15:04:14 <gagehugo> #startmeeting security
15:04:15 <openstack> Meeting started Thu Mar 12 15:04:14 2020 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:04:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:04:19 <openstack> The meeting name has been set to 'security'
15:04:42 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:05:40 <gagehugo> apologies for the late start
15:05:55 <fungi> no worries
15:07:51 <fungi> only major news i'm aware of is the manila advisory which was published yesterday
15:08:23 <gagehugo> #link https://security.openstack.org/ossa/OSSA-2020-002.html
15:08:41 <gagehugo> #topic OSSA-2020-02
15:08:45 <gagehugo> Yeah
15:10:37 <gagehugo> that was a public sec bug
15:11:09 <fungi> not until the advisory was published
15:11:35 <fungi> this was similar to the octavia advisory late last year where representatives of the project team coordinated the embargo process
15:11:49 <fungi> since manila isn't (currently) vulnerability:managed
15:12:20 <fungi> gouthamr did a great job following the process we've published
15:13:07 <gagehugo> oh yeah nvm I missed that comment
15:13:21 <gagehugo> yeah, they did good
15:13:45 <fungi> i provided a little guidance in the bug, but he wrote the impact description, obtained the cve, sent the embargoed pre-ossa to the embargo-notice ml, proposed the ossa repo addition and sent out the advisories
15:14:57 <gagehugo> thanks for guiding them through the process!
15:15:27 <fungi> luckily they didn't need much guiding at all. seems like our process documentation is thorough and precide
15:15:30 <fungi> er, precise
15:17:16 <gagehugo> our documentation is great then
15:18:32 <gagehugo> #topic open discussion
15:18:43 <gagehugo> So, with the virus going around
15:19:01 <gagehugo> my company has halted most travel, so as of now I won't make it to vancouver
15:19:40 <gagehugo> and potentially any summit/ptg this year
15:20:16 <fungi> yeah, it's hard to predict for anyone right now
15:21:12 <gagehugo> so we will see I guess
15:21:21 <gagehugo> fungi: do you have anything else?
15:21:48 <fungi> the process for opening all our stale embargoed reports is progressing nicely
15:22:11 <fungi> the bulk of them will expire in may and be switched public then most likely
15:22:30 <fungi> some have already been cleaned up/closed out as no longer valid
15:23:22 <fungi> i think i mentioned last week going through other private and private security reports for openstack projects without vmt oversight or which predated formal vmt process (and in some cases predated any vmt at all)
15:24:01 <fungi> i'm looking forward to having only a handful of private reports we need to keep an eye on, once the postdated expirations go into effect
15:24:48 <fungi> there will be a much larger volume of updates to the openstack-security ml over the next couple months as those get opened up, so folks who are interested can keep an eye on things that way
15:24:53 <gagehugo> yeah, that will be nice
15:25:27 <fungi> also i've been trying to mention in #openstack-security any public reports we triage or private reports which get switched to public
15:25:41 <gagehugo> good idea
15:25:43 <fungi> for improved visibility
15:27:32 * gouthamr peeps in
15:27:39 <gouthamr> "luckily they didn't need much guiding at all. seems like our process documentation is thorough and precide" - I agree, fungi
15:27:59 <gouthamr> thank you for the guidance, and hope to collaborate more by applying for the vmt tag soon :)
15:28:16 <fungi> looking forward to it, definitely
15:29:38 <gagehugo> cool!
15:29:43 <gagehugo> thanks everyone, stay safe
15:29:45 <gagehugo> #endmeeting