JayF | The requirements for being a VMT-managed project suggest you need a security liaison and links here: https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management which contains /many/ emeritus contributors who are no longer active | 15:28 |
JayF | Is there a new way to indicate your security liaison? I thought you only put one in projects.yaml if it was DPL, but IMBW | 15:28 |
JayF | if you can point me in the correct direction I'll update the docs as needed | 15:28 |
fungi | it's not been well formalized. i tend to check governance first and then the wiki page and then fall back on the ptl | 15:30 |
fungi | i would love for it to be better formalized, but how we do that needs some discussion i suppose | 15:30 |
fungi | mostly it doesn't matter since we use the security reviewer groups in defect trackers as the first line of contact on a vulnerability, and only need a liaison as a point of escalation | 15:31 |
fungi | so it rarely comes up, but we do still need it as a fallback | 15:31 |
JayF | you mind if I add a note there to the effect of "by default, the PTL or any members of the project that are also in the VMT are considered security liaison" | 15:32 |
JayF | s/members/cores/ | 15:32 |
JayF | I don't love, tbh, that the wiki lists out of date contacts for security, even if someone almost seems like they'd have to be *intentionally* looking at the wrong thing to get there | 15:33 |
fungi | yes | 15:33 |
fungi | sounds great to me | 15:33 |
JayF | for purposes of checking the boxes for Ironic to be VMT-managed, I'm going to skip this as I think it's obvious for us | 15:33 |
JayF | and I'll update that doc once I get to the end and ensure we're in good shape | 15:33 |
fungi | also, the out of date liaisons are a big part of why i was pushing for dpl liaisons to reaffirm every cycle | 15:34 |
JayF | I was also pushing for that. Well, it wasn't my idea, but when I heard it I <3 it | 15:34 |
fungi | though obviously the dpl liaisons don't cover all of it | 15:34 |
JayF | https://review.opendev.org/c/openstack/ossa/+/928005 is PTL approved now, and over half the active cores were asking about its status this morning, so I think we have consensus | 17:00 |
JayF | I've removed my W-1 and will start adjusting config on the repos now, but IMO that can land now | 17:00 |
JayF | fungi: when you get a chance, can you help show me how to mash buttons to set up LP for VMT stuff? It's not documented in the checklist afaict | 17:01 |
fungi | JayF: i'm not really around today or tomorrow, travelling for family stuff, but could i help walk you through it on monday if that's soon enough? | 21:46 |
JayF | Honestly, I'm not in any kind of hurry to get it done other than clearing it off my todo list | 21:47 |
JayF | we've treated ironic vulns as if they were VMT for a while anyway | 21:47 |
fungi | it involves me figuring out an lp project where i have full owner access to be able to identify the right bits to click on | 21:47 |
JayF | so you take your time and we can look next week (I may not be around Monday; it's my birthday so might try to sneak out) | 21:47 |
fungi | oh! yes you should | 21:47 |
JayF | fungi: I think some of the issue may be "full owner access" not being held by me (or julia when she checked) | 21:47 |
fungi | i expect to be around all next week, so any time is fine | 21:47 |
fungi | and yeah, that's an added complexity, but since i'm (for unrelated reasons) in the openstack-admins team on lp too i may be able to fix that while we're at it | 21:48 |