15:04:14 #startmeeting security
15:04:15 Meeting started Thu Mar 12 15:04:14 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:04:17 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:04:19 The meeting name has been set to 'security'
15:04:42 #link https://etherpad.openstack.org/p/security-agenda agenda
15:05:40 apologies for the late start
15:05:55 no worries
15:07:51 only major news i'm aware of is the manila advisory which was published yesterday
15:08:23 #link https://security.openstack.org/ossa/OSSA-2020-002.html
15:08:41 #topic OSSA-2020-02
15:08:45 Yeah
15:10:37 that was a public sec bug
15:11:09 not until the advisory was published
15:11:35 this was similar to the octavia advisory late last year where representatives of the project team coordinated the embargo process
15:11:49 since manila isn't (currently) vulnerability:managed
15:12:20 gouthamr did a great job following the process we've published
15:13:07 oh yeah nvm I missed that comment
15:13:21 yeah, they did good
15:13:45 i provided a little guidance in the bug, but he wrote the impact description, obtained the cve, sent the embargoed pre-ossa to the embargo-notice ml, proposed the ossa repo addition and sent out the advisories
15:14:57 thanks for guiding them through the process!
15:15:27 luckily they didn't need much guiding at all. seems like our process documentation is thorough and precide
15:15:30 er, precise
15:17:16 our documentation is great then
15:18:32 #topic open discussion
15:18:43 So, with the virus going around
15:19:01 my company has halted most travel, so as of now I won't make it to vancouver
15:19:40 and potentially any summit/ptg this year
15:20:16 yeah, it's hard to predict for anyone right now
15:21:12 so we will see I guess
15:21:21 fungi: do you have anything else?
15:21:48 the process for opening all our stale embargoed reports is progressing nicely
15:22:11 the bulk of them will expire in may and be switched public then most likely
15:22:30 some have already been cleaned up/closed out as no longer valid
15:23:22 i think i mentioned last week going through other private and private security reports for openstack projects without vmt oversight or which predated formal vmt process (and in some cases predated any vmt at all)
15:24:01 i'm looking forward to having only a handful of private reports we need to keep an eye on, once the postdated expirations go into effect
15:24:48 there will be a much larger volume of updates to the openstack-security ml over the next couple months as those get opened up, so folks who are interested can keep an eye on things that way
15:24:53 yeah, that will be nice
15:25:27 also i've been trying to mention in #openstack-security any public reports we triage or private reports which get switched to public
15:25:41 good idea
15:25:43 for improved visibility
15:27:32 * gouthamr peeps in
15:27:39 "luckily they didn't need much guiding at all. seems like our process documentation is thorough and precide" - I agree, fungi
15:27:59 thank you for the guidance, and hope to collaborate more by applying for the vmt tag soon :)
15:28:16 looking forward to it, definitely
15:29:38 cool!
15:29:43 thanks everyone, stay safe
15:29:45 #endmeeting