecko-part-1/
    - https://bugzilla.mozilla.org/show_bug.cgi?id=546848
    - Let's wait for the "what web sites should do now" parts 3 and 4 before tweeting
  - UserCSP
    - https://bugzilla.mozilla.org/show_bug.cgi?id=62178
- [gkw] Ideas for MozCamp Asia
  - asan / valgrind / fuzzing ionmonkey
  - Who else wants to go to MozCamp Asia? Yvan, Paul, Curtis, michal`, mgoodwin
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q3+Goals
- [yvan] Security Deputies
  - who will help: mgoodwin, psiinon, curtis
Security Review Status (koenig)
- Completed in Q3 2012:
  - Number of Reviews Completed (so far this quarter): 51 (36)
  - Number of Outstanding Reviews: 144 (158)
Operations Security Update (Joe Stevensen)
No Update
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed.
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- Testing is progressing. We are almost ready to write the DOM access tests.
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
- Secreview on Monday for the new updater
Sync (Simon Bennetts & Adam Muntner)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
- No update
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- IonMonkey landed \o/
- [decoder] Fuzzing with --no-ti on x86/ARM to somewhat resemble ARMv6 configuration
- [gkw] jsfunfuzz already randomly chooses to fuzz w/ --no-ti
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
Web Developer Tools (Mark Goodwin)
- Secreview soon for HTML Tree Editor (need to schedule)
- Have been having fun hacking on CSP bits
Networking (Christoph Diehl)
- Fuzzing WebRTC - https://bugzilla.mozilla.org/show_bug.cgi?id=fuzzing-webrtc
Graphics (Christoph Diehl)
- No update
Networking (Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No updates
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune)
AddressSanitizer (Christian Holler)
- `make check` now green on try
  - \o/
- Remaining mochitest-1 blocker patch reviewed, landing soon
- Remaining defects (orange) filed and waiting for fixes