13:00:56 #startmeeting barbican
13:00:56 Meeting started Tue Oct 4 13:00:56 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:56 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:56 The meeting name has been set to 'barbican'
13:01:05 #topic Roll Call
13:01:11 Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage Luzi lxkong mhen rm_work tosky xek nearyo oleksandry
13:01:21 o/
13:01:29 o/
13:01:38 o/
13:01:55 Hi y'all!
13:02:03 OK, let's get started
13:02:16 #topic Review Past Meeting Action Items
13:02:45 #link https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-09-27-13.00.html
13:05:15 Looks like we didn't have any
13:05:17 moving on
13:05:22 #topic Liaison Updates
13:06:28 tosky: around? Any updates from QA/QE?
13:08:09 Moving on to release liaison (we'll come back to tosky if he stops by)
13:08:45 actually, let's talk VMT first
13:09:24 ...
13:09:42 I'm waiting for coffee to kick in and need to organize my thoughts ...
13:09:45 ...
13:10:04 OK, so for release liaison, I've submitted a patch to volunteer myself as Release Liaison:
13:10:09 (sorry, no updates from me)
13:10:14 #link https://review.opendev.org/c/openstack/releases/+/860152
13:10:24 o/
13:10:25 thanks tosky !
13:10:39 o/
13:10:58 Dave McCowan was still the release liaison on the releases repo, so that's why he was still being added to all release reviews
13:11:21 Not sure xek is around, but I'll ask him to +1 that patch so we can get that update in
13:11:33 after it merges both xek and I will be able to approve release requests
13:11:48 dmendiza[m], can we add more than one ? looks like cyborg has two ..
13:12:15 ade_lee I suppose so ... are you volunteering as tribute?
13:12:23 dmendiza[m], what does the release liaison do?
13:13:21 * Pay attention to release deadlines
13:13:21 * Approve release patches that are created by the release team automation
13:13:21 * Request releases for libraries when the team feels there's a need
13:14:20 dmendiza[m], interesting that we haven't had any issues for awhile -- given that dave has been away for awhile now
13:14:26 ade_lee: if that's something you're interested in, just submit a patch like mine and ask xek to +1 (or ask me if my patch has already merged.)
13:14:40 ade_lee: well, PTL is the default liaison so I've been handling all that stuff
13:15:03 dmendiza[m], gotcha -- so liaison is backup in case ptl is not around?
13:15:09 or it goes to both>
13:15:10 ?
13:15:16 ade_lee: yeah, or helping had if PTL is too busy
13:15:52 yeah, so when my patch merges, the release automation will add both myself and xek. Previously it used to add me and Dave. Now it's adding Dave and xek
13:16:10 The release team waits for either one to +1 before merging
13:16:18 dmendiza[m], ok - I'll put my own patch up -- or you can add me to your
13:16:29 either way
13:16:41 ade_lee: I don't want to update mine because it will drop the +2 that's already there
13:16:55 dmendiza[m], ack - I'll add my own
13:17:07 ade_lee++ thanks!
13:17:28 #info antelope cycle will have two release liaisons ade_lee and dmendiza[m]
13:17:45 and xek by default
13:17:51 right
13:18:33 On the topic of releases, I did request a Zed RC3 this week:
13:18:34 https://review.opendev.org/c/openstack/releases/+/859894
13:18:38 *last week
13:18:49 that was to pull in a CVE fix that I'll talk about in a bit
13:19:09 RC3 should be the final spin and will likely be the Zed final release
13:19:45 OK, moving on
13:20:11 #topic CVE-2022-3100
13:21:16 #link https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3100
13:22:01 it was reported via Red Hat CVE tracking:
13:22:03 #link https://access.redhat.com/security/cve/CVE-2022-3100
13:22:28 We also have an errata page with more info:
13:22:29 #link https://access.redhat.com/errata/RHSA-2022:6750
13:24:00 Storyboard was private, but I just toggled the flag to make it public:
13:24:02 #link https://storyboard.openstack.org/#!/story/2010258
13:24:47 Long story short, there is a vulnerability that will allow malicious users to access secret payloads when they have no roles assigned on the project that owns the secret
13:26:03 We've patched Wallaby, Xena, Yoga, Zed and Master branches:
13:26:06 #link https://review.opendev.org/q/topic:cve-2022-3100
13:26:22 I'm currently working on the Victoria patch, but the Victoria gates are a mess
13:26:33 so it's taking a bit longer than it should.
13:27:02 Once that's sorted I'll be backporting the fix all the way back to Train
13:27:33 Stein and older branches are EOL and folks should upgrade to a newer release to get the fix.
13:28:18 d34dh0r53: anything else you want to add for this topic?
13:31:16 I want to say that d34dh0r53 is working on an OSSA for this
13:33:09 OK, moving on
13:33:21 #topic PTG Planning
13:33:23 It's that time again
13:33:42 #link https://openinfra.dev/ptg/
13:34:32 We've got two weeks to come up with an agenda
13:34:59 I'll probably spend some time with xek and ade_lee reviewing the last PTG notes to get things started
13:35:16 Etherpad for topic ideas is here:
13:35:19 #link https://etherpad.opendev.org/p/antelope-ptg-barbican
13:35:48 #action xek and dmeniza[m] to reserve time slots for Barbican sessions during PTG
13:36:01 I think we'll stick to 2x 2hr blocks on different days again
13:38:52 Any questions/comments about the upcoming PTG?
13:40:51 OK, moving on
13:40:58 #topic New meeting time proposal
13:41:13 Now that xek is the brand new shiny PTL we'll need to move this meeting
13:41:29 because xek has a conflict at this time
13:41:35 I should say he has a conflicting meeting.
13:41:36 I have a conflict, so I propose to move it 1 hour later
13:41:44 oh hi Grzegorz Grasza !
13:41:53 1 hr later would work for me
13:41:57 how about you, Luzi ?
13:46:28 ... maybe Luzi had to run ...
13:46:36 I'll send out an email before I change the meeting time
13:46:43 sounds good
13:47:05 #info This meeting time is proposed to move to an hour later
13:47:26 OK, moving on
13:47:37 #topic Secret Consumers
13:47:46 Not a whole lot of progress on the client side
13:48:03 I've been busy with CVE things and haven't gotten a chance to update the first python-barbicanclient patch
13:48:32 dmendiza: you can +w the spec change, since the implementation already merged: https://review.opendev.org/c/openstack/barbican-specs/+/856759
13:49:04 Grzegorz Grasza: we should probably update the Core team
13:49:16 Grzegorz Grasza: I'll add you and you can +W yourself 😄
13:49:23 dmendiza[m], xek one hour later puts this meeting 10 minutes from now , right?
13:49:48 ade_lee: correct ... overlaps with both PGM and FIPS for you
13:50:08 yup
13:50:26 I'd be down with an hour earlier also
13:50:33 but that might be too early for d34dh0r53
13:51:09 I can make that work
13:51:16 dmendiza[m]: ^
13:52:13 Grzegorz Grasza: what does 1 hr earlier look like for you? (1200 UTC)?
13:52:52 dmendiza: looks good
13:53:10 OK, let's plan for that, hopefully that'll also work for Luzi
13:56:05 back to Secret Consumers
13:56:18 I'll continue to work on that as soon as we get all these CVE patches backported
13:56:40 afaranha_ and Mauricio are also helping out with the Castellan bits
13:56:48 ...
13:56:52 and we're just about out of time
13:56:56 #topic Open Discussion
13:57:09 Anything else y'all want to talk about during the last couple of minutes?
14:01:46 Thanks for joining, y'all!
14:01:48 #endmeeting