15:00:40 <gagehugo> #startmeeting security
15:00:41 <openstack> Meeting started Thu Aug  8 15:00:40 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:42 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:44 <openstack> The meeting name has been set to 'security'
15:00:55 <fungi> aloha
15:00:55 <gagehugo> #link https://review.opendev.org/#/c/674877/
15:01:02 <gagehugo> o/
15:01:19 <mhen> o/
15:03:29 <gagehugo> let's begin
15:03:36 <gagehugo> #topic OSSA-2019-003
15:03:58 <gagehugo> So a new OSSA was released this week
15:04:06 <gagehugo> thanks to fungi for handling that
15:04:12 <gagehugo> #link https://security.openstack.org/ossa/OSSA-2019-003.html
15:04:28 <gagehugo> #link https://bugs.launchpad.net/nova/+bug/1837877
15:04:29 <openstack> Launchpad bug 1837877 in OpenStack Compute (nova) queens "[OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433)" [High,In progress] - Assigned to Matt Riedemann (mriedem)
15:04:42 <gagehugo> Fixes in Nova are here
15:04:43 <gagehugo> #link https://review.opendev.org/#/q/I5e0a43ec59341c9ac62f89105ddf82c4a014df81
15:06:41 <fungi> all supported stable branches except stable/queens have merged at this point
15:07:32 <fungi> also the advisory was hung up in the openstack-announce ml's moderation queue until just now, but it also was sent on tuesday to the openstack-discuss ml as well as oss-security (non-openstack open source security mailing list)
15:08:06 <fungi> after discussing with ttx he's suggested i become a co-moderator of openstack-announce so we don't have to ping him on these in the future
15:08:53 <fungi> also the real thanks on ossa-2019-003 go to donnyd for reporting it and mriedem for writing and testing all the patches for 6 different branches of nova
15:09:19 <gagehugo> thanks to all of them too then!
15:10:02 <gagehugo> #topic Nova/Cinder policy
15:10:12 <gagehugo> mhen: sorry, it's been crazy here this last week
15:10:25 <gagehugo> I still have that on my to-do list
15:10:25 <mhen> No worries, I totally understand :)
15:10:32 <gagehugo> just giving a heads up :)
15:10:47 <gagehugo> and putting it on the agenda also helps me remember
15:11:07 <gagehugo> #topic Open Discussion
15:11:14 <gagehugo> anyone have anything else?
15:16:29 <fungi> update on the image encryption effort
15:16:59 <fungi> it looks like the nova spec is unlikely to get a spec freeze exception for train, based on discussion in #openstack-nova on monday
15:17:35 <gagehugo> hmm ok
15:17:49 <fungi> the main reasoning is that if they did approve the exception, they don't think they'd have time to actually review the necessary changes for the implementation before release
15:18:39 <fungi> especially as the image handling routines in nova are rather dangerous places to be poking around due to their age (they don't get touched often) so extra care would be required there
15:19:23 <fungi> there were also still some outstanding questions on the spec requiring clarification, and a concern about assumptions being made around the wrong abstraction layers
15:19:46 <gagehugo> makes sense
15:19:52 <fungi> so ideally the spec gets polished up in the coming weeks and targets an early approval in the "u" cycle
15:19:55 <gagehugo> probably best not to rush this
15:23:46 <gagehugo> thanks fungi mhen
15:23:53 <gagehugo> have a good rest of the week
15:23:57 <gagehugo> #endmeeting