| nick | message | time |
|---|---|---|
| rosmaita | does this meeting still exist? https://meetings.opendev.org/#OpenStack_Security_SIG_meeting | 15:20 |
| rbachman[m] | +1 | 15:26 |
| JayF | The meeting chairs listed there haven't been active upstream in a while. | 15:33 |
| JayF | I would take that as an implication if we want meetings, we probably need to make something greenfield | 15:33 |
| fungi | yes, i was waffling on removing the meeting, but left it there in case anyone wanted to meet sometime | 16:11 |
| fungi | for a long time i ran the meeting where it was just me talking to myself, so eventually gave up | 16:12 |
| fungi | JayF: the meeting chair listed there is me, you're probably thinking of the wiki page | 16:12 |
| rbachman[m] | :( | 16:12 |
| fungi | or maybe you meant me ;) no offense taken if so | 16:12 |
| JayF | *blink* | 16:13 |
| rbachman[m] | Well in that case hello, I just thought I'd say hi here as well | 16:13 |
| JayF | I must have been scrolled to the wrong meeting | 16:13 |
| JayF | because I saw Stig and two people I didn't know listed lol | 16:13 |
| JayF | Would not have said that about you at all :D | 16:13 |
| fungi | welcome rbachman[m]! sorry i haven't replied to e-mail yet, it's been a... week | 16:13 |
| JayF | I don't mind a meeting if we have enough people for it to matter | 16:13 |
| JayF | rbachman[m]: I'll also note: VMT and Security SIG are separate beasts | 16:14 |
| fungi | the vmt is supported by the security sig, in theory. in reality it's just been the vmt members for a long time though because what we do is strictly necessary whereas the rest of what the security sig did was more optional activities within the community (still necessary in my opinion, but left unattended due to lack of broader community interest) | 16:15 |
| rbachman[m] | No problem at all re. reply time. I'm in no rush. | 16:16 |
| rbachman[m] | Yes, but the security channel was the closest relevant one I could find here. :) | 16:16 |
| fungi | this #openstack-security irc channel and (rare) posts to the openstack-discuss mailing list with [security-sig] in the title are the extent of the security sig's existence at the moment, if you don't count occasionally reviewing boilerplate adjustments to the extremely outdated openstack security guide | 16:20 |
| fungi | and vmt work by the vmt members of course | 16:20 |
| fungi | though per https://governance.openstack.org/sigs/ i finally have a co-chair as of last week! and hopefully successor, since i've really not been doing anything to chair the sig ever since i inherited it from gagehugo when he left the project | 16:22 |
| rbachman[m] | Ok good to know I didn't miss any other chat rooms then. So yeah, no rush with the email. Once I understand the VMT work a bit better, especially how much time is involved, I can ask my bossman to see how it can be integrated with my work hours. So no big promises until then. But very interested nonetheless | 16:26 |
| JayF | co-chair is me | 16:31 |
| JayF | I don't know what shape a security sig should have in the level of interest it's at in OpenStack right now | 16:32 |
| JayF | but I want it to have a shape | 16:32 |
| rosmaita | i agree | 16:54 |
| fungi | rbachman[m]: for vmt work, a big help would be looking through https://bugs.launchpad.net/ossa and helping determine if the public ones that aren't in a closed state can be progressed in some way | 17:39 |
| fungi | the oldest one in that list was opened over 3 years ago | 17:40 |
| fungi | but switched to a security bug only a few months back, looks like | 17:41 |
| JayF | https://www.youtube.com/watch?v=EB6XYo8iduI is live about OSSA-2025-002 -- there's no new information here but feel free to link it to folks who want a high level overview. | 18:10 |
| fungi | there's definitely a growing segment of the community who internalize information better if it comes in the form of a video clip instead of plain text | 18:11 |
| JayF | I'm about to do an Ironic PTG summary video as well, now that we've published the text version. | 18:11 |
| fungi | thanks for going to the effort of recording and publishing that! | 18:11 |
| JayF | 301 redirect -> GR-OSS | 18:12 |
| fungi | heh | 18:12 |
| JayF | they keep paying me to do fun content creation work alongside OSS, I'll keep being happy :D | 18:12 |
| fungi | thanks people-who-pay-JayF-to-do-things! | 18:12 |
| JayF | The other day, we posted a short clip from the interview on the podcast with me/you/clark and it is in our top 5 for views | 18:13 |
| JayF | so the algorithm loves you :P lol | 18:13 |
| fungi | that's reassuring, since i always hate my performance on any recording i'm brave enough to watch afterward | 18:21 |
| rbachman[m] | fungi: Neat, I'll see what I can do re. the public ones | 21:50 |
| fungi | those are also, thankfully, the bulk of our vulnerability reports. we try not to let any stay private unless they're really sensitive, immediately solvable, and actively being worked on by openstack maintainers | 21:51 |
| fungi | one of the best things we did was to implement a 90-day limit on embargoed reports, which solved the problem of bugs getting opened and then sitting in perpetual private state waiting for maintainers to follow up on them | 21:54 |
| fungi | i think one of the bugs i switched to public after that went into effect had been sitting there untouched for 7 years at that point | 21:55 |
| fungi | and of course once they were public we basically closed our advisory tasks on the bugs that nobody was prioritizing work on, so now the oldest public bugs with unresolved advisory tasks are at worst a few years old, but we're really behind on checking to see whether there's any point in pushing for an advisory on most of them even once they're fixed (if ever) | 21:57 |