13:00:56 <dmendiza[m]> #startmeeting barbican
13:00:56 <opendevmeet> Meeting started Tue Oct  4 13:00:56 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:56 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:56 <opendevmeet> The meeting name has been set to 'barbican'
13:01:05 <dmendiza[m]> #topic Roll Call
13:01:11 <dmendiza[m]> Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage Luzi lxkong mhen rm_work tosky xek nearyo oleksandry
13:01:21 <xek> o/
13:01:29 <Luzi> o/
13:01:38 <tosky> o/
13:01:55 <dmendiza[m]> Hi y'all!
13:02:03 <dmendiza[m]> OK, let's get started
13:02:16 <dmendiza[m]> #topic Review Past Meeting Action Items
13:02:45 <dmendiza[m]> #link https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-09-27-13.00.html
13:05:15 <dmendiza[m]> Looks like we didn't have any
13:05:17 <dmendiza[m]> moving on
13:05:22 <dmendiza[m]> #topic Liaison Updates
13:06:28 <dmendiza[m]> tosky: around?  Any updates from QA/QE?
13:08:09 <dmendiza[m]> Moving on to release liaison (we'll come back to tosky if he stops by)
13:08:45 <dmendiza[m]> actually, let's talk VMT first
13:09:24 <dmendiza[m]> ...
13:09:42 <dmendiza[m]> I'm waiting for coffee to kick in and need to organize my thoughts ...
13:09:45 <dmendiza[m]> ...
13:10:04 <dmendiza[m]> OK, so for release liaison, I've submitted a patch to volunteer myself as Release Liaison:
13:10:09 <tosky> (sorry, no updates from me)
13:10:14 <dmendiza[m]> #link https://review.opendev.org/c/openstack/releases/+/860152
13:10:24 <ade_lee> o/
13:10:25 <dmendiza[m]> thanks tosky !
13:10:39 <d34dh0r53> o/
13:10:58 <dmendiza[m]> Dave McCowan was still the release liaison on the releases repo, so that's why he was still being added to all release reviews
13:11:21 <dmendiza[m]> Not sure xek is around, but I'll ask him to +1 that patch so we can get that update in
13:11:33 <dmendiza[m]> after it merges both xek and I will be able to approve release requests
13:11:48 <ade_lee> dmendiza[m], can we add more than one ?  looks like cyborg has two ..
13:12:15 <dmendiza[m]> ade_lee I suppose so ... are you volunteering as tribute?
13:12:23 <ade_lee> dmendiza[m], what does the release liaison do?
13:13:21 <dmendiza[m]> * Pay attention to release deadlines
13:13:21 <dmendiza[m]> * Approve release patches that are created by the release team automation
13:13:21 <dmendiza[m]> * Request releases for libraries when the team feels there's a need
13:14:20 <ade_lee> dmendiza[m], interesting that we haven't had any issues for a while -- given that dave has been away for a while now
13:14:26 <dmendiza[m]> ade_lee: if that's something you're interested in, just submit a patch like mine and ask xek to +1 (or ask me if my patch has already merged.)
13:14:40 <dmendiza[m]> ade_lee: well, PTL is the default liaison so I've been handling all that stuff
13:15:03 <ade_lee> dmendiza[m], gotcha -- so liaison is backup in case ptl is not around?
13:15:09 <ade_lee> or it goes to both>
13:15:10 <ade_lee> ?
13:15:16 <dmendiza[m]> ade_lee: yeah, or helping hand if PTL is too busy
13:15:52 <dmendiza[m]> yeah, so when my patch merges, the release automation will add both myself and xek.  Previously it used to add me and Dave.  Now it's adding Dave and xek
13:16:10 <dmendiza[m]> The release team waits for either one to +1 before merging
13:16:18 <ade_lee> dmendiza[m], ok - I'll put my own patch up -- or you can add me to your
13:16:29 <ade_lee> either way
13:16:41 <dmendiza[m]> ade_lee: I don't want to update mine because it will drop the +2 that's already there
13:16:55 <ade_lee> dmendiza[m], ack - I'll add my own
13:17:07 <dmendiza[m]> ade_lee++ thanks!
13:17:28 <dmendiza[m]> #info antelope cycle will have two release liaisons ade_lee and dmendiza[m]
13:17:45 <ade_lee> and xek by default
13:17:51 <dmendiza[m]> right
13:18:33 <dmendiza[m]> On the topic of releases, I did request a Zed RC3 this week:
13:18:34 <dmendiza[m]> https://review.opendev.org/c/openstack/releases/+/859894
13:18:38 <dmendiza[m]> *last week
13:18:49 <dmendiza[m]> that was to pull in a CVE fix that I'll talk about in a bit
13:19:09 <dmendiza[m]> RC3 should be the final spin and will likely be the Zed final release
13:19:45 <dmendiza[m]> OK, moving on
13:20:11 <dmendiza[m]> #topic CVE-2022-3100
13:21:16 <dmendiza[m]> #link https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3100
13:22:01 <dmendiza[m]> it was reported via Red Hat CVE tracking:
13:22:03 <dmendiza[m]> #link https://access.redhat.com/security/cve/CVE-2022-3100
13:22:28 <dmendiza[m]> We also have an errata page with more info:
13:22:29 <dmendiza[m]> #link https://access.redhat.com/errata/RHSA-2022:6750
13:24:00 <dmendiza[m]> Storyboard was private, but I just toggled the flag to make it public:
13:24:02 <dmendiza[m]> #link https://storyboard.openstack.org/#!/story/2010258
13:24:47 <dmendiza[m]> Long story short, there is a vulnerability that will allow malicious users to access secret payloads when they have no roles assigned on the project that owns the secret
13:26:03 <dmendiza[m]> We've patched Wallaby, Xena, Yoga, Zed and Master branches:
13:26:06 <dmendiza[m]> #link https://review.opendev.org/q/topic:cve-2022-3100
13:26:22 <dmendiza[m]> I'm currently working on the Victoria patch, but the Victoria gates are a mess
13:26:33 <dmendiza[m]> so it's taking a bit longer than it should.
13:27:02 <dmendiza[m]> Once that's sorted I'll be backporting the fix all the way back to Train
13:27:33 <dmendiza[m]> Stein and older branches are EOL and folks should upgrade to a newer release to get the fix.
13:28:18 <dmendiza[m]> d34dh0r53: anything else you want to add for this topic?
13:31:16 <dmendiza[m]> I want to say that d34dh0r53 is working on an OSSA for this
13:33:09 <dmendiza[m]> OK, moving on
13:33:21 <dmendiza[m]> #topic PTG Planning
13:33:23 <dmendiza[m]> It's that time again
13:33:42 <dmendiza[m]> #link https://openinfra.dev/ptg/
13:34:32 <dmendiza[m]> We've got two weeks to come up with an agenda
13:34:59 <dmendiza[m]> I'll probably spend some time with xek and ade_lee reviewing the last PTG notes to get things started
13:35:16 <dmendiza[m]> Etherpad for topic ideas is here:
13:35:19 <dmendiza[m]> #link https://etherpad.opendev.org/p/antelope-ptg-barbican
13:35:48 <dmendiza[m]> #action xek and dmendiza[m] to reserve time slots for Barbican sessions during PTG
13:36:01 <dmendiza[m]> I think we'll stick to 2x 2hr blocks on different days again
13:38:52 <dmendiza[m]> Any questions/comments about the upcoming PTG?
13:40:51 <dmendiza[m]> OK, moving on
13:40:58 <dmendiza[m]> #topic New meeting time proposal
13:41:13 <dmendiza[m]> Now that xek is the brand new shiny PTL we'll need to move this meeting
13:41:29 <dmendiza[m]> because xek has a conflict at this time
13:41:35 <dmendiza[m]> I should say he has a conflicting meeting.
13:41:36 <xek> I have a conflict, so I propose to move it 1 hour later
13:41:44 <dmendiza[m]> oh hi Grzegorz Grasza !
13:41:53 <dmendiza[m]> 1 hr later would work for me
13:41:57 <dmendiza[m]> how about you, Luzi ?
13:46:28 <dmendiza[m]> ...  maybe Luzi had to run ...
13:46:36 <xek> I'll send out an email before I change the meeting time
13:46:43 <dmendiza[m]> sounds good
13:47:05 <dmendiza[m]> #info This meeting time is proposed to move to an hour later
13:47:26 <dmendiza[m]> OK, moving on
13:47:37 <dmendiza[m]> #topic Secret Consumers
13:47:46 <dmendiza[m]> Not a whole lot of progress on the client side
13:48:03 <dmendiza[m]> I've been busy with CVE things and haven't gotten a chance to update the first python-barbicanclient patch
13:48:32 <xek> dmendiza: you can +w the spec change, since the implementation already merged: https://review.opendev.org/c/openstack/barbican-specs/+/856759
13:49:04 <dmendiza[m]> Grzegorz Grasza: we should probably update the Core team
13:49:16 <dmendiza[m]> Grzegorz Grasza: I'll add you and you can +W yourself 😄
13:49:23 <ade_lee> dmendiza[m], xek one hour later puts this meeting 10 minutes from now , right?
13:49:48 <dmendiza[m]> ade_lee: correct ... overlaps with both PGM and FIPS for you
13:50:08 <ade_lee> yup
13:50:26 <dmendiza[m]> I'd be down with an hour earlier also
13:50:33 <dmendiza[m]> but that might be too early for d34dh0r53
13:51:09 <d34dh0r53> I can make that work
13:51:16 <d34dh0r53> dmendiza[m]: ^
13:52:13 <dmendiza[m]> Grzegorz Grasza: what does 1 hr earlier look like for you? (1200 UTC)?
13:52:52 <xek> dmendiza: looks good
13:53:10 <dmendiza[m]> OK, let's plan for that, hopefully that'll also work for Luzi
13:56:05 <dmendiza[m]> back to Secret Consumers
13:56:18 <dmendiza[m]> I'll continue to work on that as soon as we get all these CVE patches backported
13:56:40 <dmendiza[m]> afaranha_ and Mauricio are also helping out with the Castellan bits
13:56:48 <dmendiza[m]> ...
13:56:52 <dmendiza[m]> and we're just about out of time
13:56:56 <dmendiza[m]> #topic Open Discussion
13:57:09 <dmendiza[m]> Anything else y'all want to talk about during the last couple of minutes?
14:01:46 <dmendiza[m]> Thanks for joining, y'all!
14:01:48 <dmendiza[m]> #endmeeting