Date: 2020-05-12
Chair: Ivan
Minutes: Bob
Participants: Alex, Standa, Jakub, Bob, Daiki, Toshi, Simo, Tomas, Sahana, Hubert, Ondrej, Ivan, Lucie
Excused: Nikos

Chair and minutes keeper update the etherpad; after the meeting, the minutes keeper sends the minutes and prepares the etherpad for next week - https://wiki.brq.redhat.com/SecurityTechnologies/CryptoTeam#Meetingsandminutes

* Meeting administrivia/announcements (5 mins)

[announce this meeting chair/notes keeper]
[decide next meeting chair/notes keeper Bob -> Daiki -> Hubert -> Sahana -> Jakub -> Simo -> Tomas -> Alexander -> Lucka -> Standa -> Toshi -> Ondrej -> Ivan]

Next meeting chair: Bob
Next meeting minutes: Daiki


* Check of issue queries (10 min)

Report of NEW untriaged items the last two weeks and items with needinfo:
https://url.corp.redhat.com/crypto-team-chairman-reportv6 (6)

RHEL8.3:
 * non-acked: https://url.corp.redhat.com/crypto-rhel83-nonacked-v1 (13)
 * untriaged: https://url.corp.redhat.com/crypto-rhel83-untriaged-v1 (2)
 * unscoped: https://url.corp.redhat.com/crypto-rhel83-unscoped-v2 (8)
 * ON_QA bugs: https://url.corp.redhat.com/crypto-rhel83-onqa-v1 (6)

RHEL7.9:
 * untriaged bugs https://url.corp.redhat.com/crypto-rhel79-untriaged-v1 [please triage or close; do not postpone (except for ca-certificates and nss*)] (3)


* PTOs (0 min)

Standa: May 15th

* Status report on previous action points (5 min) [note: no discussion only status]

AI All: Skim through the Maturity Model document and give feedback.
Done

AI Hubert, Anderson and Jakub: discuss Quantum-resistant SSH Key Exchange in a separate meeting.
done: discussed on irc.

Chess tournament:
Interested: Standa, Hubert, Ivan, Sahana (prefer classical), Simo (I am ok with blitz 10min or no time limit), Jakub
done :)

* Check Ready for Acceptance (10 min)

Jira: https://projects.engineering.redhat.com/secure/RapidBoard.jspa?rapidView=3019


* Update on running theses and internship (1 min)

Hubert: (timing attacks with tlsfuzzer): new PR I need to review
Hubert: (cipherscan TLS 1.3 support): no update

Interns:
Frantisek: new PR I need to review
Norbert: presentation and demo at monthly meeting



MUNI + Red Hat collaboration on post-quantum crypto + side-channel resistance:
https://docs.google.com/document/d/1qQlkawjxXkaz05aseCDXAgGEdZtkcY7MdtxJXsaRQo8/edit#heading=h.5m4tl0gyigmi
no update


* Update on running projects (3 min)

Daiki: QUIC and HTTP/3
https://projects.engineering.redhat.com/browse/CRYPTO-398
no progress


* Deadlines

2020-01-21: RHEL-8.2 bugs require exception or blocker
2020-01-27: RHEL-8.1.0.z Batch 2 - Errata in REL_PREP
2020-02-11: RPL for 7.9 deadline
2020-02-25: Q4 review SST meeting
2020-02-25: Fedora 32 Beta Freeze
2020-02-29: Q4 Ends
2020-03-26: RHEL-7.9 bugs require exception or blocker
2020-03-30: RHEL 8.1.0.3 all Errata in REL_PREP [openssl]
2020-03-30: RHEL 8.2 all Errata in REL_PREP
2020-03-31: RHEL 8.3 RPL SST deadline
2020-04-24: Mid quarter Review and planning completion
----> we are here <-----------------------------------------
2020-06-01: Firefox 78 Beta freeze
2020-06-02: OpenSSL 3.0 Beta release (feature freeze)
2020-06-30: Firefox ESR 78.0 release
2020-07-13: RHEL-7.9 all Errata on REL_PREP


* Discussion (25 mins)

Alex: let's vote on results-yesterday project proposal (https://projects.engineering.redhat.com/browse/CRYPTO-1198)
Alex wants to know what the process is to move forward.
Simo: we just need to vote
Vote: Approved, no objections.
Simo: Be sure to reply to any requests to this Jira card in a timely manner. Management may ask time critical questions here.
Standa: You need to explicitly watch a bug, even if you own the card, to get notifications.

Tomas: In 8.2 custom crypto-policies bring python into the minimal rhel-8 container image - should we make the update-crypto-policies a subpackage pulled in via "Recommends"?
Tomas: in fedora we use this method.
Simo: why would we worry about this in RHEL.
Tomas: customers may ignore the Recommends and not get update-crypto-policies. There may be a workaround, which would be to put the tool in, but put a runtime warning.
Simo: Better to not have the tool. Just do the Recommends and customers that need the tool can figure out if they bypass recommends.
AI Tomas: Put the crypto-policies bug in the 8.3 errata

Tomas: Heads-up - Thunderbird (which we ship in RHEL) will from version 78 require Botan crypto library :(
    Simo: why? what is it used for?
    Kai Engert said on nss-dev ML: "For OpenPGP we're using the RNP and Botan libraries. [...] We'll NOT bundle GnuPG because of its GPL license."
    Bob: You can build it without it but you won't get PGP.
    Simo: ideally we want this support as a plugin in EPEL.
    Simo: make sure RHEL thunderbird knows about.
    AI: Tomas make sure there is a downstream RHEL bug for Botan issue in Thunderbird.

Alex: definition of done for 'fix tests on Fedora': passes in Beaker on x86? has a reviewed TCMS run? passes in rey?
Alex: I kinda assumed 'having a TCMS run', but I'm fine with downgrades if others consider it an overkill
Alex: What I definitely don't like, is waiving fingertip-induced failures, this can mask bugs
Simo: shouldn't we turn on gating when they pass?
?: that seems too much.
Standa: isn't gating part of the completion criteria.
?: Not all tests are gating.
Standa: A log of the run is good.
Hubert: that's not really necessary. Just self verification is sufficient.
Jakub: TCMS doesn't always work well in presentation. Fast moving Fedora could be an issue in stability.
Alex: OK enabling gating if the gating is required.
Simo: We don't need to specify at this point.
Anderson: Already enabled CI via koji-dispatcher for running tests in Fedora.
https://projects.engineering.redhat.com/browse/CRYPTO-1518
Standa: We'll rerun all the tests in the future.
Decision: If the tests are passing, we can close the test cards. New cards will be created in the next run with more explicit completion criteria.


Standa: RHEL-8.3 - what is the situation with gnutls?
Alex: I believe automated test coverage is complete, don't know when we'll have the builds
Daiki: new builds expected next week.
Toshi: openssl license issue.
Tomas: the new openssl license should be compatible with GPL 3.0 (not GPL 2.0 only).
Toshi: gnutls is LGPL3+ or GPL2+.
Tomas: LGPL is 2.0 ok. It depends on what the amalgamation license is.
Simo: the amount of code is not used.
Toshi: we can also get the code from the other repository that has a better license, but it's not kept in synch with openssl and already is missing patches.
Tomas: the code has diverged and will likely never get merged.
Simo: leave upstream to deal with the general problem. Just do the RHEL patch.
AI: Toshi will talk with gnutls upstream about licensing issues and check with Intel about the license for the RHEL patch.


Toshi: We create a group for repos to upstream tests: https://gitlab.com/redhat-crypto/tests Currently, I added tests for libssh and set up a Fedora container image for the CI. The CI uses tmt to run the tests.
Simo: fedora has beakerlib?
Toshi: There's a beakerlib package in fedora, but it's out of date. There are some failures.
Standa: Good work.
Toshi: It's good background for the interop project.

Simo: Question about a card for presenting the Crypto overview. He has the presentation, but needs a time to present it.
Simo: Calendar is very full.
Simo: possibly Thursday 5pm Brno, 11am EDT, 8am PDT.

* Action items and decisions

AI: Tomas make sure there is a downstream RHEL bug for Botan issue in Thunderbird.
Decision: If the tests are passing, we can close the test cards. New cards will be created in the next run with more explicit completion criteria.
AI: Toshi will talk with gnutls upstream about licensing issues and check with Intel about the license for the RHEL patch.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto