15:00:27 <gagehugo> #startmeeting security
15:00:28 <openstack> Meeting started Thu May 23 15:00:27 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:29 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:31 <openstack> The meeting name has been set to 'security'
15:00:38 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:00:40 <gagehugo> o/
15:01:55 <fungi> hey howdy
15:02:12 <nickthetait> hi hi
15:03:19 <fungi> great agenda this week ;)
15:04:06 <gagehugo> heh
15:04:19 <gagehugo> fungi: was there anything this week?
15:04:39 <fungi> checking my notes
15:05:07 <fungi> #link https://launchpad.net/bugs/1824248 Security Group filtering hides rules from user
15:05:08 <openstack> Launchpad bug 1824248 in neutron "Security Group filtering hides rules from user" [Undecided,In progress] - Assigned to Slawek Kaplonski (slaweq)
15:05:33 <fungi> we ended up making that one public and triaging it as a security hardening opportunity
15:05:58 <gagehugo> ok, cool
15:06:14 <fungi> #link https://storyboard.openstack.org/#!/story/2005678 SQL Injection vulnerability in node_cache
15:06:45 <fungi> that was for ironic-inspector which is not overseen by the vmt, but we did consult on it
15:06:57 <fungi> got a cve assignment but considered probably not exploitable
15:07:29 <gagehugo> since Liberty, oh boy
15:07:37 * redrobot sneaks in
15:07:58 <fungi> i think those are all the newly public reports
15:08:11 * gagehugo adds them to his list
15:08:25 <gagehugo> thanks fungi
15:08:55 <fungi> please everyone feel free to weigh in on any public reports of suspected vulnerabilities and argue for a different outcome if you feel it's warranted
15:09:32 <gagehugo> fungi: related to ^ I was considering the idea of sending out a weekly security sig update on our meeting notes
15:09:32 <fungi> just because the vmt initially decides a report isn't severe enough to need an advisory doesn't mean we can't be convinced by new evidence
15:09:42 <fungi> gagehugo: great idea!
15:09:46 <gagehugo> and we could put public security vulnerabilities in there
15:10:08 <gagehugo> to help get more eyes on it, since that's something we need
15:10:28 <fungi> yeah, link to any we recently switched to public, and also maybe include a quick list of all which are public and unresolved
15:11:24 <fungi> (we frequently resolve reports when making them public if we deem them not in need of an advisory at that time, so would be separate lists i expect)
15:11:33 <gagehugo> yeah, I will write up a template in an etherpad, and we could track those
15:12:17 <gagehugo> ok
15:12:44 <gagehugo> #action gagehugo to draft a weekly meeting template
15:13:22 <fungi> could probably assemble most of those bits from the openstack-security ml archive and lp/sb queries
15:13:52 <fungi> though maybe also worth discussing is revisiting retirement of the openstack-security ml
15:14:11 <gagehugo> hmm
15:14:28 <fungi> i was working with hyakuhei on that at least a couple years ago, but with the shakeup in leadership and then the transition away from being a project much of that effort was dropped on the floor
15:14:34 <gagehugo> I thought that got retired when we migrated to discuss
15:15:02 <fungi> it's been receiving automated reports for security bugtags and gerrit changes marked security-impact
15:15:11 <gagehugo> hmm
15:15:17 <fungi> but the list description still implies it's for discussion, and he's still the list owner
15:15:43 <fungi> at a minimum, we should decide how we want it to be used (if at all) and adjust the configuration for it accordingly
15:16:24 <fungi> #link http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
15:16:33 <fungi> it's still linked from the main list index too
15:16:49 <gagehugo> ok
15:16:56 <fungi> " central point for security discussion within OpenStack. Used primarily for project co-ordination within the OpenStack Security Group."
15:17:07 <fungi> "Openstack-security list run by robert.clark at hp.com, hyakuhei at gmail.com"
15:17:47 <fungi> but yeah, if we think it's a useful resource for people to be able to continue to subscribe to automated stuff, then we should just relabel it accordingly
15:18:01 <gagehugo> ok
15:18:15 <fungi> otherwise we should announce we're shutting it down, and then go ahead with that
15:18:35 <nickthetait> just ask on that list if anyone finds it useful?
15:18:36 <fungi> maybe worth a [security] tagged thread on openstack-discuss to see what people think
15:18:51 <gagehugo> yeah
15:18:53 <fungi> i'm not even sure if that list currently allows subscribers to post to it
15:18:59 <nickthetait> hehe
15:19:07 <fungi> so asking on the list for feedback to that list may be counterproductive
15:19:09 <gagehugo> well I will try to find out
15:19:19 <gagehugo> see if it throws it back
15:19:33 <fungi> but perhaps announcing on that list that we're discussing the future of it over on openstack-discuss (with a link to the start of the thread) could be a good idea
15:19:49 <gagehugo> fungi: sounds good
15:19:57 <fungi> i can easily reassign that list to one or more of us as owners
15:20:14 <fungi> using my infra superpowers
15:20:20 <gagehugo> heh
15:21:24 <gagehugo> nickthetait: btw I got security sig mascot stickers the last day of the PTG, lemme know if you want some
15:21:49 <nickthetait> sweet
15:21:58 <nickthetait> not sure it's worth mailing them
15:22:02 <gagehugo> https://www.openstack.org/project-mascots/
15:22:30 <nickthetait> aww it's cute!
15:22:56 <gagehugo> I will just put some in a letter
15:23:54 <gagehugo> Anyone have anything else?
15:24:03 <nickthetait> nope
15:24:53 <fungi> technically those were "security project team mascot stickers" left over from before it stopped being a project team
15:25:06 <gagehugo> yeah
15:25:28 <fungi> the osf didn't actually supply mascot work for sigs
15:25:37 <gagehugo> correct
15:27:32 <gagehugo> thanks for coming everyone, have a good holiday weekend
15:27:38 <gagehugo> #endmeeting