15:00:10 <gagehugo> #startmeeting security
15:00:11 <openstack> Meeting started Thu Oct 3 15:00:10 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:14 <openstack> The meeting name has been set to 'security'
15:01:02 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:04:09 <fungi> i guess i can give some vmt updates
15:04:30 <gagehugo> fungi: o/
15:07:47 <fungi> so, since volume of vulnerability reports has been fairly low, i've turned my focus to improving our support for projects on storyboard
15:09:05 <gagehugo> ok
15:09:06 <fungi> there's already a great feature in sb where you can create named teams of users, mark them as security teams, associate specific projects with them, and any time a task for one of those projects is added in a story marked as security-related that corresponding team will have access automatically added
15:09:55 <fungi> the openstack vmt is currently represented on storyboard.openstack.org by a security team named "openstack-security"
15:10:33 <fungi> and i've associated all official deliverables which are vulnerability:managed according to openstack governance as associated with it
15:11:27 <fungi> so this means any security-related stories with tasks for those deliverables (if they're using storyboard for defect reporting) will automatically be visible to the members of the openstack vmt now
15:11:50 <gagehugo> ah ok, cool
15:12:15 <fungi> i also used my administrator privs on the server to temporarily insert access for my user into all existing private stories and audited them
15:12:58 <fungi> most were for projects without vmt oversight so i did my best to find appropriate contacts for each of those and add access for them if the reporter hadn't already
15:13:12 <fungi> i also left comments in them all noting this
15:13:27 * redrobot walks in late ... sits in the back
15:14:07 <fungi> the next thing we need is project-specific teams (like the .*-coresec teams in lp) so the vmt can more easily direct access for triaged security stories
15:14:37 <fungi> and i want to make team definition/creation a self-service thing
15:14:52 <fungi> so i've started a change with a proposed schema for managing this in git:
15:15:17 <fungi> #link https://review.opendev.org/685778 Record vulnerability management teams used in SB
15:15:49 <fungi> i'm getting started on the automation/api integration side of that now
15:16:16 <fungi> the data in that current change is just a copy of what's currently set in sb
15:16:53 <fungi> but once i get it integrated we can propose new changes to create those other teams directly and allow project leaders to propose updates to them when desired
15:17:18 <fungi> that's probably all i've got for updates at a high level this week
15:23:08 <gagehugo> ok
15:23:24 <gagehugo> redrobot: o/
15:23:48 <gagehugo> anything else?
15:24:34 <redrobot> Nope. I'm good. :)
15:24:53 <gagehugo> thanks fungi redrobot!
15:24:55 <gagehugo> #endmeeting