Security/Meetings/SecurityAssurance/2012-12-18
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
- We spent most of the meeting discussing where we are on Q4 goals
- Lots of green :)
- 2013 Responsibility Areas
- Dan continues "owning" Firefox (Desktop and Mobile)
- yvan - sites and services
- joes - opsec (secure all the things!)
- Firefox OS is currently unowned until we hire someone? pauljt and dchan have been working on it but there isn't a single person through which communication can flow(?)
- [curtisk] Draft blog post about security engagement - https://etherpad.mozilla.org/lnEF8AkO9g
- [curtisk] communications plan
- [sarentz] Minion 0.1 Release. Please give either the VM https://github.com/ygjb/minion/wiki/Minion-0.1-VM-Release or the site https://50.56.178.103 a try
- [yboily] Mentorships
- [rforbes] HSM Usage for key storage - https://etherpad.mozilla.org/hsm
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
- Stale bugs: https://bugzilla.mozilla.org/buglist.cgi?type1-0-0=lessthan;list_id=5237360;type3-0-0=substring;field0-0-0=flagtypes.name;value3-0-0=pending;value2-0-0=triage;field2-0-0=status_whiteboard;resolution=---;query_based_on=Stale;field3-0-0=status_whiteboard;type2-0-0=notsubstring;query_format=advanced;value1-0-0=2w;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=READY;bug_status=ASSIGNED;bug_status=REOPENED;type0-0-0=notsubstring;value0-0-0=needinfo;component=Security%20Assurance%3A%20Review%20Request;field1-0-0=delta_ts
Actions
- [curtisk] tag to mark stuff for long term waiting
Upcoming Speaking Engagements
- (Who) : Date: Name of Event : Talk Title: Link
- Simon Bennetts : Feb 2-3 : FOSDEM : Talking about ZAP :)
- Raymond Forbes : Feb 27 - March 2 : Nullcon
Security Review Status (curtisk)
Chart View:
- Completed in Q4 2012: (Q3=56)
- Number of Reviews Completed (so far this quarter): 48 (47)
- Number of Outstanding Reviews: 132 (132)
- Number of Reviews Ready For Review: 75 (73)
- Number of reviews without risk rating: 30 (51) <UPDATED QUERY: removes items marked needinfo?>
- Number of reviews without deadline set: 95 (122) <UPDATED QUERY: removes items marked needinfo?>
- Find Yours:
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- updating tests for b2g changes
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
Sync (Simon Bennetts)
- No update
Services (Simon Bennetts & Adam Muntner)
- No update
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- Bug 822385: Add getters/setters/methods with jitinfo to the shell
- Will make it possible to reproduce certain browser-only issues in the shell too (e.g. for fuzzing)
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- No update
Web Developer Tools (Mark Goodwin)
Networking (Christoph Diehl)
- Bug 820990 is blocking SDP fuzzing
Media / Graphics (Christoph Diehl)
- Looking into cache.manifest
- Looking into JAR
Peach (Christoph Diehl / Raymond Forbes)
- Working on FruitFarm
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune) ()
AddressSanitizer (Christian Holler)
- No update