14:00:10 <abhishekk> #startmeeting glance
14:00:11 <openstack> Meeting started Thu Mar 11 14:00:10 2021 UTC and is due to finish in 60 minutes. The chair is abhishekk. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:14 <openstack> The meeting name has been set to 'glance'
14:00:16 <abhishekk> #topic roll call
14:00:23 <abhishekk> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:00:27 <abhishekk> o/
14:01:19 <rosmaita> o/
14:01:32 <abhishekk> Looks like just two of us :D
14:01:46 <abhishekk> anyways we have a very short agenda, so we could wrap this up early
14:01:51 <rosmaita> works for me!
14:02:02 <abhishekk> let's start then
14:02:10 <abhishekk> #topic Updates
14:02:23 <abhishekk> I have created a planning etherpad for Xena
14:02:24 <jokke> o/
14:02:36 <abhishekk> cool, jokke is here as well
14:02:43 <abhishekk> #link https://etherpad.opendev.org/p/xena-ptg-glance-planning
14:03:03 <abhishekk> Kindly add your name if you are planning to attend the PTG
14:03:14 <abhishekk> also add topics for discussion if you have any
14:03:35 <abhishekk> I have booked 1400 to 1700 UTC from Tuesday to Friday for our discussion
14:04:03 <abhishekk> I will discuss with rosmaita if we need to coordinate a cinder-glance session and decide a time for the same
14:04:14 <abhishekk> Moving ahead
14:04:20 <jokke> sounds good
14:04:25 <abhishekk> cool
14:04:28 <abhishekk> #topic release/periodic jobs update
14:04:39 <abhishekk> This is M3 release week
14:04:53 <abhishekk> python-glanceclient is released today
14:05:05 <abhishekk> Glance is also in good shape to tag M3
14:05:21 <abhishekk> just a couple of patches are open and 1 of them is related to config refresh
14:05:35 <abhishekk> so either of you, please have a look at it and review
14:05:58 <rosmaita> ok, that should be an easy one
14:06:08 <abhishekk> Glance status - https://etherpad.opendev.org/p/glance-wallaby-m3-status
14:06:27 <abhishekk> I am planning to tag M3 on 15th March, that is Monday
14:07:24 <abhishekk> Periodic jobs are green, so we are pretty much good
14:07:37 <abhishekk> I guess I have covered the next topic as well
14:07:49 <abhishekk> any questions about release planning?
14:08:52 <abhishekk> I take that as no
14:09:02 <abhishekk> Moving into open discussion
14:09:11 <abhishekk> #topic Open discussion
14:09:25 <abhishekk> rosmaita, jokke, anything you want to discuss?
14:09:32 <jokke> I have one
14:09:55 <abhishekk> ok, the stage is yours
14:10:02 <jokke> #link https://wiki.openstack.org/wiki/OSSN/OSSN-0088
14:10:12 <jokke> The security note you issued earlier this week
14:10:23 <abhishekk> right
14:11:47 <jokke> I'm pretty concerned about the impact that has, with no fixes, not even an investigation of the actual attack vector, just a blanket statement of "turn the whole API off"
14:12:22 <jokke> The impact that statement has on any deployment relying on metadefs and being audited is big
14:13:09 <abhishekk> This is taken as a preventive action, with an advisory to open those in the deployments with notice
14:15:19 <abhishekk> If the deployers are willing to take the risk, they can enable the metadef APIs in their environment
14:16:11 <abhishekk> I don't think that this will be a concern; also, we are planning to fix those in X milestone 1 and will re-enable those by default
14:16:12 <jokke> A "turn off your service" advisory based on something that has no clear attack vector is not preventive action. It's lifting the embargo on a potential issue without investigation and telling the users that it's their problem now.
14:17:02 <rosmaita> well, it seems like there are 2 different issues: the DoS can be averted by restricting the create policies
14:17:40 <jokke> thus the concern, and that's why I pressed from the very beginning that Lance's findings should be _investigated_ as private security bugs so the details are not discussed publicly before they can be confirmed and addressed
14:17:55 <abhishekk> So, actually we have assessed the situation: one of the bugs (DoS related) had been open for a long time, and our policy structure is pretty complex to provide a fix for at the moment
14:19:05 <abhishekk> and that is the reason we have decided to go public by issuing a security note
14:19:20 <jokke> but the reality is, it's out there and thrown at our users to deal with. Just wanted to express my concerns about how it was handled.
14:20:19 <rosmaita> it might be a good idea to reach out to operators and see if someone who uses metadefs can attend a PTG session to give us a walkthrough
14:20:48 <rosmaita> the implementors are long gone, and it would be good to understand how people are using these things
14:20:59 <abhishekk> also if you look at the facts (judging by the one bug which was open for a couple of cycles) we don't have that much bandwidth to work on an urgent basis and provide a fix
14:21:23 <abhishekk> rosmaita, is it possible for you to create a survey (I know you are very very busy at the moment)
14:21:56 <jokke> abhishekk: I think that would be a great question for the OpenStack user survey
14:21:56 <rosmaita> abhishekk: i was thinking more just an email with [ops][glance][security] in the subject line
14:22:05 <jokke> or that
14:22:18 <rosmaita> yeah, the OS survey isn't very fine-grained
14:22:29 <abhishekk> jokke, will you do that?
14:22:32 <rosmaita> it would be good to have a use case in mind before modifying them
14:22:44 <abhishekk> +1
14:23:06 <rosmaita> i can draft something in an etherpad, though not before noon tomorrow
14:23:14 <abhishekk> cool
14:23:58 <abhishekk> I will remind you this time tomorrow
14:24:06 <rosmaita> please do!
14:24:12 <abhishekk> :D
14:24:15 <abhishekk> anything else?
14:24:21 <jokke> nothing from me
14:24:28 <rosmaita> look here (eventually) https://etherpad.opendev.org/p/glance-xena-ptg-metadefs
14:24:38 <abhishekk> noted
14:25:21 <abhishekk> Let's wrap up for today then
14:25:25 <abhishekk> thank you all
14:25:43 <rosmaita> bye!
14:26:09 <jokke> thanks
14:26:15 <abhishekk> #endmeeting