opendevreview | Jeremy Stanley proposed openstack/ossa master: repos-overseen: VMT is happy to assist any project https://review.opendev.org/c/openstack/ossa/+/844444 | 13:02 |
opendevreview | Jeremy Stanley proposed openstack/ossa master: Drop references for the old security blog https://review.opendev.org/c/openstack/ossa/+/844451 | 13:17 |
opendevreview | Jeremy Stanley proposed openstack/security-doc master: Use permalink for Barbican security analysis https://review.opendev.org/c/openstack/security-doc/+/844468 | 14:43 |
fungi | remember, our monthly security sig meeting begins in 15 minutes! | 14:45 |
opendevreview | Jeremy Stanley proposed openstack/security-analysis master: Retirement Step 2: Remove Project Content https://review.opendev.org/c/openstack/security-analysis/+/844490 | 14:49 |
fungi | just a heads up, my broadband connection decided to die just before the top of the hour, so i'll be chairing the meeting from a wireless modem | 15:04 |
fungi | apologies for the delay | 15:04 |
fungi | #startmeeting security | 15:05 |
opendevmeet | Meeting started Thu Jun 2 15:05:05 2022 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:05 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:05 |
opendevmeet | The meeting name has been set to 'security' | 15:05 |
gagehugo | o/ | 15:05 |
fungi | #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda | 15:05 |
fungi | #topic Prior actions | 15:05 |
fungi | fungi adjust the repos-overseen doc to also mention the vmt is available to assist projects even if their repos are not explicitly opted into oversight | 15:06 |
fungi | #link https://review.opendev.org/844444 (openstack/ossa) repos-overseen: VMT is happy to assist any project | 15:06 |
fungi | fungi push/amend sig chair update changes | 15:06 |
fungi | #link https://review.opendev.org/844446 (openstack/governance-sigs) Security SIG chair rotation | 15:06 |
fungi | #link https://review.opendev.org/844448 (opendev/irc-meetings) Security SIG chair rotation | 15:07 |
fungi | fungi propose change to remove security blog references from ossa repo | 15:07 |
fungi | #link https://review.opendev.org/844451 (openstack/ossa) Drop references for the old security blog | 15:07 |
fungi | fungi send an announcement to the openstack-discuss list about moving documentation out of security-analysis to individual project repos | 15:08 |
fungi | #link https://lists.openstack.org/pipermail/openstack-discuss/2022-June/028816.html Retiring security-analysis process and repo | 15:08 |
fungi | fungi follow retirement process from project teams guide/infra manual to retire security-analysis | 15:08 |
fungi | #link https://review.opendev.org/844463 (openstack/governance) Remove security-analysis repo from Security SIG | 15:08 |
gagehugo | I can review those today | 15:09 |
fungi | #link https://review.opendev.org/844468 (openstack/security-doc) Use permalink for Barbican security analysis | 15:09 |
fungi | #link https://review.opendev.org/844490 (openstack/security-analysis) Retirement Step 2: Remove Project Content | 15:09 |
fungi | thanks gagehugo! | 15:09 |
fungi | there will be more, but my network outage was inconveniently timed, so i haven't pushed the rest up yet | 15:09 |
fungi | #action fungi complete retirement process for security-analysis | 15:10 |
fungi | also i've been meaning to add d34dh0r53 and dmendiza[m] to the review group in gerrit so they can help review those as well | 15:12 |
fungi | (sorry for the slowness on my end, this wireless modem is pretty terrible) | 15:12 |
fungi | #action fungi add new volunteers to review groups | 15:12 |
d34dh0r53 | dmendiza[m] is on PTO but I can take a stab at reviewing those as well | 15:13 |
fungi | #action fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling | 15:13 |
fungi | i did not get to that yet | 15:13 |
fungi | thanks d34dh0r53! i'll let you know once you have +2 privs, hopefully as soon as my isp pulls their head out of their socket | 15:13 |
d34dh0r53 | fungi: thanks! | 15:14 |
fungi | #topic Activities: Publishing OSSNs | 15:14 |
fungi | as some of you may or may not be aware, we have redundant copies of security notes presently | 15:14 |
fungi | #link https://opendev.org/openstack/security-doc/src/branch/master/security-notes Security Notes in Git | 15:15 |
fungi | #link https://wiki.openstack.org/wiki/OSSN Security Notes in Wiki | 15:15 |
fungi | also the process info is currently in the wiki rather than in git | 15:15 |
fungi | looking for volunteers interested in moving the process documentation into git (i guess into the security-doc repo), and retiring all the content on the wiki | 15:16 |
fungi | to those of you here now, or anyone reading the minutes after the meeting, feel free to reach out to me if you want to help with that | 15:17 |
fungi | it would be nice to get the ossn review process streamlined to be closer to how we review ossa documents, but even just moving the process documentation over and dropping the wiki copies will help | 15:18 |
fungi | i'll keep this topic on the meeting for next month, and can action any volunteers we happen to get | 15:18 |
fungi | er, on the agenda for the meeting next month i mean | 15:18 |
fungi | anybody have any input on the idea? if not, i'll move on to the next topic on the agenda | 15:19 |
fungi | #topic Recently public security bug reports | 15:21 |
fungi | #link https://launchpad.net/bugs/1975830 Horizon doesn't provide ACL on Instance level | 15:22 |
fungi | this was more of a mis-filed feature request | 15:22 |
fungi | i switched it to a normal bug report and added the security tag for visibility | 15:23 |
fungi | that's the only one i can think of since the last meeting | 15:24 |
fungi | if anyone has an interest in instance-level console access security (obviously the api is as much or more of a problem than the dashboard), feel free to follow up there | 15:25 |
fungi | #topic Recent vulnerabilities in or related to OpenStack | 15:25 |
fungi | i'm not aware of any obvious new ones here, but if anything public has come to anyone's attention we can take some time in the meeting to discuss | 15:26 |
fungi | buzz about the log4j vulnerabilities seems to have died down, so an ossn for that is probably no longer particularly urgent | 15:27 |
fungi | okay, seems like nobody else has anything for this either | 15:30 |
fungi | #topic Anything else? | 15:30 |
fungi | i'll give it a few minutes before i wrap it up, in case there are other issues folks want to bring up | 15:30 |
fungi | i'm in berlin next week for the open infrastructure summit, but will be trying to keep an eye on any immediate concerns (vmt-related or otherwise) as time allows | 15:31 |
fungi | if anybody wants to catch up in-person and is also going to be there, i'm happy to coordinate schedules | 15:32 |
fungi | there are also some infosec-oriented talks on the conference schedule we're likely to bump into one another at | 15:33 |
fungi | we actually have a "security" track again for the first time in a while | 15:33 |
fungi | #link https://openinfra.dev/summit-schedule#track=390&view=calendar OpenInfra Summit Security Track Sessions | 15:34 |
fungi | 10 different talks in the track | 15:35 |
fungi | if you filter by title keyword instead, there's another one in the containers track | 15:38 |
fungi | "Lotsa security: confining the extra security layer" | 15:38 |
fungi | and also of course, tons of security-relevant discussions happening at the forum | 15:39 |
fungi | "Next Steps for FIPS in OpenStack" | 15:39 |
fungi | "Unrestricted Ansible in Zuul" | 15:40 |
fungi | "Deprivileging of Service Accounts Between Individual OpenStack Services" | 15:41 |
fungi | i expect there will be some ongoing rbac discussions too | 15:42 |
fungi | since it doesn't appear anyone else has something to bring up, i'll close this down 15 minutes early. thanks everyone! | 15:45 |
fungi | #endmeeting | 15:45 |
opendevmeet | Meeting ended Thu Jun 2 15:45:06 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:45 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/security/2022/security.2022-06-02-15.05.html | 15:45 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/security/2022/security.2022-06-02-15.05.txt | 15:45 |
opendevmeet | Log: https://meetings.opendev.org/meetings/security/2022/security.2022-06-02-15.05.log.html | 15:45 |
opendevreview | Merged openstack/ossa master: repos-overseen: VMT is happy to assist any project https://review.opendev.org/c/openstack/ossa/+/844444 | 16:06 |
opendevreview | Merged openstack/ossa master: Drop references for the old security blog https://review.opendev.org/c/openstack/ossa/+/844451 | 16:10 |
opendevreview | Merged openstack/security-doc master: Use permalink for Barbican security analysis https://review.opendev.org/c/openstack/security-doc/+/844468 | 16:12 |
opendevreview | Jeremy Stanley proposed openstack/security-analysis master: Retirement Step 2: Remove Project Content https://review.opendev.org/c/openstack/security-analysis/+/844490 | 16:30 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!