15:00:10 <gagehugo> #startmeeting security
15:00:11 <openstack> Meeting started Thu Oct  3 15:00:10 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:14 <openstack> The meeting name has been set to 'security'
15:01:02 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:04:09 <fungi> i guess i can give some vmt updates
15:04:30 <gagehugo> fungi: o/
15:07:47 <fungi> so, since volume of vulnerability reports has been fairly low, i've turned my focus to improving our support for projects on storyboard
15:09:05 <gagehugo> ok
15:09:06 <fungi> there's already a great feature in sb where you can create named teams of users, mark them as security teams, associate specific projects with them, and any time a task for one of those projects is added in a story marked as security-related that corresponding team will have access automatically added
15:09:55 <fungi> the openstack vmt is currently represented on storyboard.openstack.org by a security team named "openstack-security"
15:10:33 <fungi> and i've marked all official deliverables which are vulnerability:managed according to openstack governance as associated with it
15:11:27 <fungi> so this means any security-related stories with tasks for those deliverables (if they're using storyboard for defect reporting) will automatically be visible to the members of the openstack vmt now
15:11:50 <gagehugo> ah ok, cool
15:12:15 <fungi> i also used my administrator privs on the server to temporarily insert access for my user into all existing private stories and audited them
15:12:58 <fungi> most were for projects without vmt oversight so i did my best to find appropriate contacts for each of those and add access for them if the reporter hadn't already
15:13:12 <fungi> i also left comments in them all noting this
15:13:27 * redrobot walks in late ... sits in the back
15:14:07 <fungi> the next thing we need is project-specific teams (like the .*-coresec teams in lp) so the vmt can more easily direct access for triaged security stories
15:14:37 <fungi> and i want to make team definition/creation a self-service thing
15:14:52 <fungi> so i've started a change with a proposed schema for managing this in git:
15:15:17 <fungi> #link https://review.opendev.org/685778 Record vulnerability management teams used in SB
15:15:49 <fungi> i'm getting started on the automation/api integration side of that now
15:16:16 <fungi> the data in that current change is just a copy of what's currently set in sb
15:16:53 <fungi> but once i get it integrated we can propose new changes to create those other teams directly and allow project leaders to propose updates to them when desired
15:17:18 <fungi> that's probably all i've got for updates at a high level this week
15:23:08 <gagehugo> ok
15:23:24 <gagehugo> redrobot: o/
15:23:48 <gagehugo> anything else?
15:24:34 <redrobot> Nope.  I'm good. :)
15:24:53 <gagehugo> thanks fungi redrobot!
15:24:55 <gagehugo> #endmeeting