| *** bauzas8 is now known as bauzas | 00:49 | |
| opendevreview | Jeremy Stanley proposed openstack/ossa master: OSSA-2026-002 / CVE-2026-24708 https://review.opendev.org/c/openstack/ossa/+/977105 | 14:42 |
|---|---|---|
| fungi | rosmaita: tonyb: ^ expedited review/approve requested if either of you is around | 14:42 |
| rosmaita | fungi: ack, in a meeting now, will look at the top of the hour | 14:43 |
| fungi | no worries, i can self-approve once check succeeds, advisory is due out at the top of the hour | 14:44 |
| opendevreview | Merged openstack/ossa master: OSSA-2026-002 / CVE-2026-24708 https://review.opendev.org/c/openstack/ossa/+/977105 | 15:01 |
| fungi | i'm trying to notify mitre about the publication so they can switch the cve detail on, but their webform isn't submitting for me at the moment | 15:11 |
| fungi | tried another browser and it went through | 15:15 |
| *** croeland1 is now known as croelandt | 15:25 | |
| fungi | oops, looks like we might have had a mismatch on cve numbers in one part of ossa-2026-002, i'll work on errata for that | 16:35 |
| opendevreview | Jeremy Stanley proposed openstack/ossa master: OSSA-2026-002 Errata 1 https://review.opendev.org/c/openstack/ossa/+/977142 | 16:47 |
| fungi | rosmaita: ^ looks like it was a typo we missed when reviewing the original draft in the bug attachment | 16:47 |
| rosmaita | oops | 16:48 |
| rosmaita | fungi: LGTM ... not sure there's anyone else around, want me to merge it? | 16:54 |
| fungi | yes please | 16:55 |
| rosmaita | done | 16:55 |
| fungi | i'll get the revised publication circulated once it's up on security.o.o | 16:55 |
| opendevreview | Merged openstack/ossa master: OSSA-2026-002 Errata 1 https://review.opendev.org/c/openstack/ossa/+/977142 | 17:11 |
| fungi | going over https://orcwg.org/files/cra/resources/white-paper-on-open-source-software-stewards-and-cra.pdf i think the only major thing in there we're not doing today is documenting how we collaborate with other open source projects, e.g. notifying upstreams of dependencies when someone misreports a bug to us that really should have gone to them | 18:47 |
| fungi | we have done exactly that a number of times in the past, but never included it in our reporting policy | 18:47 |
| fungi | i'll try to write up something brief about that, to include in our reporting.rst | 18:48 |
| opendevreview | Jeremy Stanley proposed openstack/ossa master: Reporting vulnerabilities in other software https://review.opendev.org/c/openstack/ossa/+/977152 | 19:00 |
| fungi | there we go | 19:00 |