Security/Meetings/SecurityAssurance/2013-03-19
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- gsoc - https://etherpad.mozilla.org/assurance-gsoc
- goals - update them!
- team meeting - will have time for google/facebook meetup
- also Jesse, Curtis to coordinate fuzzing meetup
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdEI4SlE0eGRWdkN5bXBpbV8wcjNzNUE
- Metrics
- https://security-review-statistics.vcap.mozillalabs.com/
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
- fbraun and paul are top closers \o/
- marking bugs verified - should be done when all dependent bugs from a review are resolved
- [Jesse] I'd prefer if we requested a Bugzilla feature for 'search for bugs that have no open dependencies' rather than manually marking bugs as verified.
- [yvan] But we sometimes want to mark the security review bugs as 'verified' when all dependencies are fixed
- [Jesse] I'm totally confused. And why do we care about the status of the security review metabugs anyway? We should just mark the individual bugs as sec-low or sec-want, and track them independently of what metabugs they block.
- [freddyb] I said that I mark them as resolved/fixed once *my* work is done and check the blockers and mark them as verified fixed once patched.
- [yvan] _______ ??
- [curtisk] Let's discuss this more at the meetup. I'll add it to the agenda.
- AMA - r/netsec requested an AMA, will be on March 27th
- When you 'do an AMA' for a subreddit like r/netsec, does it get crossposted to r/IAmA or what?
- It will be posted in r/netsec, and cross-posted to r/IAmA (along with hacker news, the mozilla security blog, etc)
- https://etherpad.mozilla.org/security-ama
- [Jesse] March 27 is also the day of a major asm.js announcement :/
- We might get some questions about asm.js
- [yvan] I can add a link to another reddit article
- Some people (especially the PR team) might be too distracted to help us
- [yvan] I can circulate PR tips before our AMA
- You really want to be listed, so you can (1) not be rate-limited in commenting and (2) get flair ('Mozilla' or 'Firefox' plus your listed role)
- [jesse, freddyb] Let's prepare canned responses rather than having a huge first post. More interactive and easier to get into the questions.
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- Maybe mgoodwin @ Sheffield Hallam on why things like Persona are a good idea
- psiinon might be talking about ZAP in Venezuela (remotely) on Friday (having failed to connect to Chile today;)
- freddyb at hackinparis, June 21 https://www.hackinparis.com/schedule
Planned Blog Posts
Security Review Status (curtisk)
- Completed in Q4 2012: 50
https://security-review-statistics.vcap.mozillalabs.com/weekly < 61 completed!!!
- without deadline fixed
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
- Devtools work week last week. Lots of very awesome stuff - see Paul Rouget's summary here: http://paulrouget.com/e/devtoolsnext/ - more details available (speak to me if you're interested)
Firefox Mobile
Firefox OS
- [gkw] pandaboards are somewhat unreliable. Certain chassis connection issues have been fixed, infrastructure is beginning to stabilise
Firefox Core
- [decoder] OdinMonkey landed on mozilla-central, still testing it
- [gkw,decoder] BaselineCompiler testing still going on
- [gkw,decoder] Special fuzzing requested for bug 849014 and bug 850070