*** blarnath is now known as d34dh0r53 | 12:08 | |
fungi | meeting in here, starting 10 minutes from now | 14:50 |
fungi | i didn't get a chance to put together an agenda and circulate it ahead of time, but i'm whipping one up now at https://etherpad.opendev.org/p/security-agenda | 14:50 |
fungi | #startmeeting security | 15:01 |
opendevmeet | Meeting started Thu Feb 2 15:01:19 2023 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'security' | 15:01 |
fungi | #link Agenda is at https://etherpad.opendev.org/p/security-agenda | 15:01 |
fungi | #topic Picking a new meeting schedule | 15:01 |
fungi | i set up a couple of polls and sent a message to the mailing list about this last week | 15:02 |
fungi | #link Polls to work out a new meeting schedule https://lists.openstack.org/pipermail/openstack-discuss/2023-January/031908.html | 15:02 |
fungi | the first poll is to try to figure out if people prefer a change in meeting frequency | 15:03 |
fungi | the second is to get a feel for what days of the week are generally better for people than others | 15:03 |
fungi | once i've got some data for those questions, i'll create another poll with more specific times to select from | 15:04 |
fungi | the first two polls close a week from today (2023-02-09) | 15:04 |
fungi | anybody have any questions? | 15:05 |
fungi | if not i'll move on to the next topic on the agenda | 15:05 |
fungi | #topic Virtual PTG | 15:06 |
fungi | i'll send a message to the mailing list about this after the meeting, but just wanted to give anyone interested a heads up that i signed the security sig up for the virtual openinfra ptg in march | 15:07 |
fungi | #link Virtual PTG March 27-31 https://openinfra.dev/ptg | 15:07 |
fungi | please remember to register if you plan to participate in the ptg | 15:07 |
fungi | we can brainstorm discussion topics in an etherpad and then use that same pad to take notes during our discussions | 15:08 |
fungi | #link Brainstorming topics https://etherpad.opendev.org/p/mar2023-ptg-openstack-security | 15:09 |
fungi | anybody have any questions related to the ptg? | 15:09 |
fungi | #topic Recent OSSAs | 15:10 |
fungi | as most of you are no doubt aware, the vmt published two ossas earlier this month | 15:10 |
fungi | #link Arbitrary file access through custom S3 XML entities https://security.openstack.org/ossa/OSSA-2023-001.html | 15:11 |
fungi | #link Arbitrary file access through custom VMDK flat descriptor https://security.openstack.org/ossa/OSSA-2023-002.html | 15:11 |
fungi | given these were higher-severity bugs which got fixes developed under our embargoed report process, and the first advisories we've published since 2021-09-09, it seems to have generated renewed interest in our processes | 15:13 |
fungi | i've been contacted by a bunch of organizations requesting addition to our advance notification list, which is great | 15:14 |
fungi | just a reminder, if you've got a reason to need advance copies of embargoed patches, please reach out | 15:15 |
fungi | #link Downstream stakeholders https://security.openstack.org/vmt-process.html#downstream-stakeholders | 15:15 |
fungi | does anyone have any questions or comments about the recent advisories? | 15:15 |
fungi | or regarding our vulnerability management process more generally? | 15:16 |
fungi | #topic Newly public bug reports | 15:18 |
fungi | after feedback from horizon security reviewers, i switched this one to public and marked it as a duplicate | 15:19 |
fungi | #link CVE-2019-10768 in Angular libs < 1.7.9 https://launchpad.net/bugs/1997545 duplicate of https://launchpad.net/bugs/1955556 | 15:20 |
fungi | that's the omnibus report about outdated js libs | 15:21 |
fungi | anybody have anything to add on that? or about other public bugs? | 15:21 |
fungi | #topic Anything else? | 15:22 |
fungi | i'll leave discussion open for the next 7 minutes in case anyone has something to bring up | 15:23 |
fungi | i'm still planning to push readme updates to horizon's xstatic packages warning users and package maintainers about the state of their embedded javascript and discouraging use directly in production | 15:24 |
fungi | #info Please remember to fill out the surveys in the ML post linked earlier so we can find a better time when people will be able to participate | 15:29 |
fungi | #endmeeting | 15:30 |
opendevmeet | Meeting ended Thu Feb 2 15:30:01 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:30 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/security/2023/security.2023-02-02-15.01.html | 15:30 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/security/2023/security.2023-02-02-15.01.txt | 15:30 |
opendevmeet | Log: https://meetings.opendev.org/meetings/security/2023/security.2023-02-02-15.01.log.html | 15:30 |