16:00:11 <bnemec> #startmeeting oslo
16:00:11 <bnemec> Courtesy ping for hberaud, stephenfin, moguimar, jungleboyj, bnemec, johnsom, bcafarel, kgiusti, gmann, valleedelisle, sboyron, damani
16:00:11 <openstack> Meeting started Mon Feb 22 16:00:11 2021 UTC and is due to finish in 60 minutes.  The chair is bnemec. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:11 <bnemec> #link https://wiki.openstack.org/wiki/Meetings/Oslo#Agenda_for_Next_Meeting
16:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:15 <openstack> The meeting name has been set to 'oslo'
16:00:19 <moguimar> o/
16:00:41 <bnemec> Since it's feature freeze week and hberaud is on PTO, I'm going to run the meeting so we can handle any last-minute stuff.
16:00:41 <damani> hi
16:00:41 <johnsom> o/
16:03:04 <bnemec> #topic Red flags for/from liaisons
16:04:26 <moguimar> Nothing from barbican
16:04:38 <johnsom> Nothing from Octavia or Designate
16:04:59 <bnemec> Good to hear, thanks
16:05:09 <bnemec> #topic Releases liaison
16:05:18 <bnemec> damani: Anything to report?
16:07:49 <bnemec> I'll take that as "no". :-)
16:07:52 <bnemec> #topic Security liaison
16:08:10 <bnemec> There is actually some security-related news this week!
16:08:31 <bnemec> You may have seen a ML thread about a security bug open against Oslo.
16:08:40 <moguimar> cache?
16:08:49 <bnemec> I took a look at that and the other security-tagged bugs open against our projects.
16:08:55 <bnemec> Yeah, the caching one.
16:09:21 <bnemec> It looks like it was actually a problem with the keystonemiddleware caching code, not the Oslo version.
16:09:27 <moguimar> IIRC we had a release containing that fix
16:09:44 <damani> bnemec, sorry, no nothing to report
16:09:46 <moguimar> changing the default behavior
16:10:07 <bnemec> Different bug, I think. Let me find the link.
16:10:19 <moguimar> ah, ok
16:10:51 <moguimar> I know that keystone authtoken does its own thing and does not use oslo.cache
16:11:56 <bnemec> #link https://launchpad.net/bugs/1883659
16:12:00 <openstack> Launchpad bug 1883659 in keystonemiddleware "keystonemiddleware connections to memcached from neutron-server grow beyond configured values" [Undecided,Confirmed]
16:12:23 <bnemec> It appears that configuring the middleware to use the oslo.cache backend actually fixes the bug, so I closed it against oslo.cache.
16:13:15 <bnemec> We actually had another longstanding private bug against oslo.config that basically was about pyyaml.
16:13:53 <bnemec> It turns out that we didn't necessarily need to do anything about that either, although I did push a patch to bump our pyyaml min version to avoid the potentially bad versions.
16:14:21 <bnemec> The bigger concern there was that we had a security bug open for over a year and nobody knew. :-(
16:14:37 <bnemec> I thought the coresec team got email notifications of private security bugs, but I don't remember ever getting one about that bug.
16:14:50 <bnemec> So we need to keep a closer eye on the security bug list.
16:15:20 <bnemec> I put together a link that should list all of the bugs marked security in oslo:
16:15:23 <bnemec> #link https://bugs.launchpad.net/oslo/+bugs?field.searchtext=&orderby=-importance&search=Search&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.information_type%3Alist=PUBLICSECURITY&field.information_type%3Alist=PRIVATESECURITY&assignee_option=any&field.assignee=&field.bug_reporter=&field.
16:15:23 <bnemec> bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=&field.tags_combinator=ANY&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on
16:15:39 <bnemec> Oof, should have shortened that.
16:15:40 <stephenfin> bnemec: Related to the keystonemiddleware issue from above, there's a patch against the project to switch the oslo.cache backend on by default
16:15:54 <stephenfin> I don't have core on that project though, but just FYI for anyone that does
16:16:05 <bnemec> stephenfin: Thanks for the update.
16:16:16 <bnemec> I'm not sure we have any keystone cores here.
16:16:24 <stephenfin> probably not
16:16:37 * stephenfin will try find someone who is during the week
16:16:57 <moguimar> lbragstad should be core
16:17:00 <bnemec> Yeah, the keystone team has been a bit quiet lately so you may need to ping people directly.
16:17:32 <stephenfin> ack
16:17:56 <bnemec> If they have a meeting tomorrow that would be a good time to request reviews too.
16:18:32 <bnemec> They have an agenda etherpad here: https://etherpad.opendev.org/p/keystone-weekly-meeting
16:20:27 <bnemec> We should also think about setting up the Oslo projects under the VMT umbrella. Right now I think only a couple are.
16:20:43 <stephenfin> VMT umbrella?
16:21:50 <bnemec> Oops, undefined TLA. Vulnerability Management Team. Basically the people who deal with security disclosures and such for OpenStack.
16:22:11 <bnemec> Right now most of our projects are not covered by that.
16:23:18 <bnemec> I need to follow up on the ML thread anyway, so I'll see if I can get some more information about what is involved in that.
16:23:30 <bnemec> #action bnemec to follow up on security bug ML thread
16:23:34 <stephenfin> Gotcha. That makes sense
16:24:13 <bnemec> It looks like we may need to do some cleanup of our private security bug settings too. The security team doesn't have access to all of our projects, and I found at least one person who does and probably shouldn't anymore.
16:24:38 <bnemec> I don't actually have access to change that though.
16:25:18 <bnemec> Anyway, I don't want to hog any more of the meeting. I'll keep everyone updated on what the outcomes of these discussions are.
16:25:59 <stephenfin> Sounds good. Lemme know if I can help with anything
16:26:10 <bnemec> Will do, thanks.
16:26:20 <bnemec> #topic TaCT SIG liaison
16:26:34 <moguimar> no fire alarms on my end
16:26:51 <bnemec> Good to hear!
16:26:53 <jungleboyj> Ugh, sorry I missed the ping.
16:27:39 <bnemec> jungleboyj: We'll have to dock your pay from the Oslo team. :-P
16:27:48 <jungleboyj> :-)
16:28:42 <bnemec> No action items from last week, so we can skip that.
16:28:50 <bnemec> #topic Weekly Wayward Wallaby Review
16:29:25 <bnemec> My reviewstats is no longer working since the gerrit upgrade, so I don't have a handy list of old reviews, but I think we want to focus on any last feature reviews anyway.
16:29:35 <bnemec> Does anyone have anything they want to get in before feature freeze?
16:30:18 <moguimar> not on my end, got everything I had for oslo.cache
16:30:38 <moguimar> I'll poke the barbican team tomorrow for the patches we have open against castellan
16:30:43 <bnemec> That was mostly backports at this point?
16:31:01 <moguimar> yep, all done
16:31:10 <bnemec> Cool :-)
16:31:13 <moguimar> the last bit on master got a release already
16:32:32 <bnemec> I'll give people another minute to bring up feature reviews and then I guess we'll move on.
16:32:57 <bnemec> If anything comes up this week you can always bring it here or the list too.
16:34:29 <bnemec> #topic Open discussion
16:34:36 <bnemec> Okay, anything else before we close for the week?
16:37:26 <bnemec> Guess that's it. Thanks for joining!
16:37:28 <bnemec> #endmeeting