15:00:16 <gagehugo> #startmeeting security 15:00:16 <openstack> Meeting started Thu Mar 26 15:00:16 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:19 <openstack> The meeting name has been set to 'security' 15:00:28 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda 15:00:42 <gagehugo> o/ 15:00:45 <fungi> ohai 15:04:30 <gagehugo> #topic Open Discussion 15:04:37 <gagehugo> It's been a quiet week 15:04:49 <gagehugo> not sure if everyone is just hiding inside 15:04:57 <gagehugo> fungi: do you have any updates? 15:05:06 <fungi> oh, yep 15:05:45 <fungi> so there's this git commit footer we've used traditionally in openstack to indicate when a change has a potential security impact 15:05:52 <fungi> "SecurityImpact" 15:06:12 <fungi> and we've got a gerrit hook script which fires on new changes with that in the commit message 15:06:22 <gagehugo> ah 15:06:29 <fungi> it was designed to send e-mail notifications to the openstack-security ml 15:06:40 <fungi> but doesn't seem to have been doing so for many, many years 15:07:06 <fungi> we've also not had any complaints, nobody's brought it to our attention and we just stumbled across the fact that it's not been working 15:07:36 <gagehugo> haah 15:07:36 <fungi> so for now we're leaving it broken 15:07:38 <gagehugo> haha* 15:07:41 <gagehugo> ah ok 15:08:21 <fungi> but i just wanted to make a record of that decision. we can try to fix it up, it will require some changes to our new gerrit deployment mechanism (which is why we happened to notice at all) 15:09:07 <fungi> so if it's something folks want to have restored to working order it should be possible, but we'd rather wait to do that until we're done with the current storm of gerrit deployment changes and pending upgrades 15:09:15 <fungi> so we don't have to fix things more than once 15:09:28 <fungi> but also, if nobody really has a need for it, we'd like to drop it 15:09:44 <fungi> (again not urgent, just something to mull over) 15:10:55 <gagehugo> Could send out an email to fish for interest 15:11:36 <fungi> the commit message tag does at least still continue to see use 15:11:49 <fungi> there was a nova change merged a couple of weeks ago with it 15:12:23 <gagehugo> ah ok 15:12:31 <fungi> but even without the notification hook, that's still a useful pattern if for no other reason than filtering in gerrit queries for review dashboards or looking through commit histories 15:14:56 <gagehugo> I see 15:17:06 <fungi> other than that, i don't think we have a lot on the infra or vmt side 15:17:14 <fungi> not since last week anyway 15:17:45 <gagehugo> Been adjusting to working from home full time 15:17:51 <gagehugo> so I don't really have too much 15:17:58 <fungi> we're ~6 weeks from when a large number of stale embargoes will be expiring and some (in some cases very old) reports will become public 15:18:15 <gagehugo> That's a good point, I'll mark that date on the agenda 15:19:43 <fungi> pretty sure that's may 9 15:20:38 <gagehugo> ok 15:20:39 <fungi> no, my bad 15:20:41 <fungi> may 27 15:20:51 <gagehugo> heh ok 15:21:32 <fungi> this is what i put in all of the existing reports which were private at the time i went through them all: This embargo shall not extend past 2020-05-27 and will be made public by or on that date if no fix is identified. 15:21:44 <fungi> so we're two months out from that still 15:22:06 <gagehugo> time flies though 15:22:10 <fungi> i also added this comment to all of them: 15:22:55 <fungi> In keeping with recent OpenStack vulnerability management policy changes, no report should remain under private embargo for more than 90 days. Because this report predates the change in policy, the deadline for public disclosure is being set to 90 days from today. If the report is not resolved within the next 90 days, it will revert to our public workflow as of 2020-05-27. Please see 15:22:56 <fungi> http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012721.html for further details. 15:23:52 <fungi> i'll go through and add reminders to them soon 15:24:16 <gagehugo> ok, thanks fungi 15:26:43 <gagehugo> Do you have anything else for this week? 15:30:39 <fungi> i do not, no 15:31:07 <fungi> just overbooked on this timeslot as usual, sorry again about the delayed responses :/ 15:31:07 <gagehugo> thanks again fungi, have a good rest of the week 15:31:13 <gagehugo> no worries :) 15:31:16 <fungi> thanks gagehugo, you too! 15:31:17 <gagehugo> #endmeeting