14:00:10 <abhishekk> #startmeeting glance
14:00:11 <openstack> Meeting started Thu Mar 11 14:00:10 2021 UTC and is due to finish in 60 minutes.  The chair is abhishekk. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:14 <openstack> The meeting name has been set to 'glance'
14:00:16 <abhishekk> #topic roll call
14:00:23 <abhishekk> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:00:27 <abhishekk> o/
14:01:19 <rosmaita> o/
14:01:32 <abhishekk> Looks like just two of us :D
14:01:46 <abhishekk> anyways we have very short agenda, so we could wrap this up early
14:01:51 <rosmaita> works for me!
14:02:02 <abhishekk> let's start then
14:02:10 <abhishekk> #topic Updates
14:02:23 <abhishekk> I have created planning etherpad for Xena
14:02:24 <jokke> o/
14:02:36 <abhishekk> cool, jokke is here as well
14:02:43 <abhishekk> #link https://etherpad.opendev.org/p/xena-ptg-glance-planning
14:03:03 <abhishekk> Kindly add your name if you are planning to attend the PTG
14:03:14 <abhishekk> also add topics for discussion if you have any
14:03:35 <abhishekk> I have booked 1400 to 1700 UTC from Tuesday to Friday for our discussion
14:04:03 <abhishekk> I will discuss with rosmaita if we need to coordinate for cinder-glance session and decide time for the same
14:04:14 <abhishekk> Moving ahead
14:04:20 <jokke> sounds good
14:04:25 <abhishekk> cool
14:04:28 <abhishekk> #topic release/periodic jobs update
14:04:39 <abhishekk> This is M3 release week
14:04:53 <abhishekk> python-glanceclient is released today
14:05:05 <abhishekk> Glance is also in good shape to tag M3
14:05:21 <abhishekk> just a couple of patches are open and 1 of them is related to config refresh
14:05:35 <abhishekk> so either of you please have a look at it and please review
14:05:58 <rosmaita> ok, that should be an easy one
14:06:08 <abhishekk> Glance status - https://etherpad.opendev.org/p/glance-wallaby-m3-status
14:06:27 <abhishekk> I am planning to tag M3 on 15th March, that is Monday
14:07:24 <abhishekk> Periodic jobs are green, so we are pretty much good
14:07:37 <abhishekk> I guess I have covered next topic as well
14:07:49 <abhishekk> any questions about release planning?
14:08:52 <abhishekk> I take that as no
14:09:02 <abhishekk> Moving into open discussion
14:09:11 <abhishekk> #topic Open discussion
14:09:25 <abhishekk> rosmaita, jokke anything you want to discuss
14:09:32 <jokke> I have one
14:09:55 <abhishekk> ok, stage is yours
14:10:02 <jokke> #link https://wiki.openstack.org/wiki/OSSN/OSSN-0088
14:10:12 <jokke> The security note you issued earlier this week
14:10:23 <abhishekk> right
14:11:47 <jokke> I'm pretty concerned about the impact that has with no fixes not even investigation of actual attack vector with just blanket statement of "turn the whole api off"
14:12:22 <jokke> The impact that statement has on any deployment relying on metadefs and being audited is big
14:13:09 <abhishekk> This is taken as a preventive action with advisory to open those in the deployments with notice
14:15:19 <abhishekk> If the deployers are willing to take risks they can enable metadef APIs in their environment
14:16:11 <abhishekk> I don't think that this will be a concern, also we are planning to fix those in X milestone 1 and will re-enable those by default
14:16:12 <jokke> "turn off your service" advisory based on something that has no clear attack vector is not preventive action. It's lifting embargo on potential issue without investigation and telling the users that it's their problem now.
14:17:02 <rosmaita> well, it seems like there are 2 different issues: the DOS can be averted by restricting the create policies
14:17:40 <jokke> thus the concern, and that's why I pressed from the very beginning that Lance's findings should be _investigated_ as private security bugs so the details are not discussed publicly before they can be confirmed and addressed
14:17:55 <abhishekk> So, actually we have assessed the situation, one of the bugs (DoS related) was open since long, and our policy structure is pretty complex to provide a fix at the moment
14:19:05 <abhishekk> and that is the reason we have decided to go public with issuing security note
14:19:20 <jokke> but the reality is, it's out there and thrown at our users to deal with. Just wanted to express my concerns how it was handled.
14:20:19 <rosmaita> it might be a good idea to reach out to operators and see if someone who uses metadefs can attend a PTG session to give us a walkthrough
14:20:48 <rosmaita> the implementors are long gone, and it would be good to understand how people are using these things
14:20:59 <abhishekk> also if you look at the facts (judging by the one bug which was open since a couple of cycles) we don't have that much bandwidth to work on an urgent basis and provide a fix
14:21:23 <abhishekk> rosmaita, is it possible for you to create a survey (I know you are very very busy at the moment)
14:21:56 <jokke> abhishekk: I think that would be great question for the OpenStack user survey
14:21:56 <rosmaita> abhishekk: i was thinking more just an email with [ops][glance][security] in the subject line
14:22:05 <jokke> or that
14:22:18 <rosmaita> yeah, the OS survey isn't very fine grained
14:22:29 <abhishekk> jokke, will you do that?
14:22:32 <rosmaita> it would be good to have a use case in mind before modifying them
14:22:44 <abhishekk> +1
14:23:06 <rosmaita> i can draft something in an etherpad, though not before noon tomorrow
14:23:14 <abhishekk> cool
14:23:58 <abhishekk> I will remind you this time tomorrow
14:24:06 <rosmaita> please do!
14:24:12 <abhishekk> :D
14:24:15 <abhishekk> anything else
14:24:21 <jokke> nothing from me
14:24:28 <rosmaita> look here (eventually) https://etherpad.opendev.org/p/glance-xena-ptg-metadefs
14:24:38 <abhishekk> noted
14:25:21 <abhishekk> Let's wrap up for today then
14:25:25 <abhishekk> thank you all
14:25:43 <rosmaita> bye!
14:26:09 <jokke> thanks
14:26:15 <abhishekk> #endmeeting