From Fedora Project Wiki

Fedora Project Board Meeting :: Tuesday 2008-09-09

Roll Call

Attendees: Everyone on #fedora-board-meeting

Codecs (2008-05-13)

  • Need to restart discussion on fedora-advisory-board redhat com to get plans in place at the start of F10
  • Chris Aillon to make contact with Bastien Nocera to find out what current plans are
  • Waiting on bug 438225 to proceed
    • this change will enable auto-provide for codec information
    • For Fedora 10, remove Codeina and use the distribution's built-in mechanism to install packages (if bug 438225 is implemented)
    • For Fluendo to continue to provide codecs to Fedora they will need to provide them as packages in a yum repo
    • This errs on the side of more "free-ish" software


  1. ACTION :: Paul - request feature page from developer
  2. FESCo should track bug 438225 since this falls into their mandate
  • FOLLOWUP (2008-08-05):
    • Feature page still in the works and FESCo is tracking bug 438225
  • FOLLOWUP (2008-09-09):
    • Paul Frields has pinged the RPM dev team again about that feature page, but is having difficulty reaching them
    • Panu has said that he will handle bug 438225

Trademark Guidelines (2008-07-01)

  • Board would like to help guide the process of expanding the use of the Fedora trademark
  • Helpful to brainstorm by thinking of Fedora trademark usage in four ways:
  1. Things the board wants Fedora to be able to do with the trademark
  2. Things the board wants the Fedora community to be able to freely do with trademark
  3. Things the board wants other people to reasonably be expected to be able to do, but ask the Fedora Board first
  4. Things that the board never wants people to use the Fedora trademark for
  • OWNER: Paul Frields
    1. circulate ideas and foster discussion on list
    2. return feedback to the board for discussion on: 2008-08-05
    3. Latest updates: User:Pfrields/NewTrademarkGuidelines (see also discussion tab)
  • FOLLOW-UP (2008-08-05):
    • Board definitely wants a Fedora trademark of some sort for spins and other uses--derivative works
    • Still unsure on how best to proceed on issues related to:
      1. official spins
      2. unofficial spins
      3. branded USB keys
      4. OEM pre-loads
      5. Fedora business cards
      6. Fedora apparel and conference materials (see section on Non-software goods)
    • Everyone should add uncovered use cases to wiki page (see above) ASAP
    • Paul Frields will be working with Red Hat Legal starting this week to move the process forward
  • FOLLOW-UP (2008-09-09):
    • RH Legal is reviewing them, and the newest state of that page incorporates their most recent review
    • Paul Frields would really like to have that wrapped up by the end of the month if at all possible
    • Related discussion about SELinux being required for spins
      • This should not block or impact trademark work
      • Will add a section to the trademark guidelines stating that usage is "pursuant to other technical requirements", to encompass issues like SELinux
    • ACTIONS:
      1. Continue discussion about SELinux on list
      2. Release Engineering and Spins SIG should draw up minimum technical requirements to use the Fedora name

Board Questions & Answers

  • Topics covered included:
    • Infrastructure intrusion
    • Creating a response plan
    • SELinux, custom Spins, and trademark usage
    • Infrastructure secured
  • See transcript (below) for details

IRC Transcript

The public discussion IRC log is at Meeting:Board_Public_IRC_log_20080909.

stickster <meeting> 11:02
spoleeba here 11:02
stickster The Secretary should be arriving in a moment :-) 11:03
spoleeba stickster, stalin? 11:03
quaid hey kids 11:03
stickster Hi everybody. Max is moderating in #fedora-board-public, and I think we have a couple short agenda items to get out of the way 11:04
* stickster gives mic to poelcat 11:04
poelcat first followup item is: Board/Meetings/2008-08-05#Codecs_.282008-05-13.29 11:05
poelcat fesco meets tomorrow so if a feature page is coming it needs to be submitted ASAP 11:05
mdomsch everyone see 11:06
mdomsch ? 11:06
mdomsch that's why I love transparency and meeting minutes 11:06
skvidal mdomsch: yah - I read it 11:06
quaid OMGCRISIS! 11:06
spot does the Flash have to die this time? 11:06
stickster poelcat: I've pinged the RPM dev team again about that feature page. 11:07
f13 sorry I'm late, turns out 'cheese' will crash your system if you try to take a video. 11:07
stickster poelcat: At worst, this may fit into the overall 'new RPM 4.6' feature category 11:07
stickster And we could call out specific new RPM features as desired 11:07
spoleeba f13, oh thats a new feature 11:08
stickster Maybe we should call that one out too? 11:08
spoleeba mdomsch, do i really have to read it? 11:08
mdomsch spoleeba, you can surmise from the title 11:08
stickster poelcat: I believe that Panu's on travel today but I've also emailed jnovy and ffesti 11:09
stickster Panu's said that he will have this in by the final dev freeze. 11:09
spoleeba mdomsch, i do love how he surmises how i feel about the situation as a Board member 11:09
* stickster not ignoring the conversation thread on the Byfield article, just trying to get through the agenda 11:10
poelcat anything else to note on the "codecs" topic? 11:10
mdomsch stickster, agenda++ 11:10
quaid mdomsch: your fault! :D 11:11
stickster Oh, hang on -- 11:11
f13 'by the final dev freeze' seems rather late if we need to do something on top of this feature in other packages. 11:11
stickster Yeah, that's why I've sent a couple emails about it. 11:12
stickster The most recent one was yesterday. 11:12
stickster I checked the RPM git repos and didn't see the proposed patch in there. 11:12
f13 hrm. 11:14
spot do we need to say anything else about this or can we move on? 11:15
stickster I invited jnovy to talk about it, but let's move on for now. 11:15
stickster poelcat: next 11:15
poelcat progress on update to trademark usage guidelines 11:16
stickster Ah 11:16
stickster User:Pfrields/NewTrademarkGuidelines 11:16
stickster I've been actively working on them, through last week and up until yesterday 11:16
stickster RH Legal is reviewing them, and the newest state of that page incorporates their most recent review. 11:16
stickster So, progressing. 11:16
poelcat ref: Board/Meetings/2008-08-05#Trademark_Guidelines_.282008-07-01.29 11:17
stickster I'd really like to have that wrapped up by the end of the month if at all possible. 11:17
stickster (preferably sooner) 11:17
spoleeba stickster, uhm... there needs to be a decision about whether trademark usage is going to require technical specifics 11:17
mdomsch stickster, "not disparaging to Red Hat or the Fedora Project" 11:18
mdomsch to what extent? 11:18
mdomsch presumably the board would have to enforce 11:18
stickster spoleeba: we can add a statement that says usage is pursuant to separate technical requirements 11:18
* mdomsch is not in favor of requiring selinux 11:19
stickster spoleeba: Please use the "discussion" tab and enter your comments there 11:19
spoleeba stickster, i dont have a problem with it as it stands..... there are others 11:19
ctyler stickster: I have at least one more use case for you, too 11:19
stickster spoleeba: They're free to do the same :-) 11:19
stickster spoleeba: I've invited the community repeatedly to help with use cases, etc. 11:20
spoleeba stickster, here's my point.. i dont think we can "wrap this up in a month" considering what we just had a discussion in fab 11:20
stickster Many have already, including Jeroen, BKearney, Max, others... 11:20
* stickster continues to happily accept more input 11:20
mdomsch EOM is a decent goal though 11:21
quaid +1 to pursuant to other technical requirements 11:21
quaid then we can update that list on going without jiggling the trademark rules with details it don't need 11:22
stickster quaid: Right. 11:22
stickster Legal documents and technical requirements are two different kettles of fish. 11:22
quaid thus, eomonth can work 11:22
stickster buckets of meat? 11:22
quaid eww^2 11:22
stickster baskets of asparagus 11:23
f13 mdomsch: I'm also not really in favor of seeing something out there under the Fedora name that /doesn't/ ship with selinux 11:23
spoleeba stickster, we must decide if the Board is going to continue to be one of the groups who gets to decide on technical requirements or not 11:23
stickster (for the veggiesauri) 11:23
spot i think i dated that once in college. 11:23
f13 mdomsch: under the full Fedora name, not a 'based on Fedora' or 'built on Fedora' name 11:23
quaid at least Kettle of Fish was a decent dive bar in Greenwich Village 11:23
* f13 loads the wiki page to comment 11:23
quaid +1 to continuing the SELinux et al discussion on f-a-b, as part of the technical kettle 11:23
spoleeba stickster, i have no problem with a moving target for technical requirements..but as the trademark policy stands as drafted the Board isnt going to be building those roadblocks 11:24
spoleeba stickster, and if the Board shouldnt be doing it..then we should firmly state who should be doing it 11:24
* spot coughs *rel-eng* 11:24
quaid spoleeba: explain "isn't going" 11:24
spot sorry. something stuck in my throat. 11:24
stickster spoleeba: The page indicates that the trademark owner always retains rights to the TMs, and the Board is always responsible for enforcing compliance. 11:25
f13 erm, I thought the point of the new policy was that /nobody/ had to review it, there was no blocker 11:25
spoleeba stickster, enforcing compliance.. and defining the technical hurdles are not the same 11:25
stickster RelEng has the Spins group tapped to create the technical requirements 11:25
spoleeba f13, that was what i thought as well 11:25
stickster f13: Correct? 11:25
f13 stickster: those are for things that Fedora as a project puts out for users to consume 11:26
mdomsch as long as usage is within the policy, yes, no apriori review 11:26
f13 stickster: but I thought under the new guidelines, anybody could make whatever they want, as long as it adheres to the guidelines and publish it as "Fedora" 11:26
f13 ergo there is no chance for somebody like releng to vet it for technical items 11:26
notting well, was aos being reviewed under the new or old guidelines? 11:26
f13 therefore, we need to codify technical restrictions into the policy 11:27
spoleeba mdomsch, the question becomes which group is tasked with coming up with the moving target policy 11:27
notting i don't recall saying one way or another that they can't be Fedora if they turned off selinux. i was just curious *why* they were doing it 11:27
spot notting: you should talk to bryan_kearney1 11:28
notting spot: i was the first post on the thread 11:28
mdomsch notting, f13 would like to say "if they turn off selinux, it's not Fedora". I'm not of the same opinion. :-) 11:28
quaid f13: why codify in to the policy? the policy can just state, "follow this moving target over here or don't use the mark" 11:28
f13 mdomsch: to be the top tier trademark, "Fedora", I feel that there should be a bare minimum it meets 11:28
f13 yum, selinux, etc.. 11:29
ctyler f13: that minimum should be coded somewhere else and the policy should point to it 11:29
f13 anything less than that falls to the next tier, Based on Fedora or whatever 11:29
ctyler so the policy doesn't change when the tech does 11:29
f13 ctyler: that's acceptable 11:29
f13 it still has the same net effect though 11:29
spoleeba quaid, I really would like to avoid having the Board be the group which codifies the moving policy... id rather have the Board just enforce it or arbitrate when the group who does deal with the policy gets deadlocked 11:29
f13 policy will change over time 11:29
stickster OK, so far I see a lot of us in essentially violent agreement. 11:30
quaid spoleeba: the Board cannot absolve itself of the responsibility, it can assign it to other people, and I think that chain has clearly been established! 11:31
quaid Board asked Releng, which has asked Spins, right? 11:31
stickster At least as far as decoupling and linking the technical requirements for TM usage. 11:31
quaid yes 11:31
spoleeba quaid, the fab discussion would suggest...otherwise 11:31
quaid spoleeba: don't do that 11:32
quaid spoleeba: just because one is on the Board doesn't mean you cannot be involved in the assigned task 11:32
quaid spoleeba: you saw people speaking as individuals 11:32
spoleeba quaid, but not in the context of the spins sig's communication channel 11:32
quaid for example, I am a bit of an SELinux historian and feel strongly about it, so I spoke up 11:32
spoleeba quaid, my point is... the selinux came part of the Board's step in the process... 11:32
f13 guys 11:33
quaid simply because it hasn't been codified 11:33
quaid by anyone yet 11:33
f13 we're talking about multiple things here 11:33
spot perhaps we should ask the Spins group to provide a list of "suggested minimum technical requirements" for a spin. 11:33
f13 there are the things that Fedora produces itself, which we have a clear path of review for 11:33
spot then we can argue about that ad infinitum 11:33
f13 then there are the things that individuals would be producing, under the name of Fedora 11:33
f13 where there is 0 review path, and 0 proposed review path 11:33
spoleeba quaid, are we always going to see that happen? new policy will come up at the Board step..and then have to be pushed back to the Spin SIG to deal with? 11:33
f13 my only issue is with the latter, not the former. 11:33
f13 spoleeba: my issue doesn't really involve the spin sig 11:34
quaid spoleeba: Spins/Releng needs to show the technical list early enough to the Board to get input, that's all 11:34
f13 because my issue is with the folks that will be producing content outside the spins process 11:34
quaid f13: yes, and that discussion belongs in a thread about what technical requirements we get from Spins/releng; so you can make sure SELinux is on that list with your releng hat, and we can debate in our final vetting at the Board side. 11:35
quaid spot: +1 to asking Spins (+ releng) to come up with the initial technical list 11:35
quaid and yes I think it does need Board vetting. 11:35
quaid otherwise we are passing on accountability that we cannot pass on! 11:35
f13 agreed 11:35
ctyler +1 11:36
spot +1 from me (obviously) 11:36
skvidal +1 11:36
notting +1 11:36
mdomsch +1 11:37
stickster f13: Can you own the task of starting and collecting that discussion? 11:37
stickster we really need to get to the Q&A, guys. 11:38
f13 stickster: yeah, I'll take it. add it to the ever growing list of doom. 11:38
spot the answer to all of the pending questions is: thinly sliced lunch meat 11:39
stickster OK, anything more on this? Let's move on if not 11:39
f13 damnit, now i'm hungry 11:39
* poelcat notes that wraps up previous business 11:39
poelcat back to you stickster 11:39
stickster Q&A time 11:39
stickster spevack: Go! 11:39
stickster :-) 11:40
spevack ok. 11:40
spevack we have a number of questions. 11:40
spevack there are a few about the infrastructure stuff. 11:40
spevack so give me a moment to paste them all in, and then you can sort of answer from different bits 11:40
spevack since there will be some overlap 11:40
spevack the first was from vallor: 11:40
spevack "I'm sure one of the questions on everybody's mind is the status of "Infrastructure" -- and are the rumors true that the bogusly-signed openssh packages were trojaned? (Max edit: we asked for some clarification and the response follows) I'm referring to anything and everything in the incident where systems were compromised -- and if that flows slightly into RHEL space, I think it is only prudent to explain that part of the incident, too." 11:40
spevack 11:41
spevack the second from lwnjake and nirik: 11:41
spevack "also, when might we find out more about exactly what happened to the infrastructure?" 11:41
spevack 11:41
spevack and the third from rdieter: 11:41
spevack "another hard ball, why wasn't the board informed of anything? (afaik, they're as much uninformed as anyone). or so says mr. spoleeba" 11:41
spevack 11:41
spevack that's all the infrastructure questions we have right now. 11:41
f13 I can take the last one 11:41
spevack there's two others on different topics 11:41
* spevack goes silent 11:41
f13 A few board members became aware of what was going on, due to other roles played by those board members. 11:41
f13 Some of these people were Red Hat employees, others were under a Red Hat NDA for various other reasons. 11:42
stickster The Board has no NDAs with Red Hat. 11:42
stickster Sorry, the people on the Board who are volunteers -- 11:42
stickster and have no prior formal relationship with Red Hat -- 11:42
stickster don't have any NDA. 11:43
quaid ! 11:43
f13 when it became apparent that the breakin affected Red Hat itself, and not just Fedora infrastructure, Red Hat asked for no further discussion with anybody else, unless it was approved by the people working the issue 11:43
skvidal stickster: not the ndas would have helped in terms of disclosure... 11:43
f13 my assumption was because we at that time had no idea who had broken in and did not want to divulge any information that would leak to the wrong ears. 11:43
quaid f13: not only fair but smart assumption 11:44
f13 for better or worse, I and the other board members who were "in the know" followed that request and did not further inform any other board members 11:44
f13 people were brought into "the know" based on what we needed from them on individual issues 11:44
spoleeba so how do i feel about being a non-NDA'd Board member... 11:44
mdomsch and even then, the extent of "in the know" varied person-to-person by their duties 11:44
quaid I was personally totally unsurprised that I was kept in the dark nearly the entire time the whole world was. 11:45
stickster As is true of all security investigations, progress reports are somewhat closely contained. 11:45
spoleeba im not signing an NDA just to be on the board 11:45
f13 It's pretty easy to tear this apart post-incident, but in the heat of the moment it did not seem prudent to strain the Fedora/RH relationship by blatantly ignoring requests. 11:45
quaid since I have no role in Fedora or RHT that puts me in touch with infrastructure 11:45
f13 now, had we thought of it, we likely could have gotten approval to inform the full Fedora board of what was going on, and kept them informed. 11:45
quaid I expected that the IT professional colleagues and community members were doing the right thing. 11:46
spot On question 1: No "bogusly-signed" Fedora packages were distributed via any official mechanism. No "bogusly-signed" RHEL packages were distributed via any official mechanism (RHN). 11:46
f13 the question really is "what value would that have added" other than having more people who could not/should not tell anybody else. 11:46
quaid f13: +1 11:46
spoleeba I think we can do a lot just by having a generally useful infrastructure incident plan..with known interaction points with Red Hat 11:46
stickster f13: I did think of it, but it was simply not possible given the sensitivity of the investigation. 11:46
quaid f13: I was happy to not know because it wasn't my job to be in the know. 11:46
f13 stickster: fair point. 11:46
quaid spoleeba: +1 that is a great shakeout from this 11:46
quaid obvious holes in our communication plan, etc. 11:46
quaid but only after the fact 11:47
f13 absolutely 11:47
quaid how do you know is too much or too little for community folks? 11:47
f13 lmacken has agreed to work on an incident response plan 11:47
quaid to be honest 11:47
mdomsch if it had been solely a Fedora thing, we would have treated it differently I'm sure 11:47
quaid if we sent out the same thing each day, it would have been appreciated, aiui 11:47
quaid mdomsch: +1 11:47
stickster And we do have to understand that there are still places where our project touches what is essentially a commercial entity, Red Hat. 11:47
f13 mdomsch: I think so too. Fedora isn't legally responsible to a number of customers (: 11:47
skvidal mdomsch: _maybe_ 11:47
quaid stickster: same is true in other cases 11:47
quaid what if something had happened at a hosting provider that has Fedora boxen? 11:48
skvidal mdomsch: Given what I've understood after the event 11:48
quaid we would have been in the same situation 11:48
stickster Our incident response plan will need to recognize that in some situations there are going to be decision points that lead into Red Hat where we can't dictate how every detail will run 11:48
stickster Although we can set the stage -- 11:48
skvidal I'm not at all clear that we could have announced the status of things if it were purely a fedora intrusion 11:48
skvidal not w/o clearance from red hat legal, at the least 11:48
spoleeba stickster, and in the future.. possibly not Red Hat...if we have donated infrastructure services from other companies 11:48
stickster -- by setting up reasonable expectations internally and externally for how to communicate incidents like this. 11:48
ctyler I don't think anyone really minded being in the dark, but it seemed like a long time to be in the dark, especially with production systems out there 11:48
f13 skvidal: you make a good point, and I think every incident will be different and have slightly different results 11:49
spot ctyler: it takes a LONG time to audit everything in cvs. 11:49
skvidal f13: I think from here on out we can expect a lot more scrutiny in public announcements of anything like this 11:49
skvidal that's just my impression, though 11:49
quaid ctyler: I guess what bothered me during and after was the presumption that Fedora leadership had left community members high and dry in an effort to save RHT's bacon. 11:49
skvidal quaid: we left community members b/c we had no choice in the matter 11:49
skvidal wait 11:49
skvidal I'm wrong 11:49
f13 ctyler: it's pretty hard not to infuse somebody with a false sense of security, while at the same time not infusing them with a false sense of insecurity 11:50
skvidal our choices were 'do not talk about it or be in breach of contract' 11:50
mdomsch quaid, I'm not sure how common that perception i 11:50
mdomsch is 11:50
quaid mdomsch: it's what Byfield's article is around 11:50
mdomsch AFAICT, people "in the know" worked their tails off to protect our end users - our #1 priority 11:50
stickster I tried not to take any presumptions personally. 11:50
quaid total ignorance of IT practice in favor of freaking out about Red Hat. 11:50
ctyler But there's a difference between software that just says "please wait" and software that says "please wait" and has a spinning icon so you know it hasn't crashed 11:50
spevack stickster: there are a number of follow-ups whenever you are all ready for them. 11:51
ctyler we need the spinning icon 11:51
quaid but anyway, that's an old and dull adze. 11:51
spot spevack: okay, lets hear those follow-ups 11:51
quaid ctyler: ok, fair; even daily repeats of previous announcements is better than nothing. 11:51
f13 have we sufficiently hit the first 3 questions? 11:51
spevack i think you have. and the follow-ups will provide more opportunity. 11:51
spot well, i answered Q1. 11:51
skvidal f13: there's still a little un-kicked horse, I'm sure 11:51
spevack so let me paste that all in. 11:51
spevack and then give it back to you guys 11:51
spevack 11:52
spevack 11:52
f13 k 11:52
stickster I think a lot of people were frustrated about the lack of information, or the timing, and I truly sympathize. 11:52
spevack 11:52
spevack vwbusguy: "I'd like to know what security changes in regard to the repos / updates and stuff, if any other than the key change, if it hasn't been discussed yet" 11:52
spevack 11:52
spevack LyosNorezel: "why is RH's blanket restraint order still in effect? the problem's over... no? why not give a detailed explanation?" 11:52
spevack 11:52
spevack vallor: "sounds like they've brought up having an incident response plan -- I guess I have to wonder is there a security group developing such a plan...and should the board security have a private mailing list (ONLY FOR INITIAL SECURITY INCIDENTS), where they can have full disclosure with each other?" (Max edit: it was mentioned already that fedora-board-list @ is private to just the Board.) 11:52
spevack 11:52
spevack go at it 11:52
spot LyosNorezel: the investigation is _still_ ongoing. 11:52
stickster As for #2, it's *not* over. 11:52
skvidal spevack: it's an ongoing investigation - the problem is not resolved 11:52
* quaid votes that stickster give the first set of answers this time 11:52
f13 #1) we've had a number of changes coming up that were unrelated to the break in 11:53
stickster vwbusguy: The changes you're seeing are all happening openly and transparently. 11:53
f13 gpg signing of repodata, a more secure signing server, and better signing practices had all been under discussion before the breakin, and made more important because of the break in 11:53
stickster No one is trying to make changes to Fedora on the sly. Period, full stop. 11:53
* mdomsch is amazed, and proud, that the Fedora Infrastructure team could rebuild _every single box_ in a week, to ensure they were all clean 11:54
spevack stickster: also, nirik has mentioned that he does not feel that his and lwnjake's initial question was addressed. It was (paraphrasing) "when will we find out more about what happened?" 11:54
skvidal mdomsch: I don't think that's really at issue 11:54
f13 vallor: lmacken is part of the Fedora security SIG and he's the primary driver for the incident response plan. 11:54
f13 vallor: the plan will be developed in the open and will be open to comment if you'd like to participate. 11:54
mdomsch skvidal, it was part of the recovery plan 11:54
f13 Unfortunately we'll find out more when ... we find out more. 11:54
stickster vallor: And I think we'd continue to use fedora-board-list for any such conversations, with the understanding -- as always -- that we try and use it as little as possible, and keep discussions open and transparent to the maximum extent. 11:55
skvidal mdomsch: 'recovery plan' might be a bit strong of a statement 11:55
spevack f13: vallor asks me to give you his thanks. 11:55
skvidal mdomsch: I mean the plan was more or less 'pull back nuke everything from orbit' 11:55
f13 the investigation is still ongoing, and while I don't have any knowledge of it, I wouldn't be surprised if there is law enforcement involved somewhere. 11:55
mdomsch granted 11:55
skvidal mdomsch: we opted to scorch the earth rather than second guess 11:55
stickster skvidal: With which plan I was in 100% agreement. 11:56
spot lwnjake: when we're told that we can by the parties running the investigation, not a second before, and not a second later. 11:56
skvidal right - but a plan with 1 step is not quite a plan :) 11:56
* stickster +1's spot. 11:56
* spot would like to point out that Byfield's chicken little attitude is really irrational. No other FOSS publicly traded company (note that I said company) has ever had to deal with anything like this before. 11:57
spot yeah, it wasn't as good as it could be, but in true FOSS fashion, we're taking lots of notes and submitting patches 11:58
skvidal spot: it would be nice to get something resembling a status update from folks internal 11:58
skvidal spot: I agree with that concern, entirely 11:58
spot it would be nice, and hopefully we'll have something new soon. 11:59
spevack stickster: when the Board is ready, there are two additional questions on different topics. 11:59
spevack then i'll start looking for other follow-ups in the public room 11:59
stickster Anything else on the intrusion matter? 12:00
stickster If not, fire away spevack! 12:00
spevack ok 12:00
spevack vallor: "sounds like they've brought up having an incident response plan -- I guess I have to wonder is there a security group developing such a plan...and should the board security have a private mailing list (ONLY FOR INITIAL SECURITY INCIDENTS), where they can have full disclosure with each other?" (Max edit: it was mentioned already that fedora-board-list @ is private to just the Board.) 12:00
spevack wait, wrong paste 12:00
spevack i already did that one 12:00
spevack 12:00
spevack 12:00
spevack 12:00
spevack bryan_kearney1: I would like to get feedback on the AOS Trademark request (Max edit: What is AOS, for those who don't know? Also, bryan is referring specifically to the SELinux question, and the "minimal set of technical requirements to call something fedora" question) 12:00
stickster AOS is appliance operating system I think 12:01
f13 we just spent 20 minutes arguing about that earlier in the meeting 12:01
f13 one problem with "release early, release often" when it comes to policy is that sometimes we're not ready :/ 12:01
spevack f13: bryan is typing a modified/follow-up question right now 12:01
spevack hang on 12:01
spoleeba f13, does the version he recently submitted with selinux set to permissive work for you..until the new trademark policy and its technical measures go into effect? 12:02
stickster Bryan has been actively participating in the TM guidelines stuff, partly because it directly affects a project on which he's working 12:02
f13 also, a lot of discussions got put to the side when the "incident" happened, and we're slowly bringing things back into the foreground 12:02
spot bryan_kearney1: congratulations! you have stumbled into an unimplemented section of the map. beware of grues. we're scribbling as fast as we can. ;) 12:02
spevack while we wait for bryan's follow-up, here's the other question: 12:02
spevack 12:02
spevack 12:02
spevack inode0: less touchy I think question: why no new installation media? seems a large pain to install systems with keys that we need to replace after installation?! (Max edit: rdieter says this was possibly addressed in rel-eng meetings.) 12:02
f13 spoleeba: maybe? I honestly haven't taken a moment to look at it, I've been entirely focused on getting updates out to users once again. 12:02
f13 oh, and beta. 12:02
stickster OK, let's answer John's question. 12:03
spot <nirik> inode0: because that doesn't help any of the already burned media out there, and for doing something like 9.1 there would be export approval/legal to go thru 12:03
f13 We decided not to respin media because the content on the media is verified via other means than the keys on the packages 12:03
stickster I think the human-power cost of this is far too high vs. the current plan. 12:03
f13 and that there was already a rather large amount of pre-mastered media out in the wild, that there was no real good reason to invalidate 12:03
spoleeba f13, right... right... i realize.. im just saying that for in the meanwhile if his new kickstart is okay...then we should bless that for F10 timeframe 12:03
quaid spoleeba is correct 12:03
f13 spoleeba: it's on my list to look at. 12:03
quaid f13: thanks 12:04
quaid that's the blocker since we have no guidelines in place :D 12:04
spevack 12:04
spevack bryan_kearney1: AOS spin is still awaiting trademark approval, with selinux enabled (--permissive). We need additional feedback. I made changes per the feedback I got, and have gotten no new feedback 12:04
spevack 12:04
notting 'see the minutes from earlier in the meeting'? 12:04
spoleeba f13, as to media... are we going to leave the new release rpm with the new key..signed with the old key..up until F9 eol? 12:04
f13 we verified that the content on the media is good, we're going to re-sign the SHA1SUM file with the new key, and we're preparing our repos and mirrormanager so that fresh installs from those media will only ever hit our mirrors (the ones we control) for the updates, which will get them the transition bits to point them to the newly signed content. 12:05
spot please hold, while we determine what the minimum technical requirements will be (once we receive them from the Spins team). 12:05
f13 spoleeba: that is the plan. The repo will hold that and the PK updates and only those. Mirrormanager will force all requests to those repos into mirrors we control. 12:05
spoleeba f13, excellent... so a very small mirror pool specifically for those updates 12:05
f13 yes 12:06
spoleeba f13, yeah mirrormanager! 12:06
mdomsch spoleeba, d.f.r.c isn't really a small pool :-) 12:06
spevack stickster: there are currently no other questions queued up 12:06
spoleeba mdomsch, small is relative 12:06
stickster bryan_kearney1: to add to what notting said, I think you're seeing the effects of many of the parties involved being wrapped up in the work to get F8/F9 updates back on the horse 12:06
quaid question: 12:07
quaid what is going on with secondary marks? 12:07
* quaid waits to see if that question is clear enough :) 12:07
mdomsch quaid, the guidelines call for a new secondary mark 12:08
mdomsch "Powered by Fedora", "Derived from Fedora", something like that 12:08
stickster There are three questions -- Can we have one? What can it say? What does it look like? 12:08
spoleeba mdomsch, i seem to remember this discussion happening before..way way way back when 12:08
notting it has happened before. 12:09
mdomsch and will again 12:09
stickster So far, the answers I have, from talking with Red Hat Legal, are (1) Probably, (2) Not sure yet, (3) Not sure yet. 12:09
mdomsch stickster, but we could get the artwork team to start 3) 12:09
f13 am I watching a BSG episode? 12:10
spoleeba mdomsch, i could suggest a briefcase with an infinite symbol on it...oh wait..nevermind 12:10
stickster Well, it's very possible we can use the existing mark as *part* of the secondary mark. 12:10
mdomsch f13, she was boxed 12:10
stickster i.e. "Based on Fedora." 12:10
stickster Current legal minds are telling me that's not necessarily verboten. 12:10
spoleeba stickster, i like these new legal minds 12:11
mdomsch "Fedora Inside" 12:11
mdomsch + chimes 12:11
stickster Something tells me they won't be nearly as happy about a secondary mark that infringes another trademark :-D 12:11
mdomsch stickster, spoleeba +1 12:11
stickster So until we know what text we can use, and whether we can use the official logo, as part of the secondary mark, starting a design process is probably premature 12:12
quaid so this is a dependency on these trademark guidelines being finished. 12:13
stickster Especially if it comes down to, "Sure, use 'Based on Fedora'" with the official logo in XX specific configuration 12:13
ctyler so eom+art team? 12:13
stickster Because that art design will probably take about 5 minutes. 12:13
stickster In fact, I already did one myself. 12:13
* mdomsch gets out fingerpaints 12:13
ctyler uh oh 12:13
stickster (but will leave it to real artists and not dilettantes like myself) 12:13
stickster ctyler: I really, really hope so. 12:13
quaid this rolls back a bit to the AOS question 12:14
stickster So quaid +1, the guidelines need to be finished. 12:14
stickster Meaning that if there's a further dependency on technical guidelines, those need to be done pronto. 12:14
quaid the AOS with SELinux removed could use the secondary marks ... if they exist in the future. 12:14
stickster FESCo discussed this in their recent meeting too. 12:14
stickster sorry, indefinite "this" 12:14
stickster FESCo discussed technical Spin requirements in their recent meeting too. 12:15
stickster We should make sure that we, as the Board, are working in coordination with FESCo 12:16
* stickster ponders. 12:16
stickster If it's super-duper easy for anyone to use the secondary mark, and that secondary mark is a great pointer to the official project... 12:17
stickster Why will people want to bother with the primary mark? 12:17
stickster That's a rhetorical questions. 12:17
stickster *questions 12:17
* stickster gives up and shoots typist. 12:17
ctyler stickster has quit (Shot) 12:17
stickster heh 12:17
stickster OK, traffic has died, I think spevack fell asleep listening to me ramble, and there may be an empty question queue. 12:18
stickster spevack: Shall we call it? 12:19
spoleeba stickster, congratz you have just completed the full discussion about the value and danger of the secondary mark..all inside your own head 12:19
spoleeba stickster, you will fail to sleep this evening 12:19
f13 stickster: you mean like the debian official mark vs the one everybody actually uses? 12:19
stickster f13: That's precisely why I like the idea of embedding words in the mark. 12:19
* f13 too 12:20
spevack stickster: sure 12:20
f13 I think it's a worry, but something we'll just have to deal with 12:20
f13 by continuing to make things marked with the official mark relevant and exciting to use 12:20
mdomsch It's more likely official spins with the full mark will get hosting from the project? 12:20
spevack stickster: one last thing 12:20
spevack stickster: then the queue is empty 12:20
f13 and if our best competition comes from ourselves, isn't that a good thing? 12:20
stickster spevack: Oh no, that's always a bad sign. 12:20
spevack < herlo> spevack: Not sure if this is applicable to the previous 12:20
spevack discussion in the board but, So the patches that have been 12:20
stickster :-D 12:20
spevack made and fixes that were applied to the infrastructure, did 12:20
spevack they help in solving this issue? 12:20
spevack ugh, sorry for the bad formatting 12:20
f13 mdomsch: I'm almost of the opinion that only things hosted/produced officially by the project get the full mark, but I haven't fully thought that out yet. 12:21
f13 spot: that's a +3 FAIRY SHIELD mind you 12:21
stickster We believe that the changes we've made did help, yes. It would be silly for us to claim we're now 100% IMMUNE from bad peeplez 12:21
stickster -- but -- 12:21
f13 many of the changes we made will help us to recover from future attacks 12:22
stickster as all security practitioners know, security's a process, not an end state 12:22
f13 leaving us less with our pants hanging down 12:22
f13 so that next time, we may not have to nuke from orbit and spend a month trying to get updates out again 12:22
ctyler f13: So then a spin with the full mark could use the Fedora infrastructure for spin distribution? That's a reason to aim for it over the secondary mark. 12:22
* spevack has nothing else from #fedora-board-public 12:22
spoleeba mdomsch, i think im firmly in the camp that we are going to be officially hosting spins which go through the release process..regardless of primary/secondary mark 12:23
stickster OK, let's call it. 12:23
f13 cable guy is here, I'm out. 12:23
stickster You heard the man. 12:23
stickster </meeting> 12:23
stickster Board members, thank you for being here. 12:23
stickster Community, thank you even more for being here. 12:23
ctyler stickster, spevack, thank you both. 12:24
spoleeba we need to move this to a time so I can be drinking heavily while in this meeting 12:24
spevack my pleasure guys 12:24
stickster spoleeba: It's always happy hour somewhere. 12:24
stickster spevack: Thank you my friend 12:24
* stickster hopes he can bend poelcat's arm to do summary/log 12:24
-!- stickster changed the topic of #fedora-board-meeting to: Next public Board meeting: TBA 12:28