15:00:31 #startmeeting security
15:00:32 Meeting started Thu Apr 12 15:00:31 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:33 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:35 The meeting name has been set to 'security'
15:00:53 o/
15:01:04 ping eeiden fungi gagehugo lhinds nickthetait
15:01:04 hey
15:01:12 hey jessegler nickthetait
15:01:38 will likely be a short meeting today, don't have much in updates
15:01:59 as usual, i'm also trying to pay attention in #openstack-tc for office hour
15:02:05 #link https://etherpad.openstack.org/p/security-agenda
15:02:08 fungi o/
15:02:57 sigmavirus24 doesn't seem to be here right now, but was looking for browne in #openstack-security yesterday
15:03:23 I think browne is mostly available via email lately
15:03:27 (looks like maybe it was day before yesterday actually)
15:04:19 no updates afaik for spectre/meltdown update
15:04:28 #topic Bandit
15:04:48 not much changed from last week, think a couple ps got merged
15:05:14 #topic Tatu
15:05:27 ping gdecandia
15:05:57 #topic Documentation
15:06:25 no updates here
15:06:35 #topic OSSN
15:06:46 I submitted an OSSN draft this week
15:06:48 :)
15:06:50 nice
15:07:01 do you have a link?
15:07:05 yeah
15:07:10 https://review.openstack.org/#/c/559440/
15:07:11 patch 559440 - security-doc - Publish a draft of OSSN-0083
15:08:04 I can take a look later today
15:08:16 that would be great, thanks
15:08:35 #topic VMT
15:08:53 should probably change that to say OSSA instead
15:09:01 since we have threat analysis on the agenda as well
15:09:14 no OSSA updates afaik
15:09:34 #topic Threat Analysis
15:09:51 keystonemiddleware was approved for the vmt tag \o/
15:10:19 does that mean it is an official openstack project now?
15:11:02 nickthetait it means that keystonemiddleware is eligible for being covered under vulnerability management
15:11:08 lemme find the wiki link
15:11:23 aha
15:11:28 https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#vulnerability-managed
15:11:32 keystonemiddleware has been an official openstack deliverable under the keystone team for years (basically for as long as it has existed)
15:11:47 ^
15:12:20 fungi I'll email browne about sigmavirus24 looking for him
15:12:22 btw
15:12:33 specifically, that change is an indication that the openstack cross-project vulnerability management team has agreed to coordinate reported vulnerabilities for keystonemiddleware rather than the keystone team having to do that themselves
15:13:04 okay
15:13:44 yup!
15:13:54 #topic General Discussion
15:13:59 the openstack vmt is generally willing to assist any official projects with vulnerability report coordination, but specifically prioritizes those with the vulnerability:managed governance tag and does more of the legwork themselves
15:14:32 gagehugo: thanks, i missed the call for bandit news earlier in the meeting, but per discussion in #openstack-security sigmavirus24 was looking for bandit maintainers to follow up on moving it to pypa. apparently they mentioned wanting to do that but subsequently disappeared and left the pypa maintainers hanging
15:15:01 fungi ah, I think browne was handling that for the most part, but I will double check
15:15:18 much appreciated
15:15:39 anyone have anything else?
15:15:46 nah
15:16:56 if not then we can end early
15:17:08 have a good rest of the week everyone!
15:17:14 later
15:17:18 o/
15:17:21 #endmeeting