gouthamr | tc-members: gentle reminder that we're meeting via Zoom today, and taking notes in this channel: https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Agenda | 17:03 |
---|---|---|
gouthamr | in ~57 minutes | 17:03 |
bauzas | oh, zoom | 17:03 |
bauzas | okay, fair enough | 17:03 |
* | bauzas starts preparing the dinner now then :) | 17:03 |
gouthamr | :) | 17:06 |
cardoe | Apologies I’m on PTO and don’t have a computer to Zoom with today. | 17:09 |
gouthamr | cardoe: ack np; thanks for letting us know.. | 17:10 |
fungi | tc meeting is going to be my 4th straight hour on a headset, so no guarantees my battery will hold out | 17:18 |
fungi | #brutalmeetingtuesdays | 17:18 |
spotz[m] | bauzas: you can camera off and eat, I do a good portion of my meetings like that cause back to back to back | 17:32 |
fungi | i don't even bother to plug in a camera | 17:39 |
noonedeadpunk | I always have a problem of finding the link :D | 17:59 |
fungi | in the wiki above the agenda items | 17:59 |
gouthamr | #startmeeting tc | 18:00 |
opendevmeet | Meeting started Tue Oct 1 18:00:32 2024 UTC and is due to finish in 60 minutes. The chair is gouthamr. Information about MeetBot at http://wiki.debian.org/MeetBot. | 18:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 18:00 |
opendevmeet | The meeting name has been set to 'tc' | 18:00 |
spotz[m] | link link link!!!:) | 18:00 |
noonedeadpunk | #link https://us06web.zoom.us/j/87108541765?pwd=emlXVXg4QUxrUTlLNDZ2TTllWUM3Zz09 | 18:01 |
gouthamr | #info Today's meeting is being held primarily via video call. Action items and meeting minutes will be documented in IRC but for a full replay of the meeting, please visit the OpenStack TC youtube channel, where the recording will be uploaded soon. | 18:01 |
gouthamr | #link https://www.youtube.com/channel/UCBuGwBXOmWHydSE09RM84wQ | 18:01 |
gouthamr | Welcome to the weekly meeting of the OpenStack Technical Committee. A reminder that this meeting is held under the OpenInfra Code of Conduct available at https://openinfra.dev/legal/code-of-conduct. | 18:01 |
gouthamr | Today's meeting agenda can be found at https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee | 18:01 |
gouthamr | #topic Roll Call | 18:01 |
gmann | o/ | 18:01 |
noonedeadpunk | o/ | 18:01 |
bauzas | \o | 18:02 |
gtema | o/ | 18:02 |
JayF | o/ | 18:02 |
gouthamr | noted absence: f r i c k l e r, c a r d o e | 18:04 |
spotz[m] | o/ | 18:04 |
gouthamr | courtesy ping: slaweq | 18:04 |
slaweq | gouthamr: sorry but I don't feel well today and will not be at the meeting | 18:05 |
slaweq | I added my absence in the wiki page | 18:05 |
spotz[m] | Feel better! | 18:05 |
slaweq | Thx | 18:06 |
gouthamr | ah sorry about that; i reloaded the page now slaweq | 18:06 |
gouthamr | hope you feel better soon | 18:06 |
gouthamr | #topic Last Week's AIs | 18:06 |
gouthamr | Start ML discussion about Watcher’s leaderless situation (gouthamr) | 18:06 |
gouthamr | #link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/3DRYZFDPVCZ45TOULOZ4R7K6BUOIHLU2/ ([tc][watcher] No leaders for project team, heading to retirement) | 18:06 |
gouthamr | i was proposing waiting for a week before beginning the process to retire the project | 18:08 |
gouthamr | we need some more push this week | 18:09 |
gouthamr | bauzas: you could type out what you were trying to say | 18:10 |
bauzas | meh | 18:10 |
bauzas | I was saying that maybe we should use the DPL support for this cycle | 18:11 |
gmann | ++ | 18:11 |
gouthamr | #action gouthamr will respond to the mail thread and ask for an update this week | 18:11 |
gouthamr | noted bauzas | 18:11 |
gouthamr | moving on to the next AI: | 18:11 |
gouthamr | Propose marking Kuryr-related projects inactive (gmann) | 18:11 |
gouthamr | #link https://review.opendev.org/c/openstack/governance/+/929698 (Mark kuryr-kubernetes and kuryr-tempest-plugin Inactive) | 18:12 |
gouthamr | ^ we had to stop the release for these projects in 2024.2 | 18:13 |
gouthamr | gmann says we should have marked these projects inactive while we were figuring out retirement; we're backfilling this patch so our stance is clear | 18:14 |
gouthamr | please review this patch so we can merge this week ^ | 18:14 |
gouthamr | next AI: | 18:14 |
gouthamr | Coordinate a cross-project session at PTG to discuss translating documentation and improving accessibility for non-English-speaking users (gouthamr) | 18:14 |
gouthamr | #link https://etherpad.opendev.org/p/oct2024-ptg-os-tc (OpenStack TC PTG Planning Etherpad) | 18:15 |
gouthamr | seongsoo will be leading a TC PTG discussion | 18:16 |
gouthamr | gouthamr will be sharing a finer schedule this week | 18:16 |
gouthamr | noonedeadpunk says there's confusion about the state of translations right now; there was someone that added horizon translations months ago; however, it wasn't proposed by the tooling | 18:17 |
gouthamr | next AI: Monitor Zun and Kuryr release issues | 18:19 |
gouthamr | kudos to noonedeadpunk for helping Zun fix their CI | 18:19 |
gouthamr | #link https://review.opendev.org/c/openstack/releases/+/930554 (Do not release Kuryr in Dalmatian) | 18:20 |
gouthamr | the release team seems to be geared to have a smooth release tomorrow: | 18:21 |
gouthamr | #link https://review.opendev.org/c/openstack/releases/+/930752 (2024.2 Dalmatian final releases for cycle-with-rc projects) | 18:21 |
gouthamr | #topic Meeting time | 18:22 |
gouthamr | #link https://framadate.org/openstacktc-25-1 (OpenStack TC Weekly Meeting times poll) | 18:23 |
gouthamr | ^ there were three contenders for the meeting time | 18:23 |
gouthamr | but for any of those slots, only 6 of us could actually make it | 18:23 |
gouthamr | three others were "Maybe" for this slot: 1800 UTC on Tuesdays | 18:23 |
gouthamr | the two other slots had at least one of us respond with a hard No | 18:24 |
spotz[m] | Maybe we wait and ask again later when Slaweq is here? | 18:24 |
gouthamr | oh, why? | 18:24 |
gouthamr | he could be busy between 1700 and 1900 UTC on Thursdays | 18:25 |
gouthamr | we've had a week to look at these results; and they've been visible to everyone :) | 18:26 |
gouthamr | #agreed we keep the existing meeting time | 18:26 |
gouthamr | #topic TC Election Liaison | 18:27 |
spotz[m] | Needs to be someone from this cycle or not re-running | 18:28 |
gouthamr | yes | 18:29 |
gouthamr | we have four TC members who aren't up for election | 18:29 |
bauzas | I can help to be the TC liaison if needed | 18:29 |
gouthamr | thank you bauzas | 18:30 |
gouthamr | #topic A check on gate health | 18:31 |
gouthamr | #link https://bugs.launchpad.net/devstack/+bug/2082617 | 18:31 |
gouthamr | devstack ceph jobs are affected by this bug a lot these days | 18:31 |
gouthamr | still don't know the root cause here ^ | 18:31 |
fungi | ironic noticed keystone has started breaking on postgresql: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/MVHR5WZFEDOZA4ESBN5764EVP67GKOS5/ | 18:33 |
fungi | #link ironic noticed keystone has started breaking on postgresql: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/MVHR5WZFEDOZA4ESBN5764EVP67GKOS5/ | 18:33 |
fungi | sorry, forgot to link it the first time | 18:33 |
gouthamr | thanks fungi | 18:33 |
gmann | gouthamr: can you hear us? | 18:34 |
gouthamr | gmann: nope | 18:34 |
gmann | we can hear you | 18:34 |
gouthamr | i thought i was talking to myself | 18:34 |
* | gouthamr fixes the broken sound | 18:36 |
gmann | #link https://review.opendev.org/c/openstack/grenade/+/930507 | 18:36 |
gmann | #link https://bugs.launchpad.net/python-openstackclient/+bug/2080600 | 18:37 |
gouthamr | ^ this fix has merged in master; new OSC release is necessary along with an upper-constraint bump | 18:38 |
gouthamr | we're going to do this after the coordinated 2024.2 release tomorrow | 18:39 |
gouthamr | the UC update patch will execute -cross jobs to test if projects are okay with the OSC changes coming with the bump | 18:39 |
gouthamr | TheJulia's post to the ML regarding keystone's breakage on postgres isn't a LP bug yet (please correct me if one was reported) | 18:40 |
JayF | It's not a bug as nobody officially supports postgres anymore aiui | 18:41 |
JayF | at least, I wouldn't personally file it as a bug | 18:41 |
gouthamr | noonedeadpunk spotted nodepool's responsiveness has increased | 18:41 |
JayF | the job was intended (from an Ironic POV) to be a canary so we could tell operators when things broke | 18:41 |
spotz[m] | Maybe a won't fix and explanation? | 18:42 |
fungi | noonedeadpunk: yes, rackspace's new "flex" environment is more than twice as fast on half the number of vcpus | 18:42 |
fungi | for many of our jobs anyway | 18:42 |
gouthamr | fungi: very nice | 18:42 |
JayF | There seems to be no interest in the Ironic community in doing any effort on these jobs other than removing them, unless someone asks for it :) | 18:42 |
fungi | longer term we hope to slowly swap out classic rackspace nodes for flex, as they bring more regions online | 18:42 |
gouthamr | JayF: manila folks maintain postgres jobs too; because some large deployments use it | 18:42 |
gouthamr | they're non-voting for the reason you mentioned | 18:43 |
JayF | I invite them to help reintroduce official postgres support into openstack; until then it's not really a priority IMO | 18:43 |
gouthamr | +1 | 18:43 |
gouthamr | anything else for $topic? | 18:43 |
gouthamr | #topic TC Tracker | 18:43 |
noonedeadpunk | fungi: frankly - I was o_O on tests time and was thinking for real that we broke smth to a point that smth is simply not executed | 18:43 |
gouthamr | #link https://etherpad.opendev.org/p/tc-2024.2-tracker (Technical Committee activity tracker - 2024.2) | 18:43 |
gouthamr | #link https://etherpad.opendev.org/p/tc-2025.1-tracker (Technical Committee activity tracker - 2025.1) | 18:44 |
gouthamr | ^ you'll notice goal tracking as well here; just something we can try for this release | 18:45 |
gouthamr | we've been pretty good with these trackers | 18:46 |
gouthamr | please pull in anything you were finishing up for 2024.2 into the 2025.1 etherpad | 18:47 |
gouthamr | let's switch to Open Discussion | 18:47 |
gouthamr | #topic Open Discussion | 18:47 |
gmann | ++ good tracking too gouthamr | 18:47 |
noonedeadpunk | #link https://review.opendev.org/c/openstack/governance/+/927962 | 18:47 |
gouthamr | ^ we're asking some questions on this change; alongside the swift PTL appointment change | 18:49 |
bauzas | (sorry folks, trying to fix my pipewire issue on my F40 laptop) | 18:49 |
gouthamr | hoping we can get axel and timburke responding here | 18:49 |
* | bauzas gets hit by https://bugzilla.redhat.com/show_bug.cgi?id=2232584 | 18:49 |
gouthamr | #link https://review.opendev.org/c/openstack/governance/+/928881 (Appoint Tim Burke as PTL for Swift) | 18:50 |
gouthamr | gmann notes that folks must be more responsive on these governance changes to prove to the TC that they're responsible and willing to engage with the TC | 18:51 |
gouthamr | bauzas is asking about PTG planning | 18:53 |
gouthamr | he suggests asking for who's interested in these topics to help with the scheduling | 18:55 |
gouthamr | (and noting their timezones) | 18:55 |
fungi | the oceanbase topic is proposed by people in apac timezones, i think | 18:55 |
spotz[m] | And I think I grabbed first slot on Monday for D&I | 18:59 |
gouthamr | +1 on both points | 18:59 |
gouthamr | #action gouthamr will share this etherpad on the ML asking interested folks to vote (with their nicks) on the topics | 19:00 |
fungi | we could maybe move (some of?) the inclusive terminology discussion into the d&i wg slot | 19:00 |
gmann | or its good topic for TC+leader interaction sessions | 19:01 |
gouthamr | fungi: agreed | 19:01 |
gouthamr | gmann: yes; we can re-hash that discussion in a time boxed manner if it happens after the D&I discussion | 19:01 |
bauzas | I guess we need to end the meeting here ? :) | 19:04 |
gmann | yeah | 19:04 |
bauzas | #endmeeting | 19:05 |
opendevmeet | Meeting ended Tue Oct 1 19:05:22 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 19:05 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/tc/2024/tc.2024-10-01-18.00.html | 19:05 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/tc/2024/tc.2024-10-01-18.00.txt | 19:05 |
opendevmeet | Log: https://meetings.opendev.org/meetings/tc/2024/tc.2024-10-01-18.00.log.html | 19:05 |
bauzas | hehe, I don't need to be a chair :) | 19:05 |
bauzas | (I remember that, we did that | 19:05 |
gmann | ++ | 19:06 |
bauzas | if people want to hear what I get as audio sometimes https://discussion.fedoraproject.org/t/garbled-audio/87470 | 19:06 |
bauzas | pipewire-- | 19:06 |
bauzas | sorry for not having able to join the meeting most of the time :( | 19:06 |
fungi | yeah, if the meeting has been running for at least an hour, anyone can end it | 19:14 |
JayF | tc-members: vmt just opened https://bugs.launchpad.net/keystone/+bug/2069063 up to the public as it passed the embargo deadline; ignored security issues is a sign of project inactivity and this is extremely concerning for an authz-related project | 19:20 |
dansmith | not just auth-related but core and central to most of the other projects' existence :/ | 19:21 |
JayF | tc-members: I've informed #openstack-keystone as well, but if anyone has time/knowledge about keystone, is a core or knows a core, we need more engagement on security issues for that project | 19:21 |
gouthamr | bauzas++ thank you | 19:21 |
fungi | yes, i know the keystone team is stretched, but their security reviewers don't seem to be able to find time to look at reports of potential vulnerabilities | 19:21 |
fungi | so that would be a great area for interested folks to pitch in | 19:21 |
JayF | keystone team, as dansmith points out, might as well be everyone if it's nobody because if it's neglected it hits us all | 19:21 |
JayF | not the sorta thing that can go inactive without taking the whole project with it :/ | 19:22 |
fungi | note we're not trying to shame the current volunteers, keystone is simply the epitome of the tragedy of the commons | 19:23 |
gouthamr | https://launchpad.net/~keystone-coresec/+members#active | 19:23 |
JayF | my concern is more along the lines of $panic than trying to point at anyone/anything in particular | 19:23 |
fungi | also serves as a reminder for teams to refresh their security review teams | 19:24 |
gouthamr | fungi: i agree; but, this list is outdated wrt keystone maintainers i think | 19:24 |
fungi | right, not keeping it up to date is another sign of a project that can't find enough volunteers for basic upkeep | 19:24 |
bauzas | that's something doable : ask the teams to review their coresec subteam | 19:26 |
JayF | I'll send an email along those lines today | 19:26 |
bauzas | we did that for the pypi maintainers recently | 19:26 |
JayF | as long as fungi or other vmt members don't object :) | 19:26 |
fungi | thanks JayF! | 19:26 |
TheJulia | Yeah, definitely need to review their members since several of those keystone-coresec members have since moved on | 19:27 |
fungi | no objection. i tried to send reminders to the ml off and on about it, but it's been a while. i had hoped ptls worked it into their transition procedures | 19:27 |
bauzas | also, asking 3 existing maintainers to be in the coresec team seems a quite difficult level to ask, but that's reality | 19:27 |
TheJulia | Reality is, critical components likely need *4* | 19:27 |
TheJulia | err, *5* | 19:27 |
bauzas | if you can't at least have 2 people in the coresec team, then you're fragile | 19:27 |
fungi | it can just be their core review team if that's all the people they have | 19:27 |
bauzas | TheJulia: I don't disagree for large security bugs (but we never had any of them impacting 3 projects like Nova, Cinder and Glance, right ? ^_^= | 19:28 |
bauzas | ) | 19:28 |
TheJulia | fungi: indeed | 19:28 |
TheJulia | ... and Ironic | 19:29 |
bauzas | fungi: I'm not exactly fan of opening embargoed bugs to the whole core team | 19:29 |
fungi | bauzas: if the whole core team is 3 people though? | 19:29 |
fungi | that was my point | 19:29 |
bauzas | heh | 19:29 |
bauzas | tbh, that's where the bond trust is difficult to make | 19:30 |
bauzas | you can trust someone for being able to review a critical patch on a non-affiliated manner | 19:30 |
bauzas | but sometimes you don't trust that person for keeping secrets | 19:30 |
TheJulia | And also, it is always possible to find more issues which begins to erode a small team's capacity when one issue is being worked. Basically need spill-over coverage capacity. | 19:31 |
bauzas | that's two different (and possibly not adjacent) groups of people | 19:31 |
gouthamr | in many cases our coresec teams don't have the project PTL in them :( | 19:31 |
bauzas | which is understandable | 19:32 |
bauzas | I always considered the "P" in PTL standing for Paperwork | 19:32 |
gmann | i think existing cores (active cores) are also sharing their bandwidth with other things, which makes keystone changes take so much time to merge. we have experienced this in the RBAC cases. | 19:33 |
fungi | the ptl doesn't have to be a security reviewer, but it's up to them to keep the roster of security reviewers up to date | 19:33 |
fungi | similar to keeping the roster of core reviewers up to date | 19:34 |
gmann | IMO, 2 people should be ok to keep things active but things really matter is how much bandwidth they have for upstream activity | 19:34 |
JayF | bauzas: in some communities (e.g. CNCF) they do have split core teams (e.g. reviewers vs approvers or some similar split of "kinda trusted" v "fully trusted"). I think it'd be interesting to see this applied to OpenStack -- it might enable us to have trusted-people with more access (reviewers) without having to open them up to full access (approvers). For this kinda split, we could use approvers group as the coresec group. | 19:34 |
JayF | because generally this all works back to "we are too siloed to succeed without more people" | 19:34 |
JayF | and unless you have more open job reqs than I do I don't think we're going to solve the problem without unsiloing some | 19:35 |
gouthamr | we do have that split: project-core, project-stable-maint, project-coresec | 19:35 |
JayF | (I know this probably is dripping with hypocrisy as Ironic has been more of a lone wolf team, but I think that makes us uniquely qualified to know how much that's painful) | 19:35 |
JayF | gouthamr: on some teams, they have stable-maint members that aren't even regular cores; and -coresec is a launchpad concept unrelated to code review | 19:36 |
JayF | gouthamr: so I think you're right that vibe-wise we follow that pattern in some places, but I think it'd be smart of us to evaluate following it more closely throughout the stack | 19:37 |
gouthamr | yes; and making it one of the early PTL tasks; so you're PTL now (or again), please ensure this item is top on your checklist | 19:38 |
gouthamr | https://docs.openstack.org/project-team-guide/ptl.html#at-the-beginning-of-a-new-cycle | 19:39 |
gouthamr | these lists are woefully out of date: https://wiki.openstack.org/wiki/CrossProjectLiaisons (you wouldn't know looking at all the thankless work that happens from our PTLs and project maintainers despite the lack of this) | 19:41 |
fungi | yeah, the vmt mainly consults that list as a fallback, in combination with the dpl liaisons and ptl in governance | 19:41 |
JayF | Well, the wiki is pretty miserable in terms of being up to date for most projects in general | 19:42 |
fungi | in keystone's case, the ptl has also volunteered to participate in the vmt and so has visibility into all private security bugs, not just keystone's | 19:42 |
fungi | but if they don't have time for those tasks, it doesn't help much | 19:42 |
gouthamr | ah | 19:43 |
fungi | again, not trying to call anyone out, this is a collective problem | 19:43 |
fungi | https://launchpad.net/~openstack-vuln-mgmt | 19:44 |
JayF | yeah I mean, Ironic didn't even officially get VMT managed until a couple weeks ago | 19:44 |
JayF | after I intended to get it done during my run as PTL | 19:44 |
fungi | congratulations though! | 19:44 |
JayF | just difficult to keep all the plates spinning | 19:45 |
gouthamr | which, is still lightyears ahead of Manila - i've only been thinking about it and not acting | 19:45 |
gouthamr | thanks for working on (and sharing) Ironic's VMT transition JayF | 19:45 |
JayF | gouthamr: if you wanna schedule some time, happy to work through it with you | 19:45 |
gouthamr | YES | 19:45 |
JayF | gouthamr: jay@gr-oss.io, just send a meeting invite sometime between 7am-4pm and you'll probably get lucky enough to hit an open spot :D | 19:45 |
gouthamr | haha thanks :) | 19:46 |
JayF | fungi: I wonder if we should have a x-project VMT session to evangelize the VMT | 19:46 |
gouthamr | ^ yes | 19:46 |
JayF | although I guess if people know enough to join the session, they know enough to just have a conversation :) | 19:46 |
fungi | JayF: in the past we've called that the security sig session at the ptg, because basically only vmt members have shown up to those since years | 19:49 |
JayF | makes sense | 19:49 |
JayF | that's basically the relationship of ironic to the BM SIG | 19:49 |
JayF | BM SIG is just different marketing for our operator meetups so we don't scare away metal3 users :P | 19:49 |
fungi | i'm happy to re-title the ptg track in the future if it will draw more interest | 19:50 |
JayF | I don't know if it will, but I appreciate the reminder to make sure I show up to the security sig :D | 19:51 |
fungi | but basically, if anyone wants to discuss openstack vulnerability management, the security sig is the vehicle for those discussions | 19:51 |
gouthamr | ^ maybe bring this up during the TC/project leaders discussion | 19:51 |
gouthamr | i'll be sure to schedule that on Monday | 19:51 |
fungi | i need to book a timeslot or two for it still, but i try to avoid colliding with other teams and that gets... challenging | 19:51 |
gouthamr | true :( i wish we could have cross project discussions on a different week :D | 19:52 |
gmann | ++ for TC leaders discussion. | 19:52 |
spotz[m] | Why can't you? No one is stopping you:) | 19:52 |
gouthamr | ^ true, isn't it | 19:53 |
JayF | Honestly even if you look at VMT over the last year, we're getting better. Trajectory improving. | 19:53 |
JayF | It went from basically just fungi to me, fungi, rosmaita (and a couple others?, but tbh we are the most active 3 right now) | 19:54 |
fungi | it's far less of just me occasionally getting other people to weigh in with an opinion on something occasionally, yep. refreshing! | 19:54 |
JayF | and I think overall the project did a good job of navigating the security minefield qemu chucked at us this year :) | 19:54 |
fungi | ...so far | 19:54 |
fungi | the year's not over yet! | 19:55 |
JayF | don't say things like that! karma is listening... | 19:55 |
* | fungi is a "glass half full of karma" kind of person | 19:55 |
JayF | I'm a "I hope the glass doesn't shatter in my hand" kind of person | 19:56 |
JayF | we probably need to audit https://security.openstack.org/repos-overseen.html#repositories-overseen even for projects in the VMT | 19:56 |
JayF | e.g. nova is clearly VMT, but placement isn't listed there | 19:57 |
JayF | likely just a bitrot thing and not anything policy-impacting | 19:57 |
fungi | yes, unless the tc decides to pull the trigger on all official openstack repos being vulnerability managed (which i wouldn't object to, but then there are a lot of other changes the teams need to make, particularly to their bug trackers) | 19:58 |
fungi | in my opinion the best possible outcome would be that the list of overseen repos becomes a link to the list of official openstack deliverable repos | 19:58 |
JayF | My only concern about that is in the inactive project case | 19:59 |
JayF | that this might be just turn into another monitoring system for project activity | 19:59 |
fungi | yes, we'd of course come up with some additional mitigating policies | 19:59 |
JayF | if I were to propose this, I'd probably put something like | 19:59 |
JayF | after 30 days if $project-coresec hasn't responded, TC is given access to the bug | 19:59 |
JayF | or something similar | 19:59 |
fungi | but i don't like tracking half-synced lists of repositories in different places any more than the next person | 20:00 |
JayF | so that VMT is not "the buck stops here" for those technical problems | 20:00 |
JayF | and we have a catch before something goes private->public | 20:00 |
fungi | sure, i could get behind that | 20:00 |
JayF | gouthamr: would you be in support of a resolution to: 1) say all official openstack deliverables on a cycle-* release cadence are VMT managed & 2) TC becomes the final escalation point in case of any project covered by #1 where there is no response from security team before $deadline | 20:01 |
JayF | fungi: ^ note the "cycle-*" delineation | 20:01 |
JayF | there are lots of "official openstack" projects that don't make sense to VMT; e.g. sushy-tools, virtualbmc, virtualpdu, other things that are official projects but not supported for production | 20:01 |
JayF | and usually cycle-with-x release cadences is a good signal of that | 20:02 |
cardoe | Apologies for not being around earlier was with my kids (I’m on PTO). Something we need to encourage is more involvement from contributors. That’s how we’ll get more reviews. It won’t happen overnight. We need to “teach, not preach” for contributors. | 20:02 |
JayF | cardoe: you should apologize for IRC'ing during PTO. Go be with your kids, we'll take care of your adopted-tech-children in the meantime ;) | 20:03 |
cardoe | We need to be encouraging projects all over the board to welcome contributors. | 20:03 |
fungi | right, effectively we can come up with a dynamic filter for what repos make no sense for vmt oversight, but the current opt-in list (which was a continuation of the earlier governance tag) doesn't scale well once we start covering a larger amount of the project list | 20:03 |
fungi | because it's guaranteed to get out of sync | 20:04 |
cardoe | My fear is the xz issue if we get too thin on reviewers. So in addition to adding more security reviewers I’d like to see us encourage more to use their +1 on regular reviews. | 20:06 |
JayF | cardoe: I think we've already improved somewhat by raising scrutiny levels on randomly appearing contributors ... the interesting thing is, this kinda behavior would be an enhancement, not an impediment, to new folks, as it would (theoretically) come with mentorship/auditing | 20:10 |
fungi | cardoe: as for improving the contributor experience, if you missed it, you may want to weigh in on https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/GTPTFUPXXBDMWNQZGZDLM2IIX4FSTT5Y/ and if you're going to be in indianapolis for oid-na stop by our forum session on the topic. also we've proposed to discuss it with the tc during the ptg | 20:12 |
TheJulia | cardoe: family > work-family > work.... Go enjoy your PTO :) | 20:12 |
cardoe | I’m going back to the water. Been called! | 20:12 |
TheJulia | Enjoy! | 20:12 |
fungi | enjoy! | 20:12 |
spotz[m] | While I'm thinking about it, any tc-members I haven't already emailed plan on being at OpenInfra Days NA? | 20:13 |
* | gouthamr had stepped away | 21:36 |
gouthamr | JayF: ack; let's talk about this.. i think that'd be a good move.. but, we'd need to make sure PTLs/DPLs are aware and revisit their security liaisons and in parallel we will need more folks to staff the VMT | 21:37 |
fungi | if people were more active in the per-project security review teams, that would also take some of the burden off the vmt though. a lot of our time is spent chasing people to get them to look at reports | 21:42 |
gouthamr | ack; i know that can be frustrating.. do you resort to emailing them? | 21:49 |
JayF | we also just recently went from 1 active -> 3 active VMT members | 21:50 |
JayF | so that in itself is already a significant scale-up | 21:50 |
gouthamr | nice! great to see that https://security.openstack.org/vmt.html | 21:51 |
fungi | though in keeping with the discussion about making sure lists of active people are up to date, we do need to reach out to several vmt volunteers who apparently didn't have the time they thought they did to assist in our usual tasks | 21:53 |