Thursday, 2022-05-05

14:50 <fungi> reminder, we're meeting in ~10 minutes
14:50 * fungi puts the kettle on
15:00 <fungi> #startmeeting security
15:00 <opendevmeet> Meeting started Thu May  5 15:00:18 2022 UTC and is due to finish in 60 minutes.  The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00 <opendevmeet> The meeting name has been set to 'security'
15:01 <fungi> not sure who else is around, but i put an agenda together in the usual spot
15:01 <fungi> #link https://etherpad.opendev.org/p/security-agenda
15:02 <fungi> we skipped the april meeting in favor of (virtually) getting together at the ptg, so this is our first regular meeting since the ptg
15:03 <fungi> #topic PTG recap
15:05 <fungi> #link https://etherpad.opendev.org/p/security-sig-ptg-zed
15:05 <fungi> that's where we took some notes
15:06 <fungi> we covered a few topics, some of which are broken out into activities in today's meeting agenda
15:07 <fungi> we talked about finding more volunteers to expand the vmt
15:07 <fungi> big thanks to d34dh0r53 and dmendiza[m] for expressing interest in getting involved there!
15:08 <d34dh0r53> o/
15:08 <d34dh0r53> you're welcome
15:08 <fungi> thankfully, things have been fairly quiet on the vmt front for the past month, so i haven't had much opportunity for engagement with our new recruits on anything yet
15:08 <dmendiza[m]> 🙋‍♂️
15:09 <fungi> it looks like i had one action item from the vmt coverage expansion discussion which i've neglected to work on yet
15:09 <fungi> #action fungi adjust the repos-overseen doc to also mention the vmt is available to assist projects even if their repos are not explicitly opted into oversight
15:10 <fungi> i'll get into other stuff from the ptg later in today's agenda
15:10 <fungi> anyone have anything ptg-related to add which isn't on the meeting agenda already?
15:12 <fungi> #topic Interim SIG chair
15:12 <fungi> many thanks to gagehugo for chairing the sig (for i can't even remember how many years it's been now)!
15:13 <fungi> #link http://lists.openstack.org/pipermail/openstack-discuss/2022-April/028251.html
15:14 <fungi> as he mentions in that ml post, he's unable to continue chairing the sig, so we need one or more new (co)chairs
15:15 <fungi> given the lack of responses, there's a wip change which i'll amend to set myself as interim chair, though i'm happy to entertain other co-chairing or replacement chairs from anyone with interest
15:15 <fungi> #link https://review.opendev.org/839632
15:16 <fungi> we'll also need a similar change to the openstack/governance-sigs repository officially setting the chair(s) for the sig
15:16 <fungi> #action fungi push/amend sig chair update changes
15:17 <fungi> if anyone's up for it, speak up now or feel free to reach out to me any time after the meeting
15:19 <fungi> #topic Activities: retiring security-analysis repository
15:19 <fungi> this was something we spent some time discussing at the ptg
15:20 <fungi> the references to the security-analysis repo were already removed from the ossa repo and thus from the security site when i was working on importing the vulnerability:managed governance tag documentation
15:21 <fungi> the repository itself has yet to be retired, so i'll take care of the next steps, which i believe will be as follows:
15:21 <fungi> #action fungi send an announcement to the openstack-discuss list about moving documentation out of security-analysis to individual project repos
15:22 <fungi> #action fungi follow retirement process from project teams guide/infra manual to retire security-analysis
15:22 <fungi> if anyone is interested in doing either or both of those things, i'm happy to help provide guidance
15:24 <fungi> #topic Activities: horizon xstatic javascript library wrappers plan
15:25 <fungi> we covered this some in the security sig ptg session, and i also had a lengthy discussion with horizon contributors in their session about it
15:28 <fungi> i still owe the openstack-discuss ml a discussion starter about what can be done
15:29 <fungi> and the current pitfalls with what we have
15:29 <fungi> #action fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling
15:31 <fungi> #topic Activities: removing references to defunct security blog
15:31 <fungi> this has come up in the past, and i just noticed when looking back over the main page of the security.openstack.org site that we still refer to it
15:32 <gagehugo> o/
15:32 <gagehugo> apologies for being late
15:32 <fungi> no worries! i've been taking things slowly
15:33 <fungi> the "openstack security blog" was being managed by some of the more active openstack security group folks in years past, but it was abandoned around 5 years ago
15:34 <fungi> it would probably be good if someone who's a member of the openstack-security org on github could wind it down more cleanly there, but i don't know who had or still has access to do that (it's not me, at the very least)
15:35 <fungi> hyakuhei seems to have probably set it up originally, and i see indication that lhinds might have been the last one approving pull requests in it
15:36 <fungi> at any rate, what i *can* do is remove references to it from the security.openstack.org site, so i'll push up a change to do that and further simplify the page in the process
15:36 <fungi> #action fungi propose change to remove security blog references from ossa repo
15:38 <fungi> #topic Recently public security bug reports
15:38 <fungi> we've only had one of note since the ptg, and it was marked invalid by the vmt:
15:38 <fungi> #link https://launchpad.net/bugs/1970932
15:39 <fungi> i'm looking forward to progress on the rbac work, particularly the idea of dropping the ambiguous "admin" role, which will hopefully solve a lot of this sort of confusion
15:39 <gagehugo> more documentation would be nice
15:40 <fungi> yeah, if anyone has time and interest in making that particular pitfall more easily spotted by users/operators, that would be awesome
15:42 <fungi> #topic Recent vulnerabilities in or related to OpenStack
15:42 <fungi> i noticed these advisories for dpdk this morning:
15:42 <fungi> #link https://www.openwall.com/lists/oss-security/2022/05/05/1
15:42 <fungi> #link https://www.openwall.com/lists/oss-security/2022/05/05/2
15:43 <fungi> unfortunately there's not a ton of detail in the ml posts, and their bugzilla requires a login to see whatever's at the urls they linked for more information
15:44 <fungi> the first one might be arbitrary code execution, but i'm not sure how the vulnerable function call is reached, so i can't be positive
15:44 <fungi> the second is called out as a potential denial of service due to resource exhaustion
15:45 <fungi> i'm bringing them up because i know some openstack deployments rely on dpdk features, so this might be of interest to a subset of our operators
15:46 <fungi> if anyone's got a burning desire to do a bit more research and write up an ossn (openstack security note) about these, i'm sure that would be welcome
15:46 <fungi> #topic Anything else?
15:47 <fungi> i'll give everyone a few minutes in case someone has something to bring up before i end the meeting
15:50 <fungi> i'll take that as a "no." thanks for coming! see you on thursday, june 2, when we'll have a (hopefully short) meeting to talk about anything of interested related to the summit happening in berlin the following week
15:50 <gagehugo> thanks fungi!
15:50 <fungi> er, anything of interest, i mean
15:50 <fungi> #endmeeting
15:50 <opendevmeet> Meeting ended Thu May  5 15:50:59 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:50 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/security/2022/security.2022-05-05-15.00.html
15:50 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/security/2022/security.2022-05-05-15.00.txt
15:50 <opendevmeet> Log:            https://meetings.opendev.org/meetings/security/2022/security.2022-05-05-15.00.log.html
