add notes from security sig yesterday

Signed-off-by: Tycho Andersen <tycho@docker.com>

reports/sig-security/2017-08-02.md

@@ -16,3 +16,22 @@ Previous meeting notes: [2017-07-19](2017-07-19.md)
   - please feel free to propose additional deep dives and discussion topics!
 
 ## Meeting Notes
+
+- Alpine Linux intro [slides](https://dev.alpinelinux.org/~ncopa/presentations/alpine-security-mission.html)
+  - Question: what's the strategy for getting rid of SUID? File capabilities?
+    - Answer: no real plan
+  - Question: what's the strategy in the face of no more public GRSecurity
+    patches?
+    - Answer: Currently forward porting last test patch, slightly risky, not a
+      good solution. May discontinue use at some point.
+  - Question: Thoughts on capabilities?
+    - Answer: fs-caps sound like a nice way to get rid of SUID bits, since
+      they're uid-independent.
+  - Question: Thoughts on LSMs?
+    - Answer: SELinux is complicated, AppArmor is simpler and perhaps better in
+      that sense, not on the roadmap currently for Alpine to implement default
+      profiles (but may be in the future)
+  - Question: What exactly is the deal with TLS?
+    - glibc does *lazy* allocation, so after pthread_create(), at some later
+      point, the actual allocation for TLS may fail, and glibc simply aborts().
+      This is one reason dlopen is a noop, but not the only reason.