Security/Meetings/SecurityAssurance/2013-03-19

From MozillaWiki


  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • gsoc - https://etherpad.mozilla.org/assurance-gsoc
  • goals - update them!
  • team meeting - will have time for google/facebook meetup
    • also Jesse, Curtis to coordinate fuzzing meetup
  • Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdEI4SlE0eGRWdkN5bXBpbV8wcjNzNUE
  • Metrics
    • https://security-review-statistics.vcap.mozillalabs.com/
    • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
      • fbraun and paul are top closers \o/
      • marking bugs verified - should be done when all dependent bugs from a review are resolved
        • [Jesse] I'd prefer if we requested a Bugzilla feature for 'search for bugs that have no open dependencies' rather than manually marking bugs as verified.
        • [yvan] But we sometimes want to mark the security review bugs as 'verified' when all dependencies are fixed
        • [Jesse] I'm totally confused. And why do we care about the status of the security review metabugs anyway? We should just mark the individual bugs as sec-low or sec-want, and track them independently of what metabugs they block.
        • [freddyb] I said that I mark them as resolved/fixed once *my* work is done and check the blockers and mark them as verified fixed once patched.
        • [yvan] _______ ??
        • [curtisk] Let's discuss this more at the meetup. I'll add it to the agenda.
  • AMA - r/netsec requested an AMA, will be on March 27th
    • When you 'do an AMA' for a subreddit like r/netsec, does it get crossposted to r/IAmA or what?
      • It will be posted in r/netsec, and cross-posted to r/IAmA (along with hacker news, the mozilla security blog, etc)
    • https://etherpad.mozilla.org/security-ama
    • [Jesse] March 27 is also the day of a major asm.js announcement :/
      • We might get some questions about asm.js
        • [yvan] I can add a link to another reddit article
      • Some people (especially the PR team) might be too distracted to help us
        • [yvan] I can circulate PR tips before our AMA
    • You really want to be listed, so you can (1) not be rate-limited in commenting and (2) get flair ('Mozilla' or 'Firefox' plus your listed role)
    • [jesse, freddyb] Let's prepare canned responses rather than having a huge first post. More interactive and easier to get into the questions.

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

  • Maybe mgoodwin @ Sheffield Hallam on why things like Persona are a good idea
  • psiinon might be talking about ZAP in Venezuela (remotely) on Friday (having failed to connect to Chile today;)
  • freddyb at hackinparis, June 21 https://www.hackinparis.com/schedule

Planned Blog Posts

Security Review Status (curtisk)

  • Completed in Q4 2012: 50

https://security-review-statistics.vcap.mozillalabs.com/weekly < 61 completed!!!

    • without deadline fixed

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

  • Devtools work week last week. Lots of very awesome stuff - see Paul Rouget's summary here: http://paulrouget.com/e/devtoolsnext/ - more details available (speak to me if you're interested)

Firefox Mobile

Firefox OS

  • [gkw] pandaboards are somewhat unreliable. Certain chassis connection issues have been fixed, infrastructure is beginning to stabilise

Firefox Core

  • [decoder] OdinMonkey landed on mozilla-central, still testing it
  • [gkw,decoder] BaselineCompiler testing still going on
  • [gkw,decoder] Special fuzzing requested for bug 849014 and bug 850070

MarketPlace

Web Apps

Services

Operation Security