fungi | reminder, monthly security sig meeting in ~90 minutes | 13:30 |
---|---|---|
fungi | meeting in 5 (i should assemble some sort of agenda!) | 14:55 |
fungi | #startmeeting security | 15:02 |
opendevmeet | Meeting started Thu Sep 1 15:02:00 2022 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:02 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:02 |
opendevmeet | The meeting name has been set to 'security' | 15:02 |
fungi | #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda | 15:02 |
fungi | #topic Prior Actions | 15:02 |
fungi | #link https://meetings.opendev.org/meetings/security/2022/security.2022-07-07-15.00.html Minutes from last meeting | 15:03 |
fungi | we skipped the august meeting due to my lack of availability, so many apologies | 15:03 |
fungi | fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling | 15:04 |
fungi | i finally got around to that | 15:04 |
fungi | #link https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029825.html XStatic and JS dependencies | 15:04 |
fungi | i also posted a followup message tagged with a bunch of relevant deployment and packaging teams/sigs in order to hopefully bring it to their attention | 15:05 |
fungi | that was posted a month ago, and to date there have been zero responses, not even from the horizon maintainers, unfortunately | 15:06 |
fungi | probably we should see about getting it added as a horizon ptg discussion topic | 15:06 |
fungi | #action fungi propose xstatic discussion topic on horizon ptg agenda | 15:07 |
fungi | the other two action items from last meeting are still incomplete, so apologies... i'll re-add them to track | 15:07 |
fungi | #action fungi add new volunteers to embargo-notice ml | 15:07 |
fungi | #action fungi update ossn/security-doc members in gerrit and launchpad | 15:08 |
fungi | i started looking into those, and i should probably clean up old members while i'm at it | 15:08 |
fungi | in particular, the ossn core review group in gerrit does not contain any current contributors at all, and the security doc group has a lot of retired contributors still in it. i have a feeling i'll discover the same in the corresponding launchpad groups | 15:09 |
fungi | prometheanfire is also not one of the embargo-notice ml moderators, i can't remember if that was on purpose or merely an oversight | 15:10 |
fungi | anyway, that's all i had for action items from last meeting | 15:10 |
fungi | #topic Pending Reviews | 15:10 |
fungi | #link https://review.opendev.org/q/is:open+project:openstack/ossa Open change reviews for openstack/ossa | 15:10 |
prometheanfire | I feel like that's an oversight, I don't remember ever moderating that ml | 15:11 |
fungi | that's currently empty! i'll try to remember to add our other repos next time, there are probably some we could clean up for ossn and security-doc | 15:11 |
fungi | prometheanfire: i'll add you to the list owners for it if you like, it's mostly a means for us to review downstream stakeholder messages before sending | 15:12 |
prometheanfire | I don't need to be an owner / moderator, just member most likely | 15:12 |
fungi | ahh, okay. the idea was that the vmt members would help maintain that ml, but it's certainly not obligatory | 15:13 |
fungi | #topic Public Bug Reports | 15:13 |
fungi | #link https://bugs.launchpad.net/ossa/+bugs?field.information_type%3Alist=PUBLIC&field.information_type%3Alist=PUBLICSECURITY | 15:13 |
fungi | #link https://launchpad.net/bugs/1981813 Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap (CVE-2022-37394) | 15:15 |
fungi | that's in progress but stalled for the past ~6 weeks looks like | 15:15 |
fungi | #link https://review.opendev.org/850003 Gracefully ERROR in _init_instance if vnic_type changed | 15:16 |
fungi | is the proposed fix in master, and has review priority set, but no activity there for several weeks | 15:16 |
fungi | anyone want to prod the nova reviewers to try and not end up carrying this vulnerability into the zed release? | 15:17 |
fungi | #action fungi reach out to nova reviewers about 850003 | 15:18 |
fungi | #link https://launchpad.net/bugs/1980954 Resource leak with HTTPBadRequest in StaticLargeObject.get_slo_segments | 15:18 |
fungi | it appears the swift folks merged a couple of fixes for that, and so 2.30.0 (their latest release from master) is supposedly no longer impacted | 15:19 |
fungi | it's been pretty quiet though, and nobody responded to my question about backports, so we should probably assume the maintainers have limited interest in any backporting for that, switch it to class b1, and encourage interested community members to either write up an ossn about it or make backports (in which case we can switch back to class a and publish an advisory) | 15:21 |
fungi | #action fungi switch bug 1981813 to class b1 for now | 15:22 |
fungi | the other 6 public bugs in lp are years old since their last updates, so we should probably assume limited community interest and ignore unless someone revives them | 15:24 |
fungi | #action fungi switch advisory tasks for old public security bugs to won't fix for now | 15:24 |
fungi | #topic PTG Planning | 15:25 |
fungi | #link https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029823.html Any interest in getting together at the PTG? | 15:26 |
fungi | that was back when it was still going to be in-person | 15:27 |
fungi | tonyb replied that he's interested in having a security sig session, but maybe now that it's going virtual more of you are interested in participating? | 15:27 |
fungi | slots are already starting to fill up | 15:28 |
fungi | #link https://ptg.opendev.org/ptg.html PTG Schedule | 15:28 |
fungi | i can try to pick an hour at a time when folks think will be convenient. are there any preferences, or conflicts with other teams i should try to avoid? | 15:29 |
fungi | at a minimum i'll not book it over top the tc sessions or the diversity and inclusion wg session, and try to avoid intersecting barbican or keystone times | 15:30 |
fungi | #action fungi schedule an hour at the ptg for the security sig | 15:30 |
fungi | anybody else have anything ptg-related? | 15:31 |
fungi | i'll take your silence as a resounding no | 15:34 |
fungi | #topic Open Discussion | 15:34 |
fungi | what else ya got? | 15:34 |
fungi | seems like a whole lot of nothing. next meeting will be in here on thursday october 6 at 15:00 utc | 15:38 |
fungi | thanks everyone! | 15:38 |
fungi | #endmeeting | 15:38 |
opendevmeet | Meeting ended Thu Sep 1 15:38:51 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:38 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/security/2022/security.2022-09-01-15.02.html | 15:38 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/security/2022/security.2022-09-01-15.02.txt | 15:38 |
opendevmeet | Log: https://meetings.opendev.org/meetings/security/2022/security.2022-09-01-15.02.log.html | 15:38 |