SecurityEngineering/MeetingNotes/08-01-13

From MozillaWiki
Jump to: navigation, search

Agenda 08-01-13

  • Q3 Goals Recap
  • Upcoming PTO/Travel (if you're traveling or OOO, let us know!)

https://l33t.etherpad.mozilla.org/travel

    • mmc will make a zimbra calendar, maybe it will suck less
  • 3rd party cookie exception for persona - https://github.com/mozilla/browserid/issues/3520
    • does it work for "from visited"? Yes; you only need to add an exception if you disable third party cookies completely.
  • Side-Installed AddOns. Should we disable and prompt at each release?
  • Tools for distributed teamwork
  • Reanimating the working session -- good place to do group reviews or peer programming?
    • During the working session, everyone picks one patch to review from the review list below.
    • Be nice :) Be explicit about feedback. What just needs more comments/info. Ask why a certain strategy was decided instead of saying it needs to be changed to a different strategy without fully understanding the background. Don't extend the scope... if you want more things than what's in the bug, file a separate bug for it.

Reviews

(copy and paste link)

  • Let's help each other out!

https://bugzilla.mozilla.org/buglist.cgi?f1=flagtypes.name&o1=equals&resolution=---&query_format=advanced&v1=review%3F&emailtype1=regexp&emailassigned_to1=1&email1=briansmith%7Cmeshekah%7Calagenchev%7Cddahl%7Cdkeeler%7Csstamm%7Cgrobinson%7Ckwilson%7Cmmc%7Ctvyas%7Ccviecco%7Ckerschbaumer

Q3 Goals

  • [ON TRACK] Finish first phase of Sandboxing
    • Outcome: seccomp in e10s/Larch or on nightly + clear roadmap
    • DRI: Sid
    • Tasks:
      • Consult : E10S contributions to make it reasonably usable in nightly. (without extensions/plugins)
      • Implement : [NEW] Fix window.crypto to work in E10S
      • Implement : [NEW] Fix CSP tests to work in E10S
      • Implement : [NEW] land seccomp for Linux (min bar for sandboxing)
      • Research : [NEW] Prioritize secomp tightening steps, begin executing it
      • Research : [NEW] Create story/plan for addon compatibility
  • [ON TRACK] Cookie Clearinghouse
    • Outcome: Identify feasibility and nail down spec
    • DRI: Monica
    • Tasks:
      • Implement : [NEW] spec out and make go/nogo decision on implementation
      • Consult : [NEW] drive Stanford effort to stable spec
  • [ON TRACK] Implement alternative revocation checking mechanisms
    • Outcome: must-staple + pinning + insanity on by default in nightly
    • DRI: Camilo
    • Tasks:
      • Implement : [AT RISK] Enable insanity::pkix validation by default on nightly
      • Implement : [NEW] Land key pinning
      • Implement : [NEW] Land must-staple support
  • [ON TRACK] SafeBrowsing 2.0
    • Outcome: App reputation whitelist on by default in nightly
    • DRI: Monica
    • Tasks:
      • Implement : [NEW] Land app reputation system with whitelist support
      • Implement : [NEW] Switch SafeBrowsing to use HTTPS