Standing Agenda

• Q3 Goals Recap ( https://wiki.mozilla.org/SecurityEngineering/2013/Q3Goals#Q3_Goals )
• Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
• Detailed discussion of features or outstanding issues as time permits
• Additional Items
• Upcoming events, OOO/travel, etc.
• Planning for next meeting (chair selection, etc)

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/2013-10-24

Q4 Goals:

• Sandboxing
  • Outcome: Next set of steps towards a exploit-containing platform.
  • DRI: sid (+keeler +christoph)
  • Tasks:
    • [NEW] Implement: Chromium-sandbox: make it possible to compile and activate on mozilla-central - (keeler + bbondy)
    • [NEW] Implement: b2g/e10s security feature tests: Get CSP tests passing in e10s with help from overholt on platform team (garrett + sid + mwobensmith)
• Roadmaps
  • Outcome: More visibility and aim for our team's projects.
  • DRI: monica (+sid +garrett +cviecco +briansmith)
  • Tasks:
    • [NEW] Consult: security roadmap update (sid + briansmith + product teams)
    • [NEW] Consult: privacy roadmap update (monica + sid + product teams)
    • [NEW] Consult: anonymity (tor) roadmap update (sid + mikeperry)
• NetSec
  • Outcome: Massive improvement in channel security for SSL sites that want protection from decryption.
  • DRI: briansmith (+cviecco)
  • Tasks:
    • [NEW] Land Insanity::PKIX - bug 878932 (briansmith + cviecco)
    • [NEW] Implement: TLS 1.2 enabled on nightly requires server intolerance + telemetry (cviecco + briansmith)
• Mixed Content wrap up
  • Outcome: Mixed script is blocked widely on the web in a stable way (and has no more urgent follow-ups.)
  • DRI: christoph (+tanvi)
  • Tasks:
    • [ON TRACK] Implement: redirect bug - bug 418354 (starting)
    • [DONE] Implement: don't show mixed content on http pages - bug 909920 (may require content policy api changes) (under review)
    • [ON TRACK] Implement: missing notification - bug 915951 (in progress)
    • [ON TRACK] Implement: persistency for child tabs - bug 906190 (under review)
• CSP
  • Outcome: Wider adoption of CSP when Firefox supports these features (and beginning of CSP v1.1)
  • DRI: garrett (+sid)
  • Tasks:
    • [ON TRACK] Implement: script nonce landed behind a pref. bug 855326 (garrett + sid)
    • [ON TRACK] Implement: script hash landed behind a pref. bug 883975 (garrett + sid)
    • [DONE] Evaluate: profile CSP on desktop and B2G to develop a plan to optimize CSP by rewriting in C++ or otherwise (https://bugzilla.mozilla.org/show_bug.cgi?id=924337#c26) [garrett + christoph] (FAST PATH PROOF: bug 927493)

Agenda 31-Oct-2013 ☠

CHAIR: KEELER

• What can we adopt in https://wiki.mozilla.org/SecurityEngineering/CodeReviewGuidelines ?
  • JST lint: http://www.johnkeiser.com/cgi-bin/jst-review-cgi.pl
  • Developer productivity etherpad: https://etherpad.mozilla.org/kHpv9jvGMj
  • Bootcamp etherpad: https://etherpad.mozilla.org/mozbootcamp - Would be great for engineering new hires
• We could use some liason or assistance from other teams, especially front-end. This will help us with patches in the other bits of FIrefox. Or we could choose someone from our team to become more of an expert in this area (via training and perhaps a firefox workweek), so that we have someone to go to on bugs where we get stuck and aren't getting responses.
  • Volunteers for becoming the resident front-end Firefox expert? [ put your name here ]
  • Approach members of teams from which you'll need help -- early on before you get deep into a project. Try to bring them with you to fix the bug or design the feature.
• (FYI) Mike from Tor can use Try now to test the browser bundle!
• Next meeting 7-Nov-2013?
  • CHAIR: Christoph
  • https://wiki.mozilla.org/SecurityEngineering#Who_is_involved

Action Items:

• Monica: test out jst lint and see how it does
• Everyone: look at the etherpads for code guidelines (above) and have an opinion ready for next week.