#openstack-meeting log

15:00:16 <gagehugo> #startmeeting security
15:00:16 <openstack> Meeting started Thu Mar 26 15:00:16 2020 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:19 <openstack> The meeting name has been set to 'security'
15:00:28 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:00:42 <gagehugo> o/
15:00:45 <fungi> ohai
15:04:30 <gagehugo> #topic Open Discussion
15:04:37 <gagehugo> It's been a quiet week
15:04:49 <gagehugo> not sure if everyone is just hiding inside
15:04:57 <gagehugo> fungi: do you have any updates?
15:05:06 <fungi> oh, yep
15:05:45 <fungi> so there's this git commit footer we've used traditionally in openstack to indicate when a change has a potential security impact
15:05:52 <fungi> "SecurityImpact"
15:06:12 <fungi> and we've got a gerrit hook script which fires on new changes with that in the commit message
15:06:22 <gagehugo> ah
15:06:29 <fungi> it was designed to send e-mail notifications to the openstack-security ml
15:06:40 <fungi> but doesn't seem to have been doing so for many, many years
15:07:06 <fungi> we've also not had any complaints, nobody's brought it to our attention and we just stumbled across the fact that it's not been working
15:07:36 <gagehugo> haah
15:07:36 <fungi> so for now we're leaving it broken
15:07:38 <gagehugo> haha*
15:07:41 <gagehugo> ah ok
15:08:21 <fungi> but i just wanted to make a record of that decision. we can try to fix it up, it will require some changes to our new gerrit deployment mechanism (which is why we happened to notice at all)
15:09:07 <fungi> so if it's something folks want to have restored to working order it should be possible, but we'd rather wait to do that until we're done with the current storm of gerrit deployment changes and pending upgrades
15:09:15 <fungi> so we don't have to fix things more than once
15:09:28 <fungi> but also, if nobody really has a need for it, we'd like to drop it
15:09:44 <fungi> (again not urgent, just something to mull over)
15:10:55 <gagehugo> Could send out an email to fish for interest
15:11:36 <fungi> the commit message tag does at least still continue to see use
15:11:49 <fungi> there was a nova change merged a couple of weeks ago with it
15:12:23 <gagehugo> ah ok
15:12:31 <fungi> but even without the notification hook, that's still a useful pattern if for no other reason than filtering in gerrit queries for review dashboards or looking through commit histories
15:14:56 <gagehugo> I see
15:17:06 <fungi> other than that, i don't think we have a lot on the infra or vmt side
15:17:14 <fungi> not since last week anyway
15:17:45 <gagehugo> Been adjusting to working from home full time
15:17:51 <gagehugo> so I don't really have too much
15:17:58 <fungi> we're ~6 weeks from when a large number of stale embargoes will be expiring and some (in some cases very old) reports will become public
15:18:15 <gagehugo> That's a good point, I'll mark that date on the agenda
15:19:43 <fungi> pretty sure that's may 9
15:20:38 <gagehugo> ok
15:20:39 <fungi> no, my bad
15:20:41 <fungi> may 27
15:20:51 <gagehugo> heh ok
15:21:32 <fungi> this is what i put in all of the existing reports which were private at the time i went through them all: This embargo shall not extend past 2020-05-27 and will be made public by or on that date if no fix is identified.
15:21:44 <fungi> so we're two months out from that still
15:22:06 <gagehugo> time flies though
15:22:10 <fungi> i also added this comment to all of them:
15:22:55 <fungi> In keeping with recent OpenStack vulnerability management policy changes, no report should remain under private embargo for more than 90 days. Because this report predates the change in policy, the deadline for public disclosure is being set to 90 days from today. If the report is not resolved within the next 90 days, it will revert to our public workflow as of 2020-05-27. Please see
15:22:56 <fungi> http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012721.html for further details.
15:23:52 <fungi> i'll go through and add reminders to them soon
15:24:16 <gagehugo> ok, thanks fungi
15:26:43 <gagehugo> Do you have anything else for this week?
15:30:39 <fungi> i do not, no
15:31:07 <fungi> just overbooked on this timeslot as usual, sorry again about the delayed responses :/
15:31:07 <gagehugo> thanks again fungi, have a good rest of the week
15:31:13 <gagehugo> no worries :)
15:31:16 <fungi> thanks gagehugo, you too!
15:31:17 <gagehugo> #endmeeting