Thursday, 2022-02-03

« Monday, 2022-01-31 Index Monday, 2022-02-07 »
gagehugo#startmeeting security15:02
opendevmeetMeeting started Thu Feb  3 15:02:19 2022 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.15:02
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:02
opendevmeetThe meeting name has been set to 'security'15:02
gagehugo#link https://etherpad.opendev.org/p/security-agenda agenda15:02
gagehugoo/15:02
fungiohai15:02
fungionce again, i'm triple-booked today15:03
fungihow's things?15:03
fungii saw you got started on the security-specs retirement15:03
gagehugoYeah, doing that in my spare time15:03
gagehugogonna try to get that done this week15:03
fungiexcellent, thanks for working on it15:04
dmendiza[m]🙋15:06
fungiohai dmendiza[m]15:08
fungifrom what i understood from monday's meeting, the image encryption spec-lite in glance is still on track for yoga15:09
dmendiza[m]Hi friends!15:10
gagehugohey15:10
* fungi tries to remember what else security-relevant is going on15:12
gagehugoI believe I don't have any updates15:13
gagehugoJust currently watching it snow here15:13
fungithe thread about log4j vulnerabilities brought up that monasca and cloudkitty often use elasticsearch as a backend15:13
fungiand that kolla-ansible will deploy an elasticsearch container for those or if you ask for centralized logging15:13
fungialso sounds like it deploys apache storm, which was affected as well15:13
fungithere's probably enough material in that thread if someone wants to draft a security note about it, though i don't know that i'll have time to put it together15:14
dmendiza[m]Just a reminder for folks to keep an eye out for Secure RBAC stuff15:15
fungiyes, thank you. that's one of the topics i meant to mention15:19
fungiseems like more projects are getting on the same page since the big tc discussion before the winter holidays15:20
gagehugofungi: So an OSSN for kolla-ansible, monasca, cloudkitty?15:21
gagehugoOSH has an elasticsearch chart as well15:21
fungiyeah, i think it would be an overarching ossn talking about places openstack deployments might include (non=openstack) java-based software affected by the recent log4j vulnerabilities, and reminding operators to make sure they update those things15:23
gagehugomakes sense15:24
fungifor example, someone who deploys kolla-ansible and selects "i want central logging" may not know that's being provided by elasticsearch much less that it's affected15:24
fungiso while openstack isn't developing any software which is affected by those vulnerabilities, some openstack installers do deploy affected software written outside openstack15:25
gagehugogotcha15:29
gagehugoany other updates for this meeting?15:29
fungii can't think of anything else15:29
fungithanks for chairing, gagehugo!15:29
fungii'll keep an eye out for the remaining specs retirement changes15:30
gagehugoHave a good rest of the week everyone!15:30
gagehugo#endmeeting15:30
opendevmeetMeeting ended Thu Feb  3 15:30:41 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:30
opendevmeetMinutes:        https://meetings.opendev.org/meetings/security/2022/security.2022-02-03-15.02.html15:30
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/security/2022/security.2022-02-03-15.02.txt15:30
opendevmeetLog:            https://meetings.opendev.org/meetings/security/2022/security.2022-02-03-15.02.log.html15:30
fungigagehugo: did the removal from sigs-repos get proposed to governance yet?15:30
gagehugonah I need to do that still15:54
« Monday, 2022-01-31 Index Monday, 2022-02-07 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!