Thursday, 2022-03-03

07:59 *** ricolin is now known as Guest1112
07:59 *** ricolin_ is now known as ricolin
14:13 *** ricolin_ is now known as ricolin
15:02 * fungi is around if folks want to meet
15:17 <gagehugo> sorry I'm late
15:18 <gagehugo> #startmeeting security
15:18 <opendevmeet> Meeting started Thu Mar  3 15:18:01 2022 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:18 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:18 <opendevmeet> The meeting name has been set to 'security'
15:18 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:19 <fungi> ohai
15:20 <gagehugo> Apologies for the late start, in another meeting and lost track of time
15:20 <gagehugo> #topic PTG
15:20 <fungi> no worries, i'm in two other meetings at the same time
15:20 <gagehugo> heh
15:20 <gagehugo> So the PTG is in roughly 1 month
15:21 <gagehugo> I was going to cancel next month's meeting since we'll have a session that week anyway
15:21 <gagehugo> The current time we are scheduled is Monday April 4th 2100-2300 UTC
15:21 <gagehugo> #link https://etherpad.opendev.org/p/security-sig-ptg-zed ptg agenda
15:21 <gagehugo> I'll get that etherpad set up today
15:21 <gagehugo> and an email sent out
15:22 <fungi> thanks!
15:22 <gagehugo> #topic open discussion
15:22 <gagehugo> I believe the security-specs repo is now officially retired?
15:23 <gagehugo> unless I missed a step
15:23 <fungi> yes, i think so
15:23 <fungi> i remember the governance change merging, which is generally the final step
15:23 <gagehugo> ok good
15:24 <gagehugo> That's all I had for updates, do you have anything fungi?
15:24 <fungi> i may have mentioned it late last year, but i'm noodling on starting a discussion with the community about the security landmine that is horizon's xstatic wrappers for javascript libraries
15:25 <gagehugo> oh geez
15:26 <fungi> i think the idea at the beginning was that it would give us a way to reference js libs from python as dependencies, particularly for testing, but that distros would de-vendor the actual javascript and substitute whatever actual versions of those libs they were already packaging separately
15:26 <gagehugo> hmm
15:26 <fungi> unfortunately the reality is that they seem to have simply packaged the xstatic wrappers along with the embedded javascript
15:27 <gagehugo> ah
15:27 <fungi> so openstack has become a redistributor of other people's javascript libs, usually outdated versions of them with known security vulnerabilities
15:28 <gagehugo> yeah, that's not great
15:28 <fungi> and distros are just shipping those as-is
15:29 <fungi> this has come to a head with a recent report to ubuntu about how their packages of things like xstatic-angular and xstatic-jquery have known vulnerabilities, but this gets increasingly complicated because the upstream fixes for those are not things horizon has successfully updated to yet
15:30 <fungi> unlike our actual python dependencies, we don't have anything along the lines of global-requirements/upper-constraints to push projects to support latest versions of js libs
15:30 <fungi> so they just bitrot and are mostly ignored
15:30 <fungi> so anyway, i have concerns. i've had concerns for a long time but the situation seems to be getting worse rather than better
15:31 <fungi> what i don't really have yet is good suggestions
15:32 <gagehugo> ok
15:32 <fungi> if people have ideas they want to share here in the meeting, or reach out to me with after, it's appreciated
15:32 <fungi> once i bring the subject to a wider audience on the openstack-discuss ml, maybe there will be more ideas
15:32 <gagehugo> That is a good idea
15:38 <gagehugo> I think I remember us discussing making an OSSN for log4j last meeting as well?
15:38 <fungi> yes, i haven't seen any volunteers there
15:38 <fungi> also the vulnerability:managed governance tag removal is on hold waiting for the openstack website to no longer rely on it for the project info pages
15:39 <fungi> there's a high priority request in to the webdev contracting company the foundation uses to manage that website to remove those bits
15:39 <fungi> but i don't have any eta
15:40 <fungi> our (vmt/sig) side though is complete. the security site is updated as is the project team guide
15:40 <fungi> er, not the project team guide, sorry, it was the security handbook
15:40 <gagehugo> ok cool
15:41 <fungi> anyway, it's just the governance change which is still not merged
15:42 <fungi> i also noticed, in making that change to the security manual, that it's still referring to the security-analysis repo... we could talk about whether that's still relevant too, or whether it's under-utilized and should be retired
15:43 <gagehugo> might be a good PTG discussion
15:44 <fungi> i'll add it to the pad
15:45 <fungi> it was another outgrowth of the now defunct ossg
15:45 <fungi> the remnants of the security sig lack the review bandwidth for what that was designed to be
15:46 <gagehugo> :(
15:46 <gagehugo> yeah
15:47 <fungi> but also nobody seems to be using it anyway
15:49 <gagehugo> fungi: anything else for this meeting?
15:50 <fungi> nothing else from me, nope
15:50 <fungi> thanks for chairing, gagehugo!
15:50 <gagehugo> Thanks fungi!
15:50 <gagehugo> #endmeeting
15:50 <opendevmeet> Meeting ended Thu Mar  3 15:50:45 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:50 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/security/2022/security.2022-03-03-15.18.html
15:50 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/security/2022/security.2022-03-03-15.18.txt
15:50 <opendevmeet> Log:            https://meetings.opendev.org/meetings/security/2022/security.2022-03-03-15.18.log.html