Nick | Message | Time |
---|---|---|
gouthamr | has anyone seen private bug reports against projects referencing blackduck security scans? | 22:35 |
gouthamr | here's one: https://bugs.launchpad.net/manila/+bug/2106619 ; please share your LP if you'd like to view it.. but i suspect the reporter was running this scanner tool against other OpenStack components too | 22:36 |
JayF | fungi: ^ is this another case where VMT notifications didn't go out | 22:36 |
gouthamr | it flags a bunch of python libs specified in our requirements.txt as "operational risk" because they may be outdated, deprecated, vulnerable, or unmaintained | 22:37 |
gouthamr | ah, enlighten me :D | 22:37 |
JayF | that looks 100% invalid to me, I'll run it by VMT | 22:37 |
gouthamr | ++ will add vmt group to the visibility because i could use help | 22:38 |
JayF | I can see it; so clearly perms are right. Sometimes the email notifications miss or are very late. | 22:39 |
gouthamr | ack, hey do you know what all tweaks one has to do on Launchpad to properly secure a project? i.e., a dummy's guide to configure security bug stuff properly | 22:43 |
gouthamr | i wanted to bubble that up to PTLs as they're fixing their coresec groups, post this thing merging: https://review.opendev.org/c/openstack/governance/+/944817 | 22:44 |
JayF | going to take this up in PM | 22:47 |
gouthamr | tyty | 22:47 |
fungi | gouthamr: i want to say someone opened one of those for cinder recently as well, and i basically just switched it to public and let them mark it as invalid for the project | 23:07 |
fungi | ah, yes, here: https://bugs.launchpad.net/cinder/+bug/2106615 | 23:08 |
fungi | seems virtually identical | 23:09 |
fungi | as for notifications, it's possible that a member of the vmt needs to manually subscribe it to receive notifications for every single bug project in lp that we should be following. i did subscribe us to the "openstack" superproject (which manila is already configured as "part of" in lp), but that alone may be insufficient | 23:14 |
fungi | we've added new projects for vmt oversight so rarely that it's possible this is a step that only ttx and markmc remembered to do for the first dozen-ish openstack repos | 23:15 |
JayF | I got a notification, it just was a good 10 minutes behind the message in IRC | 23:39 |
JayF | I might propose an update to the VMT process document explicitly calling out certain types of reports as not appropriate for our kind of project | 23:40 |