SecurityEngineering/MeetingNotes/08-01-13
From MozillaWiki
Agenda 08-01-13
- Q3 Goals Recap
- Upcoming PTO/Travel (if you're traveling or OOO, let us know!)
https://l33t.etherpad.mozilla.org/travel
- mmc will make a zimbra calendar, maybe it will suck less
- 3rd party cookie exception for persona - https://github.com/mozilla/browserid/issues/3520
- Does it work with the "From visited" third-party cookie setting? Yes; an exception is only needed if third-party cookies are disabled completely.
- Side-installed add-ons: should we disable them and prompt the user at each release?
- Tools for distributed teamwork
- http://oduinn.com/images/2013/WeAreAllRemoties-Haas-feb2013.pdf (warning: large file)
- https://floobits.com/ ? nxclient/server?
- Reviving the working session -- a good place for group reviews or pair programming?
- During the working session, everyone picks one patch to review from the review list below.
- Be nice :) Be explicit about feedback: say what just needs more comments or info. Ask why a certain strategy was chosen instead of saying it needs to be changed to a different one without fully understanding the background. Don't extend the scope; if you want more than what's in the bug, file a separate bug for it.
Reviews
- Does this belong on the intranet wiki? https://intranet.mozilla.org/SecurityTeam or public?
(copy and paste link)
- Let's help each other out!
- If you are working on a bug and it's not assigned to you in Bugzilla, please take it.
- Quicksearch for bugs assigned to us with pending feedback or review flag:
- search string = assign:ddahl,kwilson,briansmith,sstamm,mmc,dkeeler,tanvi,cviecco,grobinson review? OR feedback?
- Link: https://bugzilla.mozilla.org/buglist.cgi?cmdtype=runnamed&namedcmd=seceng%20waiting%20for%20reviews (if the link fails, you first have to find and add the search via "shared searches" in Bugzilla's "preferences", then try again).
Q3 Goals
- [ON TRACK] Finish first phase of Sandboxing
- Outcome: seccomp in e10s/Larch or on nightly + clear roadmap
- DRI: Sid
- Tasks:
- Consult : contribute to E10S to make it reasonably usable in Nightly (without extensions/plugins).
- Implement : [NEW] Fix window.crypto to work in E10S
- Implement : [NEW] Fix CSP tests to work in E10S
- Implement : [NEW] land seccomp for Linux (min bar for sandboxing)
- Research : [NEW] Prioritize seccomp tightening steps, begin executing them
- Research : [NEW] Create story/plan for addon compatibility
- [ON TRACK] Cookie Clearinghouse
- Outcome: Identify feasibility and nail down spec
- DRI: Monica
- Tasks:
- Implement : [NEW] spec out and make go/nogo decision on implementation
- Consult : [NEW] drive Stanford effort to stable spec
- [ON TRACK] Implement alternative revocation checking mechanisms
- Outcome: must-staple + pinning + insanity on by default in nightly
- DRI: Camilo
- Tasks:
- Implement : [AT RISK] Enable insanity::pkix validation by default on nightly
- Implement : [NEW] Land key pinning
- Implement : [NEW] Land must-staple support
- [ON TRACK] SafeBrowsing 2.0
- Outcome: App reputation whitelist on by default in nightly
- DRI: Monica
- Tasks:
- Implement : [NEW] Land app reputation system with whitelist support
- Implement : [NEW] Switch SafeBrowsing to use HTTPS