15:01:04 <gagehugo> #startmeeting security
15:01:05 <openstack> Meeting started Thu May 7 15:01:04 2020 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:09 <openstack> The meeting name has been set to 'security'
15:01:17 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:02:06 <fungi> exciting week!
15:02:11 <gagehugo> no kidding
15:02:24 <fungi> (exciting several weeks in private)
15:06:26 <gagehugo> #topic new OSSA's
15:06:48 <gagehugo> #link https://security.openstack.org/ossa/OSSA-2020-003.html
15:06:51 <gagehugo> #link https://security.openstack.org/ossa/OSSA-2020-004.html
15:06:53 <gagehugo> #link https://security.openstack.org/ossa/OSSA-2020-005.html
15:07:18 <gagehugo> The bugs for those were disclosed this week and fixes in keystone are currently in the process of being merged
15:07:25 <fungi> that was a massive pile of work, thanks for tackling those
15:07:39 <gagehugo> 5 bugs in total :(
15:07:45 <gagehugo> thanks fungi for the help!
15:07:55 <gagehugo> and thanks cmurphy for tackling the fixes so quickly
15:07:59 <fungi> and of course hyge thanks to kay for finding those bugs, and cmurphy for patching them
15:08:10 <fungi> s/hyge/huge/
15:08:53 <fungi> and mitre got back to you as soon as the advisories went out?
so now it's time for three errata patches and some new e-mails
15:10:21 <gagehugo> yup, will tackle those today
15:10:58 <gagehugo> #topic Syntribos
15:11:45 <gagehugo> We've brought this up sometime last year, but the project has seen maybe 1-2 updates outside of any infra changes in the last few years
15:11:54 <gagehugo> It might be time to retire the project
15:12:08 <gagehugo> we also sent out an email to the discuss ML that didn't get a response
15:12:38 <fungi> note that there are several syntribos repos
15:13:05 <fungi> and presumably we'd retire them all at the same time
15:13:33 <gagehugo> yup, there's the template ones as well
15:14:11 <fungi> the syntribos-core group in gerrit has approval rights on all three repos
15:14:49 <fungi> 5 folks with rackspace addresses, two with gmail addresses. i don't recognize any of those names as being recently active in the sig (or openstack as a whole)
15:15:43 <fungi> Charles Neill, Matt Valdes, Michael Dong, Michael Xin, Nathan Buckner, Rahul U Nair, Vinay Potluri
15:16:30 <gagehugo> yeah I think we looked into using it briefly a few years ago and I was told to reach out to rackspace
15:18:09 <fungi> so anyway, looks pretty solidly abandoned as an effort
15:18:14 <gagehugo> yeah
15:18:31 <gagehugo> we can start the process I guess and see if anyone objects
15:18:33 <fungi> also, retirement is far from permanent. it's an acl change and a git revert away from resurrection if someone wants to take it over
15:20:56 <gagehugo> that is true
15:21:17 <fungi> so yes, i agree we should just start retiring the syntribos repos as soon as anyone has time to start on that
15:21:32 <gagehugo> agreed
15:21:48 <gagehugo> I can possibly look into that either this afternoon or tomorrow
15:21:58 <gagehugo> lemme try to get these cves out first
15:22:05 <fungi> and probably reply to the original ml thread saying it's in progress and linking to the review topic
15:22:15 <fungi> thanks!
15:22:26 <gagehugo> sure
15:22:34 <gagehugo> #topic open discussion
15:22:39 <gagehugo> fungi: anything else for today?
15:22:44 <fungi> also AJaeger volunteered to help with the retirement changes if needed
15:24:00 <gagehugo> yeah I saw, I'll ping him if I need any help with that
15:24:13 <fungi> a fond vmt farewell to tristanC
15:24:24 <fungi> his help these many years has been greatly appreciated
15:25:33 <fungi> aside from that, nothing else i can think of to report since last week
15:26:22 <gagehugo> alright, thanks as always fungi
15:26:26 <gagehugo> #endmeeting